LinuxQuestions.org


MasterC 02-05-2003 07:24 PM

Annoying windoze problems in my Apache server logs
 
Hello! I've got this really annoying problem in my apache server logs, in both "/var/log/apache/access_log" and "/var/log/apache/error_log".

I don't know if this is much of a security problem (although if I were running another OS it might be ;) ) but I am more wondering how to have these not even show up in my logs, or filter them into another log such as /dev/null or something. I've taken some excerpts from both log files so you can get a feel for what I am talking about:

From /var/log/apache/access_log:
Code:

4.65.236.42 - - [05/Feb/2003:16:54:20 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:24 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:27 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:32 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:34 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
4.65.236.42 - - [05/Feb/2003:16:54:36 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289

And more from /var/log/apache/access_log:

Code:

.65.194.47 - - [05/Feb/2003:16:24:44 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
4.65.194.47 - - [05/Feb/2003:16:24:45 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
4.65.236.42 - - [05/Feb/2003:16:53:53 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
4.65.236.42 - - [05/Feb/2003:16:53:56 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
4.65.236.42 - - [05/Feb/2003:16:54:00 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
4.65.236.42 - - [05/Feb/2003:16:54:03 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
4.65.236.42 - - [05/Feb/2003:16:54:07 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
4.65.236.42 - - [05/Feb/2003:16:54:10 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
4.65.236.42 - - [05/Feb/2003:16:54:13 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
4.65.236.42 - - [05/Feb/2003:16:54:17 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339

From /var/log/apache/error_log:

Code:

[Sun Jan 19 06:57:38 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
[Sun Jan 19 06:57:39 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
[Sun Jan 19 06:57:40 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Sun Jan 19 06:57:40 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Jan 19 06:57:41 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

I am guessing it's some sort of virus for winbloze.

Anyway, anyone got any ideas on how to rid my logs of the flaws of others ;)

Cool

Crashed_Again 02-05-2003 08:08 PM

Yup. Nimda or CodeRed virus. I asked this question before and nobody had an answer on how to get these out of the log file. I wanted to get rid of those log entries for so long but now I kind of like them because they remind me why I don't use M$.

By the way: I wonder how many Linux servers were affected by the "SQL Slammer" worm. Oh yeah, that's right. None.

MasterC 02-05-2003 09:25 PM

Thanks :) How about a reverse IP lookup then? So I can send an email or something to this IP to let them know how annoying it is, or rather that this is happening.

:)

Cool

unSpawn 02-06-2003 06:03 AM

In your logrotate script add something like:
prerotate
        # drop the probe lines before rotation; the dot is escaped so "cmd.exe" matches literally
        grep -v -e "cmd\.exe" /var/log/apache/access_log > /var/tmp/apache/access_log
        mv -f /var/tmp/apache/access_log /var/log/apache/access_log
endscript

IMO email notification is an applaudable thing, but in these cases usually won't do more than ease your mind that you've done "everything". Find their upstream ISP's (Verizon) abuse address and mail them.

jharris 02-06-2003 07:12 AM

Re: Annoying windoze problems in my Apache server logs
 
Quote:

Originally posted by MasterC
Anyway, anyone got any ideas on how to rid my logs of the flaws of others ;)
Apache's conditional logging could be used to stop you logging any mention of cmd.exe. For example (in httpd.conf)...
Code:

SetEnvIf Request_URI "/cmd.exe/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog

HTH - that RegExp is probably better as /cmd\.exe/ as I think the original would match cmd then any character followed by exe.

Jamie...

MasterC 02-12-2003 05:15 PM

Re: Re: Annoying windoze problems in my Apache server logs
 
Quote:

Originally posted by jharris
Apache's conditional logging could be used to stop you logging any mention of cmd.exe. For example (in httpd.conf)...
Code:

SetEnvIf Request_URI "/cmd.exe/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog

HTH - that RegExp is probably better as /cmd\.exe/ as I think the original would match cmd then any character followed by exe.

Jamie...

OK, I tried this one first (just randomly picked it); however, it doesn't seem to work. I've tried both of these entries for at least a day per entry:
Code:

#Test to stop windoze bothersome virus logs (thread is located at: http://www.linuxquestions.org/questions/showthread.php?s=&threadid=44248)
SetEnvIf Request_URI "/cmd\.exe/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog

Code:

#Test to stop windoze bothersome virus logs (thread is located at: http://www.linuxquestions.org/questions/showthread.php?s=&threadid=44248)
SetEnvIf Request_URI "/cmd.exe/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog

And I've also used variations like (currently):
Code:

#Test to stop windoze bothersome virus logs (thread is located at: http://www.linuxquestions.org/questions/showthread.php?s=&threadid=44248)
SetEnvIf Request_URI "/cmd\.exe?/" dontlog
# Log what remains

CustomLog /var/log/access_log.gz combined env=!dontlog

But still no dice. So now for the next week, I'll try to figure out how to implement your suggestion, unSpawn, since I don't know where my logrotate script is (or maybe I've got to set one up). :) I'll post back with the results. Thanks for the replies so far.

Cool
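As an added example that is not code from anyone in this thread, the Python below does the same job as unSpawn's grep filter and jharris's SetEnvIf rule, and shows why the "/cmd.exe/" family of patterns never matched: SetEnvIf takes a bare regex, so the slashes are literal, and nothing but "?" or the end of the string follows cmd.exe in these URIs. The sample lines are constructed from the excerpts above; the 192.0.2.10 client and the idea of a separate side log are assumptions.

```python
import re
from urllib.parse import unquote

# Apache "common" log format: host ident user [time] "method uri proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# SetEnvIf takes a bare extended regex, so the slashes in "/cmd.exe/" are literal;
# nothing but "?" or end-of-string follows cmd.exe in these URIs, so it never matches.
BROKEN_PATTERN = re.compile(r"/cmd.exe/")
# What the thread was reaching for: escape the dot, drop the trailing slash, and
# cover the root.exe form the same worm leaves. The equivalent httpd.conf line
# would be:  SetEnvIf Request_URI "/(cmd|root)\.exe" dontlog
PROBE_PATTERN = re.compile(r"/(cmd|root)\.exe(\?|$)", re.IGNORECASE)

def is_worm_probe(uri, pattern=PROBE_PATTERN):
    return pattern.search(uri) is not None

def decode_traversal(uri):
    """Decode the path twice so ..%255c.. and ..%%35%63.. both read as ..\\..
    (the worm double-encodes "\\" to get past IIS path checks). Overlong forms
    like %c0%af are invalid UTF-8; unquote's default errors="replace" keeps going."""
    path = uri.split("?", 1)[0]
    return unquote(unquote(path))

def split_log(lines):
    """Return (kept, probes, unparsed); probes are what goes to the side log."""
    kept, probes, unparsed = [], [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
        elif is_worm_probe(m.group("uri")):
            probes.append(line)
        else:
            kept.append(line)
    return kept, probes, unparsed

# Constructed sample: four probes modelled on the thread's excerpts plus one ordinary request.
SAMPLE_LOG = [
    '4.65.236.42 - - [05/Feb/2003:16:54:20 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305',
    '4.65.236.42 - - [05/Feb/2003:16:54:34 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289',
    '4.65.236.42 - - [05/Feb/2003:16:53:56 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282',
    '4.65.236.42 - - [05/Feb/2003:16:54:00 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292',
    '192.0.2.10 - - [05/Feb/2003:17:01:02 -0800] "GET /index.html HTTP/1.0" 200 1532',
]
```

Like the SetEnvIf approach, this only touches the access log: the "File does not exist" lines in error_log are written by the 404 handler regardless of any logging environment variable.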
