LinuxQuestions.org
Old 01-25-2003, 12:00 PM   #1
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
IIS Viruses


Hey all! I'm just throwing this out here to get some feedback. This is not an urgent post. Okay so everybody who is running Apache has surely seen entries in the Apache Access log file that look like this:

stupid.iis.com - - [25/Jan/2003:10:41:28 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1266 "-" "-"

I'm so sick of seeing these entries in my log files. It just furthers my hatred towards the "Evil Empire". Could we possibly have a script that identifies these requests and denies these servers further access?

The majority of these requests start like this:
"GET /scripts...."
"GET /c/winnt..."
"GET /d/winnt..."
"GET some other exploits"

Okay maybe totally blocking out these servers is a little dramatic but I'm just sick and tired of seeing these lines in my log files.

Does anyone else feel my pain?
 
Old 01-25-2003, 12:16 PM   #2
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Blocking this on the logging would require modification of the log module ... don't know of any other way to block those things ... you could write a script which checks your Apache log files and eliminates all entries that are not required to be checked ... and save the new file as log_to_check.access or whatever
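
The log-filtering script suggested above, sketched as an added example that is not part of the original thread: it separates IIS worm probes from the entries worth reading and counts probes per source host. The function names, the constructed sample hosts, and the assumption that the site serves nothing real under /scripts/, /c/winnt or /d/winnt are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} ')

# Probe markers taken from the thread: the /scripts/, /c/winnt and /d/winnt
# prefixes, plus cmd.exe from the logged request. Assumption: the site serves
# nothing legitimate under those paths.
PROBE_RE = re.compile(r'^/(?:scripts|[cd]/winnt)/|cmd\.exe', re.IGNORECASE)


def is_iis_probe(request):
    """True if the request line's path looks like an IIS worm probe."""
    parts = request.split()
    if len(parts) < 2:
        return False
    # Decode %xx once so encoded spellings of the same path still match.
    return PROBE_RE.search(unquote(parts[1])) is not None


def split_log(lines):
    """Return (lines worth reading, Counter of probing hosts)."""
    keep, probers = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_iis_probe(m.group("request")):
            probers[m.group("host")] += 1
        else:
            keep.append(line)  # unparseable lines are kept, never dropped
    return keep, probers


# First line is the entry quoted in the thread; the rest are constructed.
SAMPLE = [
    'stupid.iis.com - - [25/Jan/2003:10:41:28 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1266 "-" "-"',
    'client.example - - [25/Jan/2003:10:41:29 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'worm.example - - [25/Jan/2003:10:41:30 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1266 "-" "-"',
    'worm.example - - [25/Jan/2003:10:41:31 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1266 "-" "-"',
    'client.example - - [25/Jan/2003:10:41:32 -0500] "GET /docs/scripts.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    keep, probers = split_log(SAMPLE)
    print("\n".join(keep))  # what would go into log_to_check.access
    for host, hits in probers.most_common():
        print(f"# {hits} probe(s) from {host}")
```

The original access log stays untouched; only the filtered copy is meant for reading, so the full record of incoming traffic is still there if it is needed later.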
 
Old 01-25-2003, 12:40 PM   #3
Bert
Senior Member
 
Registered: Jul 2001
Location: 406292E 290755N
Distribution: GNU/Linux Slackware 8.1, Redhat 8.0, LFS 4.0
Posts: 1,004

Rep: Reputation: 46
I believe the purpose of the log is to identify all incoming traffic. This is just a script kiddie's program trying to do stuff. At the most it'll add a few kilobytes to the log after you've archived them, but I'd just let the kid knock and ignore it.
 
Old 01-25-2003, 12:49 PM   #4
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45

Here is an evil thought that won't help but might make you feel better...

Make a readable folder called c/winnt somewhere on your web server and start a collection of Windows virii there.
 
Old 01-25-2003, 12:57 PM   #5
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Original Poster
Rep: Reputation: 57
What does the virus do? It looks like it's trying to "GET" this folder. What if I put some .exe file in there? Would it download the file? Oh boy people could have fun with this.
 
Old 01-28-2003, 01:58 PM   #6
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
Quote:
Originally posted by Crashed_Again

What does the virus do? It looks like it's trying to "GET" this folder. What if I put some .exe file in there? Would it download the file? Oh boy people could have fun with this.

It's trying to gain System access to a Windows machine via a vulnerable IIS webserver. Try searching Google for Code Red, Nimda, and SirCam.
 