Linux - Security (LinuxQuestions.org forum)
01-25-2003, 12:00 PM, #1
Senior Member (Registered: Dec 2002; Location: Atlantic City, NJ; Distribution: Ubuntu & Arch; Posts: 3,503)
IIS Viruses
Hey all! I'm just throwing this out here to get some feedback. This is not an urgent post. Okay, so everybody who is running Apache has surely seen entries in the Apache access log file that look like this:
stupid.iis.com - - [25/Jan/2003:10:41:28 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1266 "-" "-"
I'm so sick of seeing these entries in my log files. It just furthers my hatred towards the "Evil Empire". Could we possibly have a script that identifies these requests and denies these servers further access?
The majority of these requests start like this:
"GET /scripts...."
"GET /c/winnt..."
"GET /d/winnt..."
"GET some other exploits"
Okay, maybe totally blocking out these servers is a little dramatic, but I'm just sick and tired of seeing these lines in my log files.
Does anyone else feel my pain?
01-25-2003, 12:16 PM, #2
Senior Member (Registered: Aug 2002; Location: Stuttgart (Germany); Distribution: Debian/GNU Linux; Posts: 1,467)
Blocking this on the logging would require modification of the log module ... don't know of any other way to block those things ... you could write a script which checks your apache log files and eliminates all entries that are not required to be checked ... and save the new file as log_to_check.access or whatever
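The filter script that post #1 asks for and post #2 sketches, as an added example that is not code from the thread: it parses Apache access-log lines, percent-decodes the request path (so the ..%c0%2f and double-encoded ..%255c traversal variants are caught), flags the IIS worm probes, and returns the list of probing hosts plus the entries still worth reading. The probe patterns and the sample log lines other than the one quoted in the thread are constructed assumptions; the script only reports hosts, it does not block anything.

```python
import re
from urllib.parse import unquote

# Constructed sample: the first line is the entry quoted in the thread, the
# rest are made-up entries (one legitimate hit, one double-encoded probe).
SAMPLE_LOG = """\
stupid.iis.com - - [25/Jan/2003:10:41:28 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1266 "-" "-"
stupid.iis.com - - [25/Jan/2003:10:41:29 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1266 "-" "-"
10.0.0.7 - - [25/Jan/2003:10:42:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Jan/2003:10:43:10 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1266 "-" "-"
"""

# Apache common/combined format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Assumed signatures for the IIS worm probes the thread describes (Nimda-style
# cmd.exe traversal via /scripts/, /c/ or /d/; Code Red's default.ida).
# They run against the decoded, lower-cased path, never the raw one.
PROBE_RES = [re.compile(p) for p in (
    r'/winnt/system32/cmd\.exe', r'^/[a-z]/winnt/',
    r'^/scripts/\.\.', r'/default\.ida')]

def normalize_path(path):
    """Drop the query string, percent-decode twice (catches %255c double
    encoding), map backslashes to '/', lower-case.  Overlong UTF-8 such as
    %c0%af decodes to U+FFFD, which the patterns treat as a path component."""
    p = path.split('?', 1)[0]
    return unquote(unquote(p)).lower().replace('\\', '/')

def is_probe(path):
    norm = normalize_path(path)
    return any(r.search(norm) for r in PROBE_RES)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def split_log(lines):
    """Return (probe_hosts, clean_lines): sorted hosts that sent IIS probes, and
    the remaining entries still worth reading (post #2's log_to_check idea)."""
    probe_hosts, clean = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec['path']):
            probe_hosts.add(rec['host'])
        else:
            clean.append(line)
    return sorted(probe_hosts), clean

if __name__ == '__main__':
    hosts, clean = split_log(SAMPLE_LOG.splitlines())
    print('probe sources:', hosts)                 # ['192.0.2.9', 'stupid.iis.com']
    print('entries left to review:', len(clean))   # 1
```

Run it over a real access_log with `split_log(open('/var/log/apache/access_log'))` and write the clean list to a separate file for review; the host list is only a starting point, since these probes come from infected machines that often change and, as post #3 notes, are harmless to Apache.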
01-25-2003, 12:40 PM, #3
Senior Member (Registered: Jul 2001; Location: 406292E 290755N; Distribution: GNU/Linux Slackware 8.1, Redhat 8.0, LFS 4.0; Posts: 1,004)
I believe the purpose of the log is to identify all incoming traffic. This is just a script kiddie's program trying to do stuff. At the most it'll add a few kilobytes to the log after you've archived them, but I'd just let the kid knock and ignore it.
01-25-2003, 12:49 PM, #4
Senior Member (Registered: Jan 2003; Location: Portland, OR USA; Distribution: Slackware, SLAX, Gentoo, RH/Fedora; Posts: 1,024)
Here is an evil thought that won't help but might make you feel better...
Make a readable folder called c/winnt somewhere on your web server and start a collection of windows virii there.
01-25-2003, 12:57 PM, #5
Senior Member, Original Poster (Registered: Dec 2002; Location: Atlantic City, NJ; Distribution: Ubuntu & Arch; Posts: 3,503)
What does the virus do? It looks like it's trying to "GET" this folder. What if I put some .exe file in there? Would it download the file? Oh boy, people could have fun with this.
01-28-2003, 01:58 PM, #6
Member (Registered: Sep 2002; Posts: 310)
Quote (originally posted by Crashed_Again):
What does the virus do? It looks like it's trying to "GET" this folder. What if I put some .exe file in there? Would it download the file? Oh boy, people could have fun with this.
It's trying to gain System access to a Windows machine via vulnerable IIS webserver. Try searching Google for Code Red, Nimda, and SirCam.