LinuxQuestions.org


ScreeminChikin 01-09-2003 02:30 PM

weird Apache log entry
 
I found this in my Apache access log:

216.174.251.43 - - [09/Jan/2003:14:02:11 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 320 "-" "-"

I'm used to seeing all the IIS red worm entries but this is one I haven't seen before. Should I be worried? My error log shows that IP sent a malformed host header.

epeus 01-09-2003 05:17 PM

Hi, I get very similar entries to the one you have mentioned! I have given up checking the IP and trying to suss out what each and every one is!!! :)

But if anyone else knows what the entry is, I would also like to know exactly what it means!

Ed.

antken 01-09-2003 05:40 PM

I get these on one of my servers all the time.

Basically it's one of those 'bugs' that are so rare in Windows :rolleyes:

Basically it's overloading a buffer of some sort. Then, in your case, you have got %xxx %xxx %xxx after the NNNNN's; that is using some sort of encoding where each number will represent a letter or number. If you can decode it, it would be the same (I think) as the plain text version.

It's nothing to worry about on a Linux box.


My server that used to be IIS had this attack, got hacked and was running some sort of IRC server in the background because of it, and the default page (index.html) was replaced by something like "I got hacked by some cult in some far distant place", and that's why I run Linux.

Or you could tick them off a little by creating default.ida in the root of your server and putting a nice 'polite' message in there ;)

ScreeminChikin 01-09-2003 05:45 PM

Now I'm intrigued. What exactly is a default.ida?

antken 01-09-2003 06:03 PM

To be perfectly honest, I have no idea.

It's probably one of Microsoft's default files.
As far as I can tell, when you install IIS you are supposed to disable the default www site then create a new site; basically this default.ida and all the bugs reside on this default website config.


This is not an advert, but because I have seen how crap IIS is, if someone asked me to run an ASP server I would get them to buy an out-of-the-box rack server similar to the Sun Cobalt RaQ 3/4 or a Matrix rack server.

It comes with the FrontPage extension modules and extra modules to run the ASP scripts.

Or I would highly recommend converting to PHP (cos it's just so good, i.e. creating images on the fly, PDF files on the fly, need I go on?)

turnip 01-09-2003 06:53 PM

That is an IIS exploit, I believe it's Nimda.

Crashed_Again 01-10-2003 05:36 AM

I get these kinds of log entries daily on my Linux server:

"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 384 "-" "-"

This may be a silly question, but if this is a known exploit then would it be possible to actually have a root.exe file that would patch the infected server or try to inform the server that it is infected? Or what about a root.exe file that adds the infected server to the hosts.deny file so that you don't have to look through all these damn log entries with Windows exploits?
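As an added example (not code from this thread or from any of the posters), here is a small Python script that does what the posters are doing by hand: it parses Apache combined-format access log lines, flags the default.ida/%u, root.exe and cmd.exe requests quoted in this thread, decodes the %uXXXX units antken describes into the bytes IIS would have produced, and lists the source IPs as candidates for a block list. The sample lines are constructed from the entries quoted above; 10.0.0.7 and 192.0.2.9 are made-up addresses, and the default.ida query is shortened.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache combined format), modelled on the
# entries quoted in this thread. The default.ida query is shortened; 10.0.0.7
# and 192.0.2.9 are made-up addresses.
SAMPLE_LOG = """\
216.174.251.43 - - [09/Jan/2003:14:02:11 -0600] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 320 "-" "-"
10.0.0.7 - - [10/Jan/2003:05:36:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 384 "-" "-"
10.0.0.7 - - [10/Jan/2003:05:36:01 -0600] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 384 "-" "-"
192.0.2.9 - - [10/Jan/2003:06:00:00 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request patterns quoted in the thread, each mapped to a label for the report.
SIGNATURES = [
    ("default.ida %u overflow (Code Red family)", re.compile(r'/default\.ida\?.*%u', re.I)),
    ("root.exe backdoor probe (Nimda family)", re.compile(r'/root\.exe', re.I)),
    ("cmd.exe probe", re.compile(r'/cmd\.exe', re.I)),
]

PERCENT_U = re.compile(r'%u([0-9a-fA-F]{4})')


def parse_line(line):
    """Return the interesting fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the first matching signature label, or None for ordinary traffic."""
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return label
    return None


def decode_percent_u(text):
    """Turn the %uXXXX sequences into the bytes IIS would have produced.

    %u encoding is a non-standard IIS form naming a 16-bit code unit; on x86
    each unit is stored little-endian, so %u6858 becomes the bytes 58 68 ("Xh").
    """
    return b"".join(int(h, 16).to_bytes(2, "little") for h in PERCENT_U.findall(text))


def scan(log_text):
    """Classify every line; return (per-IP signature counters, list of flagged records)."""
    per_ip = defaultdict(Counter)
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["path"])
        if label is None:
            continue
        rec["label"] = label
        rec["decoded_len"] = len(decode_percent_u(rec["path"]))
        per_ip[rec["ip"]][label] += 1
        flagged.append(rec)
    return per_ip, flagged


def deny_candidates(per_ip):
    """Source IPs that sent at least one worm-style probe, sorted, for a block list."""
    return sorted(per_ip)


if __name__ == "__main__":
    per_ip, flagged = scan(SAMPLE_LOG)
    for rec in flagged:
        extra = f' ({rec["decoded_len"]} decoded bytes)' if rec["decoded_len"] else ""
        print(f'{rec["ip"]:16} {rec["status"]} {rec["label"]}{extra}')
    print("deny candidates:", ", ".join(deny_candidates(per_ip)))
```

Two practical points for anyone wiring this up: Apache does not consult /etc/hosts.deny (that file belongs to TCP Wrappers, used by services run through tcpd or linked against libwrap), so a generated list would have to feed a firewall rule or an Apache `Deny from` directive instead; and since these requests come from infected IIS hosts and Apache answers them with 400 or 404, the script is for cutting log noise, not for closing a hole.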

ScreeminChikin 01-10-2003 08:14 AM

The root.exe thing is strictly an IIS thing. There's also one that looks for cmd.exe, same deal. I get hundreds of those a day. I imagine that if you were running an IIS server and you put the patch in there and named it cmd.exe or whatever, then if the server were to get infected the first thing it would do is overwrite that file. Ya think?

antken 01-10-2003 09:09 AM

My ex-IIS server was infected from these attacks and cmd was not replaced.

cmd.exe, from what I can remember, is like sh/bash on Linux: it's the command interpreter. root.exe, I don't know what the heck that is, just a back door I suspect.


All times are GMT -5. The time now is 05:48 PM.