LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 04-25-2004, 10:11 PM   #1
dm0nkz
LQ Newbie
 
Registered: Feb 2003
Posts: 8

Rep: Reputation: 0
Analyzing Apache Logs


Recently I've been having some consistently annoying logs on my Apache server.
Although it doesn't really compromise my system in terms of breaking in,
it's really getting annoying and I think that the attacker is both wasting
his/her and my bandwidth...



Here is a copy of the log... (I CHANGED THE IP OF COURSE :-))

253.1a1.aaa.186 - - [26/Apr/2004:18:51:45 +0800] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
... more lines like the above ...
... more lines like the above ...
... more lines like the above ...
... more lines like the above ...
0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 340 "-" "-"

--------------------- end of log -----------------------

It's been hogging my logs and it's occurring at a constant rate...


Some questions that I have:
1) Is anyone familiar with this attack?
2) Does Apache have a defense mechanism for this?
3) What are the ways to defend against these annoying attacks?

I'm thinking of putting up a string match for "x02\xb1" on my iptables
firewall?

I would appreciate all comments, suggestions, and information...
Thanks in advance!

God Bless.

dm0nkz
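
As an added example (not part of this thread or the poster's own setup), the script below parses combined-format Apache lines like the one above and flags this request pattern from the defender's side: a WebDAV method such as SEARCH, a long run of escaped 0x90 bytes (a NOP sled, which Apache logs as the literal text \x90), a URI made mostly of escaped binary, and the 414 status. Note what the 414 in the log already tells you: Apache answered "Request-URI Too Long" and rejected the request rather than processing it, so the remaining concern is the log volume and the source address, which the per-IP count below tracks. The sample lines, IPs and thresholds are constructed assumptions, not data from the post.

```python
import re
from collections import Counter

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Apache writes non-printable request bytes as literal \xNN text, so the 0x90
# NOP sled and the 0x02 0xb1 filler from the post appear as these escape sequences.
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')
NOP_RE = re.compile(r'\\x90')

SAFE_METHODS = {"GET", "HEAD", "POST"}
NOP_SLED_MIN = 16        # assumed threshold: this many escaped 0x90 bytes in one URI
ESCAPED_BYTES_MIN = 64   # assumed threshold: URI that is mostly binary


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts[0] else "-"
    entry["path"] = parts[1] if len(parts) > 1 else ""
    # A request line cut off by the 414 limit (as in the post) has no protocol token.
    entry["protocol"] = parts[2] if len(parts) > 2 else ""
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of reasons this request resembles the WebDAV overflow probe."""
    reasons = []
    if entry["method"] not in SAFE_METHODS:
        reasons.append("non-standard method " + entry["method"])
    nops = len(NOP_RE.findall(entry["path"]))
    if nops >= NOP_SLED_MIN:
        reasons.append(f"nop-sled ({nops} x \\x90)")
    escaped = len(ESCAPED_BYTE_RE.findall(entry["path"]))
    if escaped >= ESCAPED_BYTES_MIN:
        reasons.append(f"binary uri ({escaped} escaped bytes)")
    if entry["status"] == 414:
        reasons.append("414 Request-URI Too Long (Apache rejected it)")
    return reasons


def scan(lines):
    """Return (entry, reasons) for every parseable line that trips at least two checks."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if len(reasons) >= 2:
            hits.append((entry, reasons))
    return hits


def hits_by_ip(lines):
    """Count flagged requests per source address, for rate tracking or a block list."""
    return Counter(entry["ip"] for entry, _ in scan(lines))


def _probe(ip, stamp):
    # Constructed request modelled on the post: 0x90, then 0x02 0xb1 filler, then a run of 0x90.
    uri = "/" + r"\x90" + r"\x02\xb1" * 60 + r"\x90" * 40
    return f'{ip} - - [{stamp}] "SEARCH {uri}" 414 340 "-" "-"'


# Constructed sample log; addresses are documentation/private ranges, not real hosts.
SAMPLE_LINES = [
    '10.0.0.5 - - [26/Apr/2004:18:50:02 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    _probe("192.0.2.44", "26/Apr/2004:18:51:45 +0800"),
    _probe("192.0.2.44", "26/Apr/2004:18:52:45 +0800"),
    _probe("198.51.100.9", "26/Apr/2004:18:53:10 +0800"),
    "garbage line that does not parse",
    '10.0.0.7 - - [26/Apr/2004:18:54:00 +0800] "OPTIONS / HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_LINES):
        print(entry["ip"], entry["ts"], entry["method"], "; ".join(reasons))
    print(hits_by_ip(SAMPLE_LINES))
```

Requiring two independent reasons keeps a lone OPTIONS request or an unrelated 414 from being flagged; feed the script your access_log (one line per element of the list) and the per-IP counter gives you the addresses and rate to act on.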
 
Old 04-26-2004, 11:46 AM   #2
shubb
Member
 
Registered: Oct 2003
Location: San Francisco
Distribution: Slackware 13.37
Posts: 150

Rep: Reputation: 16
I have seen this same log message coming in my server logs for months, and it is the Welchia webdav exploit for Windows servers. The normal iptables does not have a way to block this, since it only looks at the IP headers, and not at the payload of the packet. There is a patched version of iptables called patch-o-matic that can filter on the TCP data. You have to re-compile your kernel with the new code, so you have to know what you are doing to apply it. Here's an article about it.

http://www.linuxsecurity.com/feature...story-148.html
 
Old 04-26-2004, 03:50 PM   #3
moonloader
Member
 
Registered: Nov 2003
Location: linuxquestions.org
Distribution: Linux and BSD
Posts: 229

Rep: Reputation: 30
Re: Analyzing Apache Logs

Quote:
Originally posted by dm0nkz
[post #1 quoted in full]
Who knows, maybe someone is trying to exploit your web server remotely! There are many exploits out there! Don't forget to update and to use the latest version. You can test your web server easily with Nessus or Nikto or SARA or SATAN and they will tell you a lot. If you know the attacker's IP then just block the IP range or ban it; there are many scripts for that on the web.

good luck
 