
access and error log 2


getingrey

Programmer
Sep 21, 2001
Help required ... my access log looks like the following all day each day....

24.67.180.145 - - [21/Sep/2001:14:18:20 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
24.67.180.145 - - [21/Sep/2001:14:18:21 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 278
24.67.180.145 - - [21/Sep/2001:14:18:21 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
24.67.180.145 - - [21/Sep/2001:14:18:21 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
24.67.180.145 - - [21/Sep/2001:14:18:21 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
24.67.180.145 - - [21/Sep/2001:14:18:21 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319
24.67.180.145 - - [21/Sep/2001:14:18:21 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319
24.67.180.145 - - [21/Sep/2001:14:18:22 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335
24.67.180.145 - - [21/Sep/2001:14:18:22 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
24.67.180.145 - - [21/Sep/2001:14:18:22 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
24.67.180.145 - - [21/Sep/2001:14:18:22 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
24.67.180.145 - - [21/Sep/2001:14:18:22 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
24.67.180.145 - - [21/Sep/2001:14:18:22 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
24.67.180.145 - - [21/Sep/2001:14:18:23 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
24.67.180.145 - - [21/Sep/2001:14:18:23 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
24.67.180.145 - - [21/Sep/2001:14:18:23 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302

My error log mirrors this with errors

Is my server or machine compromised and how do I stop this from happening to my server?

Thanks in Advance
Grey

 
If you're running under linux, you shouldn't have too much to worry about. If you get an e-mail called README.EML, I'd delete it without opening it because I heard it has a java script attached that can mess with your e-mail.
 
Your questions are valid. Even though you are running Apache and this is the Nimda worm that *attacks* IIS, Nimda is *affecting* Apache by filling your logs with junk, not to mention the bandwidth being wasted when you send back a 404 page to each of these requests.

In the interests of protecting yourself from further *hits*, do the following.

In your .htaccess file add the following lines:
Code:
redirect /scripts http://stoptheviruscold.invalid
redirect /c http://stoptheviruscold.invalid
redirect /d http://stoptheviruscold.invalid
redirect /_mem_bin http://stoptheviruscold.invalid
redirect /msadc http://stoptheviruscold.invalid
# RedirectMatch takes a regular expression: match cmd.exe at the end of the URL path
RedirectMatch (.*)/cmd\.exe$ http://stoptheviruscold.invalid

If you can modify the httpd.conf file, then you could put these lines in there and all virtual servers will be protected too. This will redirect the attacks and keep your logs from filling up with junk.

Einstein47
("For every expert, there is an equal and opposite expert." - Arthur C. Clarke)
 
Wow, this is the info I was looking for... (I have the same prob) cheers!

Tell me... if I were to put those entries into httpd.conf (I don't have an .htaccess), would I be putting them where all the redirects for relocated docs go?
 
Hi again... Einstein, if you are listening...

I entered those lines into my httpd.conf as instructed. However, the following lines appear in my access.log for last night...

mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:18 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 299
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 313
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 313
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 290
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 343
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 374
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:21 +1200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:21 +1200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323

I am assuming this is the same problem (Nimda). I wouldn't be too concerned about it, using Apache; however, each attack seems to trigger a "freeze" of my CGI application (.exe) which runs on this machine, effectively bringing my web server to a halt. I assume this because this is what I find in my error.log.

[Mon Aug 12 09:15:11 2002] [error] [client 210.55.240.179] File does not exist: c:/apache/htdocs/scripts/..%5c/winnt/system32/cmd.exe
[Mon Aug 12 09:15:27 2002] [error] [client 210.55.240.179] File does not exist: c:/apache/htdocs/scripts/..%5c/winnt/system32/cmd.exe
[Mon Aug 12 09:15:47 2002] [error] [client 210.55.240.179] Invalid URI in request GET /../winnt/system32/cmd.exe HTTP/1.1
[Mon Aug 12 17:16:32 2002] [error] [client 65.40.203.33] Client sent malformed Host header
[Mon Aug 12 17:43:36 2002] [error] [client 172.181.115.2] Client sent malformed Host header
[Mon Aug 12 20:00:19 2002] [error] [client 210.187.26.229] File does not exist: c:/apache/htdocs/msadc/root.exe
[Mon Aug 12 20:07:53 2002] [error] [client 210.187.26.229] File does not exist: c:/apache/htdocs/msadc/root.exe
[Mon Aug 12 20:11:49 2002] [error] [client 211.75.225.46] Client sent malformed Host header
[Mon Aug 12 21:34:46 2002] [error] [client 210.12.211.102] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 01:05:41 2002] [error] [client 210.3.177.179] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 07:07:29 2002] [error] [client 210.54.214.197] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 10:10:07 2002] [error] [client 80.24.228.251] Client sent malformed Host header
[Tue Aug 13 11:30:18 2002] [error] [client 210.54.214.197] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 11:41:39 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe
[Tue Aug 13 11:41:46 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe
[Tue Aug 13 11:41:51 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe

The "premature end of script headers" warning always seems to come at the first access after an "attack".

Help me.... pleeeeze


 
Hmmm - sorry for the delay, I couldn't get to Tek-tips for a few weeks.

The article I got the info from is here

The lines that I found most useful in my httpd.conf file are:
Code:
RedirectMatch (.*)/cmd\.exe http:/junk
RedirectMatch (.*)/root\.exe http:/junk


You see the dollar sign ($) indicates the end of the line. So in my previous post, only the cmd.exe that was at the end of the line was caught. Removing the ($) should catch all references. Also adding the line for root.exe should help you too.

I don't know why it would be causing your CGI to crash. Obviously the Nimda worm *can* affect Apache more than we realize.

Good luck, and let me know what you come up with.

Einstein47
("For every expert, there is an equal and opposite expert." - Arthur C. Clarke)
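As an added example that is not code from the thread: a small Python checker that parses Apache common-log lines, applies the cmd.exe/root.exe patterns from the posts above (without the trailing `$`) to the URL path, and reports per client how many probes were redirected by the rules, rejected by Apache, or still fell through to a 404. The log lines and hosts in it are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (Apache common log format) modelled on the thread's probes; hosts are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Aug/2002:11:30:18 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 299
10.0.0.5 - - [13/Aug/2002:11:30:19 +1200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
10.0.0.5 - - [13/Aug/2002:11:30:19 +1200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 313
10.0.0.5 - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
10.0.0.5 - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
10.0.0.9 - - [13/Aug/2002:12:01:02 +1200] "GET /index.html HTTP/1.0" 200 1043
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')

# Python form of the thread's cmd.exe / root.exe RedirectMatch patterns, with the trailing $
# dropped so they match anywhere in the path; case-insensitive, unlike Apache's Redirect prefix match.
PROBE_RE = re.compile(r'/(?:cmd|root)\.exe', re.IGNORECASE)

def parse_line(line):
    """Split one common-log line into fields; returns None for lines that do not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # RedirectMatch tests the URL path only, so strip the query string before matching.
    rec['path'] = rec['target'].split('?', 1)[0]
    rec['status'] = int(rec['status'])
    rec['probe'] = PROBE_RE.search(rec['path']) is not None
    return rec

def outcome(status):
    """3xx: a Redirect rule fired; 400: Apache rejected the malformed URL; else the probe fell through."""
    if 300 <= status < 400:
        return 'redirected'
    return 'rejected' if status == 400 else 'missed'

def summarize(log_text):
    """Per client host: number of worm probes seen and how each one was answered."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['probe']:
            continue
        counts = summary.setdefault(rec['host'], Counter())
        counts['probes'] += 1
        counts[outcome(rec['status'])] += 1
    return summary
```

In the sample, the `/MSADC/root.exe` line is counted as "missed" because `redirect /msadc` only matches the lowercase prefix, which is what the poster's own log shows.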
 
I might be wrong...

From what I've found, that is the Code Red worm. If you have not been compromised by now, you are not going to be. I have seen the same thing in my logs.
My system is an HP XE 743, 600MHz Celeron, 512MB RAM, running the infamous, Windows 2000 Professional...I use Apache HTTP server and I had the same stuff going on...All I did was get Service Pack 3 and made sure Norton was running all the time, with a scan for viruses scheduled in sync with the ISP's downtime. Anyway, Code Red is what is doing that. Just check up on what to do to secure your platform/application against it.

hope this helps...

--Rich
 
This has been a great thread... But I have another concern, since I have the same issue with Apache 2.0.39 (I have to use it as a proxy for WebLogic, so I can't upgrade to 2.0.40) and it's on Windows 2K Server. Do the suggested fixes, i.e. the configuration changes, still work for Win 2K?
 
They certainly won't hurt. I would suggest getting the patches from Microsoft for your Win2K OS to protect yourself from Nimda and Code Red. But since you are NOT using IIS, then *technically* you should be fine with these modifications.

If you are behind a firewall, then changes could be made there to better protect you (changes were made to our firewall, but I don't know what they were). I haven't seen those garbage messages in months.

Good luck.

Einstein47
("If vegetarians eat vegetables, what do humanitarians eat?")
 