Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Attack on apache, maybe??? 4

Status
Not open for further replies.
hagai

hagai

Technical User
Aug 4, 2001
3
CA
Hi, I am not a newbee when it comes to linux and apache but over the last few days i noticed something weired with my apache access logs. Below is an example of what i mean:

24.100.202.84 - - [03/Aug/2001:14:13:22 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u909
0%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 247
24.100.148.152 - - [03/Aug/2001:14:15:33 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u90
90%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 247

Never from the same ip. Does anyone know what this is? Is is some kind of memory overflow attack?

Thanks

Hagai
 
Sort by date Sort by votes
This is the dreaded Code Red worm (do a search on Cnet, or ZDNet, or any major computer-related website). Well, dreaded if you run IIS. Don't worry; it can't do anything to Apache.

See thread83-115397
 
Upvote 0 Downvote
How can I strip these lines from my access_log file?

I can grep to extract them to a file which I can then examine and notify ISPs, but I'd like to remove the lines from the access_log file.

When I check my stats for hits and stuff I got hundreds of those lines which are screwing up my reports.

 
Upvote 0 Downvote
I am CONSTANTLY getting the same thing in my access log...(34 TIMES TODAY ALONE! - it is only 1030am here!) i thought maybe it was a hack attempt. my error log is showing (seemingly in response to these "attacks")
"File does not exist: c:/apache/htdocs/default.ida"

on occasion my server is brought down, could this be causing my occasional outages? What exactly is happening when this access is attempted? where is it coming from? so many questions could someone please clue me up?
 
Upvote 0 Downvote
Relax... this attack can't do anything to your system unless you have a default install of a recent version of Internet Information Server, from Microsoft.

The Code Red worm is simply querying IP addresses at random, posing as a web browser, hoping the computer at that address is running IIS, with the file default.ida available. If that file is unavailable, (as it is in Apache) then the only thing that will happen is your server will respond with an Error 404 page, and log an event into your error_log file.

And these attacks would have to be in significantly higher quantity to simply take your server down, as with a DoS attack (a flood of bad requests). I have had almost 3000 attempts on my home DSL system with Apache installed, but even that is relatively low bandwidth (total bandwidth usage:a couple of megs). More likely it is your ISP that is suffering from too much traffic through its routers, since there are still many infected IIS stations. See thread83-115397
 
Upvote 0 Downvote
i'm getting the same lines in my logs, but since these messages started to appear, the navigation on my site is somehow broken
every link i click i'm getting only the index page or i get the "cannot find server" error
is that somehow bound with the code red worm or is that an apache problem, the files my web page is using have not been change
help plz
 
Upvote 0 Downvote
Ok...

One more time...

CODE RED CANNOT HURT APACHE...
except if 1000's of them are hitting you at one time and overload your resources (possible, but not bloody likely)

at the height of code red, my webservers were averaging 1000-3000 of these a day with no ill effects on my servers...

Moral of the story... keep FAR awayfrom any M$ product :)

---
John Hoke
 
Upvote 0 Downvote
piti- Obviously something else is wrong with Apache, and without any details, there is no way we can help. I suggest you start a new thread in the Apache forum, explain exactly how you installed Apache, and give as much detail as possible about when and how the error happens.
 
Upvote 0 Downvote
well the link problem disapeared :)
while i was searching the logs for answers, my colleague found out it is already working normaly
on the clients reactions we know, that the described situation lasted for about 3 days
and i stil don't know what was the problem and how it was "repaired"
but thanks for your interrest
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AbidingDude
  • Locked
  • Question
Newbie Apache Cache Question
Replies
5
Views
195
AbidingDude
AbidingDude
bhuv560
  • Locked
  • Question
Postfix Installation on EC2 AWS Linux
Replies
0
Views
86
bhuv560
bhuv560
daniel.warner
  • Locked
  • Question
Desperately need help setting up wildcard certs on Apache/Tomcat
Replies
2
Views
148
daniel.warner
daniel.warner
gregor weertman
  • Locked
  • Question
set samba "template shell" dependent on group
Replies
0
Views
77
gregor weertman
gregor weertman
lslamp
  • Locked
  • Question
Bash Onliner ... 1
Replies
2
Views
147
lslamp
lslamp

Part and Inventory Search

Sponsor

Back
Top