Hackers or what ?

[Neutje]

Check these error from my error log
it's full of it!

[Tue Sep 18 23:23:29 2001] [error] [client 217.136.81.96] File does not exist: e:/msadc/root.exe
[Tue Sep 18 23:23:30 2001] [error] [client 217.136.81.96] File does not exist: e:/c/winnt/system32/cmd.exe
[Tue Sep 18 23:23:30 2001] [error] [client 217.136.81.96] File does not exist: e:/d/winnt/system32/cmd.exe
[Tue Sep 18 23:23:40 2001] [error] [client 217.136.82.39] File does not exist: e:/scripts/root.exe
[Tue Sep 18 23:23:40 2001] [error] [client 217.136.82.39] File does not exist: e:/msadc/root.exe
[Tue Sep 18 23:23:41 2001] [error] [client 217.136.82.39] File does not exist: e:/c/winnt/system32/cmd.exe
[Tue Sep 18 23:23:41 2001] [error] [client 217.136.82.39] File does not exist: e:/d/winnt/system32/cmd.exe
[Tue Sep 18 23:23:42 2001] [error] [client 217.136.82.39] File does not exist: e:/scripts/..%5c/winnt/system32/cmd.exe
[Tue Sep 18 23:23:51 2001] [error] [client 217.136.82.39] File does not exist: e:/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Tue Sep 18 23:23:51 2001] [error] [client 217.136.82.39] File does not exist: e:/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Tue Sep 18 23:23:52 2001] [error] [client 217.136.82.39] Filename is not valid: e:/msadc/..%5c/..%5c/..%5c/..á/..á/..á/winnt/system32/cmd.exe
[Tue Sep 18 23:23:52 2001] [error] [client 217.136.82.39] Filename is not valid: e:/scripts/..á/winnt/system32/cmd.exe
[Tue Sep 18 23:23:53 2001] [error] [client 217.136.82.39] File does not exist: e:/scripts/..à¯/winnt/system32/cmd.exe
[Tue Sep 18 23:23:53 2001] [error] [client 217.136.82.39] File does not exist: e:/scripts/..áœ/winnt/system32/cmd.exe
[Tue Sep 18 23:23:54 2001] [error] [client 217.136.82.39] File does not exist: e:/scripts/..%5c/winnt/system32/cmd.exe
[Tue Sep 18 23:23:54 2001] [error] [client 217.136.82.39] File does not exist: e:/scripts/..%2f/winnt/system32/cmd.exe
[Tue Sep 18 23:24:13 2001] [error] [client 217.136.64.212] File does not exist: e:/scripts/root.exe
[Tue Sep 18 23:24:14 2001] [error] [client 217.136.64.212] File does not exist: e:/msadc/root.exe
[Tue Sep 18 23:24:15 2001] [error] [client 217.136.64.212] File does not exist: e:/c/winnt/system32/cmd.exe
[Tue Sep 18 23:24:16 2001] [error] [client 217.136.64.212] File does not exist: e:/d/winnt/system32/cmd.exe
[Tue Sep 18 23:24:20 2001] [error] [client 217.136.64.212] File does not exist: e:/scripts/..%5c/winnt/system32/cmd.exe
[Tue Sep 18 23:24:21 2001] [error] [client 217.136.64.212] File does not exist: e:/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Tue Sep 18 23:24:22 2001] [error] [client 217.136.64.212] File does not exist: e:/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Tue Sep 18 23:24:23 2001] [error] [client 217.136.64.212] Filename is not valid: e:/msadc/..%5c/..%5c/..%5c/..á/..á/..á/winnt/system32/cmd.exe
[Tue Sep 18 23:24:24 2001] [error] [client 217.136.64.212] Filename is not valid: e:/scripts/..á/winnt/system32/cmd.exe
[Tue Sep 18 23:24:29 2001] [error] [client 217.136.64.212] File does not exist: e:/scripts/..à¯/winnt/system32/cmd.exe
[Tue Sep 18 23:24:30 2001] [error] [client 217.136.64.212] File does not exist: e:/scripts/..áœ/winnt/system32/cmd.exe
[Tue Sep 18 23:24:33 2001] [error] [client 217.136.64.212] File does not exist: e:/scripts/..%5c/winnt/system32/cmd.exe
[Tue Sep 18 23:24:33 2001] [error] [client 217.136.64.212] File does not exist: e:/scripts/..%2f/winnt/system32/cmd.exe
[Tue Sep 18 23:33:18 2001] [error] [client 217.136.40.204] File does not exist: e:/scripts/root.exe
[Tue Sep 18 23:33:19 2001] [error] [client 217.136.40.204] File does not exist: e:/msadc/root.exe

 

[rycamor]

Yes, this is just the latest IIS worm. Since this morning I have had over 3500 attmempts in my Apache/Unix machine, and that's just on my home DSL connection!

There's a link on

http://www.Slashdot.org

about it right now.

This worm aparently bundles together several known vulnerabilities in IIS. When it gains control of a Windows webserver, it then starts attaching a file called "readme.eml" to every web page served. Those browsing these sites with IE might actually download and execute this file without even knowing. It then (AFAIK)writes some changes to the registry, and takes control of Outlook, emailing viruses to others.

I don't know any more at the moment, but it looks pretty bad. Mail servers and networks are crashing all over the place.

 

[RhythmAce]

HOLY SMOKES!!

After reading this thread, I checked my error log and found the same thing. I was going to list all his IP addresses but there were too many. I noticed that he started at 6:43 this morning and was still running up until I checked the log. I closed it and just reopened it and its still adding the same stuff. I'm gonna shut down until I can think of a way to catch the little putz. BBL

 

[Ganton]

You can rid yourself of these annoying entries with the following lines in your apache config file:

At the VERY top:
SetEnvIfNoCase Request_URI MSADC attack_indicator
SetEnvIfNoCase Request_URI SCRIPTS attack_indicator
SetEnvIfNoCase Request_URI VTI_BIN attack_indicator
SetEnvIfNoCase Request_URI MEM_BIN attack_indicator
SetEnvIfNoCase Reqeust_URI /.EXE$ attack_indicator
SetEnvIfNoCase Reqeust_URI DEFAULT.IDA attack_indicator

Add to the end of your CustomLog and ErrorLog directives:
env=!attack_indicator

Add to any Directory or VirtualHost directives:
Deny from env=attack_indicator

This also takes care of Code Red attacks!

Hope this helps!

 

[Ganton]

Sorry folks, one thing about my little "fix",

Make sure that all of these directives follow the

AddModule mod_setenvif.c directive.........


and..........My RegEx is a little weak, can anyone tell
us why the .exe entry isn't working ????


TIA
G

 

[RhythmAce]

Thanx Ganton. I was fixin' to give it a try but it looks like it stopped. It was doing that for 15 straight hours. From 6:43 am to 9:57 pm. It doesn't look like he found what he was looking for since I have a linux box but I bet he was using some major bandwidth. I think I'll take you up on your suggestion though, just incase it happens again. Thanks again.

 

[Neutje]

héhé, tnx 4 the great responses!

I wish I also got some great responses to my other post where nobody could help me yet

http://www.tek-tips.com/gviewthread.cfm/lev2/3/lev3/22/pid/65/qid/136124

 

[Ganton]

Just for clarification, these requests are the result of the NIMDA worm/virus, not the efforts of one hacker

 

[RhythmAce]

Hi Ganton,
I tried your fix. I copied and pasted to where the different lines were supposed to go but when I restart httpd, I get an error that says it doesn't understand env=!attack_indicator. Do I need to do a little more than just add the line to the end of the error log directives? By the way, is anybody else having this problem? Mine's been going on for over 50 hours now. I also got an e-mail in my root mail box called README.EML. I think that's the one with the java script attached because I opened it with a text edit and saw what looks like a binary file.

 

[Ganton]

Rhythm:

My bad, that directive will only work with the CustomLog directive. Which is the log entry that handles the access_log.

The only way I can see to get rid of the "File Does Not Exist" entries in the error_log, is to set the LogLevel to crit

This will of course cut the amount of logging you get, and legitimate attempts to get access to non-existent files will not be logged........

I'll keep looking

 

[sarm]

hi,

I to have seen the same in my logs files. My log files are getting very large. Can you delete log files? Are they created new? For example I have error_log , error_log1,
error_log2. Can I delete them also?

thank you

 

[getingrey]

I'm guessing that these entries are an attempt of the worm to compromise......my or the servers....With these entries in our logs does it mean it is trying to enter or has and compromised the system?

 

[RhythmAce]

Yes you can delete anything in the log directory is you want. They are there to help you keep track of your server's activities. What I did was delete everything in the logs directory since the were just about useless and restarted httpd. When you restart apache it recreates all new logs that don't exist.

To answer gettingrey's question, yes, it's trying to call commands and aquire Super User entry and attach something funky to your outgoing e-mail, but unless you have an IIS server, I dont think it can do too much. The only problem I've found so far is that the darn thing just won't go away and slows things down just a bit.

 

[Wullie]

Seems like this worm is everywhere.

I have a lot of strange entries in my files as well.

My server has received calls for certain files roughly 40 or 50 times a second for the last few hours.

Wullie Wullie

http://www.survivorhelp.co.uk