
virus attacks / script headers 1

Status
Not open for further replies.

Tracey | Programmer | Oct 16, 2000 | NZ
Hi there

I have a CGI application (.exe) running on Apache 1.3 / Win NT4.

The app has been running happily for a couple of years now; however, lately there have been a number of times where many instances of my app have been left hanging, effectively bringing my server to a halt.

I looked through my error and access logs, and found entries that looked suspect. I have since been told that it is that friend of M$, Nimda, trying to attack my machine. I was given some entries to put into httpd.conf, which I did yesterday. These were:
Code:
Redirect /scripts http://stoptheviruscold.invalid
Redirect /c http://stoptheviruscold.invalid
Redirect /d http://stoptheviruscold.invalid
Redirect /_mem_bin http://stoptheviruscold.invalid
Redirect /msadc http://stoptheviruscold.invalid
RedirectMatch (.*)/cmd\.exe$ http://stoptheviruscold.invalid
However, the multiple frozen instances occurred again this morning, and on viewing the logs I find many similar entries:

error.log

[Mon Aug 12 17:16:32 2002] [error] [client 65.40.203.33] Client sent malformed Host header
[Mon Aug 12 17:43:36 2002] [error] [client 172.181.115.2] Client sent malformed Host header
[Mon Aug 12 20:00:19 2002] [error] [client 210.187.26.229] File does not exist: c:/apache/htdocs/msadc/root.exe
[Mon Aug 12 20:07:53 2002] [error] [client 210.187.26.229] File does not exist: c:/apache/htdocs/msadc/root.exe
[Mon Aug 12 20:11:49 2002] [error] [client 211.75.225.46] Client sent malformed Host header
[Mon Aug 12 21:34:46 2002] [error] [client 210.12.211.102] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 01:05:41 2002] [error] [client 210.3.177.179] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 07:07:29 2002] [error] [client 210.54.214.197] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 10:10:07 2002] [error] [client 80.24.228.251] Client sent malformed Host header
[Tue Aug 13 11:30:18 2002] [error] [client 210.54.214.197] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 11:41:39 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe
[Tue Aug 13 11:41:46 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe
[Tue Aug 13 11:41:51 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe

etime.exe is my app. I am assuming the "premature" errors are caused somehow by the attacks. Am I right? (Point to note: this error only seems to occur after the "attacks". Once the processes have been killed off, all returns to normal and etime runs as expected.)

Corresponding access entries include:
Code:
user33.net518.tx.sprint-hsd.net - - [12/Aug/2002:17:16:32 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 324

dnskbi - - [12/Aug/2002:20:00:19 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 299

mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:18 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 299
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 313
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 313
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 290
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 343
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 374
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:21 +1200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:21 +1200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323
Can anyone out there give me some advice on preventing this?
 
If your box is a Windows machine, disable IIS. I had the same thing happen. The entry in the access log with all the NNNNNNNNNNNNNNNNNNNNNNNN is a buffer overflow attack (from what I have been able to find out so far). According to Microsoft, the "Hot-Fix" they have for it is supposed to take care of that... only if you haven't upgraded to Service Pack 3. There is no hot fix for SP3... which is leaving me wide open. Now for your second group of entries: check your error log and match the client and time and see if there is an error "file does not exist", because if there is, there is a good chance that the hacker didn't get too far. I hope this helps... If you want I can dig up the URLs to the hotfixes and SP3 stuff so you can read up on it for yourself.
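The two posts above describe the manual procedure: recognise the worm probes in access.log, then line each one up with the error.log entry for the same client and second to see how the server dealt with it. The script below, an added example written for this thread and not code from any of the posters, does that mechanically. The log lines are constructed in the shape of the entries quoted above, with documentation IP ranges in place of the real clients; the signature labels and function names are this example's own. It assumes HostnameLookups is off so the client field is an address (hostnames such as "dnskbi" cannot be joined to error.log, and the summary flags them), and it ends with the question the thread actually asks: whether the "Premature end of script headers" failures cluster in time with the probes.

```python
"""Classify worm probes in Apache 1.3 logs and correlate them with error.log.

Added example for this thread, not code from any poster. Log lines are
constructed in the thread's formats with documentation IP ranges; signature
labels and function names are this example's own choices.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed access.log lines (common log format). HostnameLookups is assumed
# off, so the client field is an address and can be joined to error.log.
ACCESS_LOG = """\
198.51.100.7 - - [12/Aug/2002:17:16:32 +1200] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 324
203.0.113.10 - - [13/Aug/2002:11:30:18 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 299
203.0.113.10 - - [13/Aug/2002:11:30:19 +1200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
203.0.113.10 - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323
203.0.113.10 - - [13/Aug/2002:11:30:21 +1200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
192.0.2.44 - - [13/Aug/2002:11:41:39 +1200] "GET /cgi-bin/etime.exe HTTP/1.0" 500 0
"""

# Constructed error.log lines in the thread's format.
ERROR_LOG = """\
[Mon Aug 12 17:16:32 2002] [error] [client 198.51.100.7] Client sent malformed Host header
[Tue Aug 13 11:30:19 2002] [error] [client 203.0.113.10] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 11:41:39 2002] [error] [client 192.0.2.44] Premature end of script headers: c:/apache/cgi-bin/etime.exe
"""

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<client>\S+)\] (?P<msg>.*)$')

# Probe signatures, most specific first. Labels are this example's own.
SIGNATURES = [
    ("default.ida overflow probe", re.compile(r"^/default\.ida\?", re.I)),
    ("encoded traversal to cmd.exe", re.compile(r"\.\.%(25|c0|c1|%35)", re.I)),
    ("root.exe/cmd.exe command probe", re.compile(r"/(root|cmd)\.exe\?/c\+", re.I)),
]


def is_ipv4(field):
    """True for a dotted quad with each octet in 0..255; hostnames fail this."""
    parts = field.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def classify(path):
    """Signature label for a request path, or None if nothing matches."""
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return label
    return None


def access_ts(ts):  # "13/Aug/2002:11:30:18 +1200"; the zone offset is dropped
    return datetime.strptime(ts.split(" ")[0], "%d/%b/%Y:%H:%M:%S")


def error_ts(ts):   # "Tue Aug 13 11:30:18 2002"
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")


def parse_errors(error_text):
    """Map (client, second) -> list of error messages logged for that pair."""
    errors = defaultdict(list)
    for line in error_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            errors[(m["client"], error_ts(m["ts"]))].append(m["msg"])
    return errors


def probe_events(access_text, error_text):
    """(timestamp, client, label, status, matching error messages) for each
    request that matches a signature, in log order."""
    errors = parse_errors(error_text)
    events = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        label = classify(m["path"])
        if label is None:
            continue
        when = access_ts(m["ts"])
        events.append((when, m["client"], label, int(m["status"]),
                       errors.get((m["client"], when), [])))
    return events


def probes_per_client(events):
    """Probe counts per client; non-IP clients are flagged because they can
    neither be joined to error.log nor looked up at a registry."""
    summary = {}
    for _, client, label, _, _ in events:
        entry = summary.setdefault(client, {"is_ip": is_ipv4(client), "probes": Counter()})
        entry["probes"][label] += 1
    return summary


def script_failures_near_probes(access_text, error_text, window_seconds):
    """For each 'Premature end of script headers' error, count probe requests
    from any client in the preceding window. Consistently non-zero counts are
    the evidence the thread is after; zero says the two are unrelated."""
    events = probe_events(access_text, error_text)
    window = timedelta(seconds=window_seconds)
    result = []
    for line in error_text.splitlines():
        m = ERROR_RE.match(line)
        if m and m["msg"].startswith("Premature end of script headers"):
            when = error_ts(m["ts"])
            n = sum(1 for t, *_ in events if when - window <= t <= when)
            result.append((m["client"], m["msg"].split(": ", 1)[1], n))
    return result


if __name__ == "__main__":
    for event in probe_events(ACCESS_LOG, ERROR_LOG):
        print(*event)
    print(probes_per_client(probe_events(ACCESS_LOG, ERROR_LOG)))
    print(script_failures_near_probes(ACCESS_LOG, ERROR_LOG, 15 * 60))
```

A 302 in the access log means the Redirect rules in httpd.conf fired; a 400 or 404, or a "File does not exist" in error.log for the same client and second, means the request was rejected outright. Neither is the same as the probe having reached anything. Run the last function with a few window sizes against the real logs: if the etime.exe failures are caused by the probes, the count stays above zero for short windows as well as long ones.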
 
Just for fun, I created three directories: C, scripts, and msadc (in the locations they were looking for) and password protected them. That way, the systems trying to hack into my server hang at the password dialog.

Does anyone else know of ways to fight back?

 
You can do a whois lookup for the IP address of the attacking machine at ARIN or APNIC.

That should give you the email addresses of the administrators of the network from which the attack originates. You can then email them and let them know about it.


If you have a firewall, you can block that IP address, too.

TANSTAAFL!
 
I do have iis disabled.

I notified the administrators of the above attacks... unfortunately many of them have IP addresses of

"dnskbi"

or

"server"

or

"some rubbish name"

etc etc

 
The IP address is right there in your error.log
 
Those are not IP addresses. IP addresses consist of 4 sets of numbers, each between 0 and 255 (e.g., 190.24.253.4).

Newposter
"Good judgment comes from experience. Experience comes from bad judgment."
 
Sounds like the host name lookup is on. Look for this in the httpd.conf file:

# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups on

Change the "on" to "off" and that should render IPs in your access.log instead of host names.

:)
 
Oh... pfouts... you are right... silly me.

Still don't know if knowing the IP address is going to help... WTF is ARIN or APNIC?
 
Have turned HostnameLookups off, but in the error log the IP addresses are all different anyway. I could be notifying people for the rest of my life. [cry]

Does anyone here actually have any idea as to whether these attacks could actually be causing my problem? (frozen processes)

[bomb]


 
LOL.... You are going to get lots and lots of listings in the logs. I do and I don't even have a domain name yet! If you got SP3 and you have IIS disabled, then they can't get in. I've tried to hack my own server and couldn't do it. I had 2 buds try to hack me (and these two would make Bill Gates look like a moron, I am serious) and they couldn't get in either. So just because you see that stuff doesn't mean that anything was actually accomplished. I was worried about it all last week... but they just haven't figured out how to get in... yet. If you look at the times and client names in the access.log, and compare them to the error.log, you will see "file does not exist" where they tried to "GET C:\WINNT\System32\cmd.exe"; even the "GET default.ida%NNNN..." is going to show up as "Client sent malformed header". I don't think that means anything because of the SP3 and all that... I haven't found any viruses, extra .bat files or bo2k.exe or anything. I think it's just teenage, zit covered nerds (like I was) sitting in their bedrooms late at night and guessing IP addresses and seeing what they can get into, ya know?

...got to... the coffee's done.... let me know if you have any other questions, but don't go solely on my advice, please! I am new to this. I'm just letting you know what's werking fer me...

ttyl
What is your URL? Dig mine @ (for now..it's a dynamic IP) I am not done with it yet, though.
 
Cadwalader:
This is a worm, not someone sitting in their bedroom having fun. The only ones involved are infected IIS servers.
And I don't see why you should upgrade IIS if you have it disabled and if you use Apache? That seems like a waste of space to me.
Tracey:
I've been "attacked" for a couple of months now, and I still haven't experienced any trouble with the worm's attacks. The only problem is that the logs fill up pretty quickly, but I solved it by creating a cron job to clean the logs every day. On Windows you would have to schedule a task, though. If you want, I could post the code for the log cleaning script (it's in Perl, so you would need Perl to use it). //Daniel
 
Daniel,
Perl? Perl? Oh! Yes! I have been fumblin' 'round for a week trying to get "Hello, World!" to print on a web page... I figured out today that I have to GET Perl and config Apache to find it and use it. Until today, I thought Perl was already there in Apache... duh! What about something that clears the logs, but saves them somewhere else at midnight?
About the Service Pack upgrades, one should get them as soon as they come out to prevent other types of attacks.
Any help would be greatly appreciated!
 
Why should you upgrade something that you don't use? That's what I don't get.
Here is the Perl script that I use (tweak it so that it would do what you want):
#!/path/to/perl
use strict;
use warnings;

my $logdir = "/path/to/logs";

opendir(my $logs, $logdir) or die "Cannot open $logdir: $!";
my @files = readdir($logs);
closedir($logs);

foreach my $file (@files)
{
    if ($file =~ m/\.[0-9]$/)                          # delete old logs (rotated copies ending in .0 to .9)
    {
        unlink "$logdir/$file" or warn "Could not delete $file: $!";
        print "Deleted $file.\n";
    }
    elsif ($file !~ /^\.\.?$/ && -f "$logdir/$file")    # skip . and .. and any subdirectories; truncate the file
    {
        open(my $fh, '>', "$logdir/$file") or die "Cannot truncate $file: $!";
        close($fh);
        print "Cleaned $file.\n";
    }
}
This is a very simple script. To run it, just type perl scriptname.pl at a command prompt (or double click it if .pl is associated with the Perl interpreter). //Daniel
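Daniel's script truncates the logs in place, and Cadwalader asked for a variant that clears them but keeps a copy somewhere else. The script below is an added example for this thread, not code from either poster: it compresses each current log into a dated archive, starts a fresh empty file, and prunes archives older than a retention window, parsing the date out of the archive name rather than trusting file modification times. The directory layout, file names and 30-day retention are this example's own assumptions, and the demo builds a throwaway directory with constructed log lines so it runs anywhere.

```python
"""Rotate Apache logs into a dated, compressed archive instead of truncating.

Added example for this thread, not code from any poster. File naming,
retention policy and the demo's constructed log lines are this example's own.
"""
import gzip
import os
import shutil
import tempfile
from datetime import datetime, timedelta

LOG_NAMES = ("access.log", "error.log")  # the two files the thread quotes


def rotate_logs(log_dir, archive_dir, keep_days, now=None):
    """Compress each current log to archive_dir/name.YYYYMMDD-HHMMSS.gz, start a
    fresh empty log, then drop archives older than keep_days.
    Returns (archived_paths, deleted_paths). The file is truncated only after
    the compressed copy has been written, so a failed copy loses nothing."""
    now = now or datetime.now()
    os.makedirs(archive_dir, exist_ok=True)
    stamp = now.strftime("%Y%m%d-%H%M%S")
    archived = []
    for name in LOG_NAMES:
        src = os.path.join(log_dir, name)
        if not os.path.exists(src):
            continue
        dst = os.path.join(archive_dir, f"{name}.{stamp}.gz")
        with open(src, "rb") as fin, gzip.open(dst, "wb") as fout:
            shutil.copyfileobj(fin, fout)
        open(src, "wb").close()  # truncate, same effect as the Perl script's open for write
        archived.append(dst)

    deleted = []
    cutoff = now - timedelta(days=keep_days)
    for entry in os.listdir(archive_dir):
        # name.YYYYMMDD-HHMMSS.gz: read the stamp from the name, ignore anything else
        parts = entry.split(".")
        if len(parts) < 3 or parts[-1] != "gz":
            continue
        try:
            when = datetime.strptime(parts[-2], "%Y%m%d-%H%M%S")
        except ValueError:
            continue
        if when < cutoff:
            path = os.path.join(archive_dir, entry)
            os.remove(path)
            deleted.append(path)
    return archived, deleted


def demo():
    """Build a constructed log directory, rotate it once, and report the result."""
    root = tempfile.mkdtemp(prefix="apache-logs-")
    log_dir = os.path.join(root, "logs")
    archive_dir = os.path.join(root, "archive")
    os.makedirs(log_dir)
    os.makedirs(archive_dir)
    now = datetime(2002, 8, 14, 0, 0, 0)  # the "midnight" run Cadwalader asked about
    # Constructed log lines in the thread's formats (documentation IP range).
    with open(os.path.join(log_dir, "access.log"), "w") as f:
        f.write('203.0.113.10 - - [13/Aug/2002:11:30:18 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 299\n')
    with open(os.path.join(log_dir, "error.log"), "w") as f:
        f.write("[Tue Aug 13 11:30:19 2002] [error] [client 203.0.113.10] File does not exist: c:/apache/htdocs/msadc/root.exe\n")
    # A constructed archive from June, outside the 30-day window, to exercise pruning.
    with gzip.open(os.path.join(archive_dir, "access.log.20020601-000000.gz"), "wb") as f:
        f.write(b"old\n")

    archived, deleted = rotate_logs(log_dir, archive_dir, keep_days=30, now=now)
    sizes = {n: os.path.getsize(os.path.join(log_dir, n)) for n in LOG_NAMES}
    with gzip.open(archived[0], "rt") as f:
        first_line = f.readline()
    shutil.rmtree(root)
    return {
        "archived": [os.path.basename(p) for p in archived],
        "deleted": [os.path.basename(p) for p in deleted],
        "current_sizes": sizes,
        "archived_first_line": first_line,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Schedule it from cron, or from Task Scheduler on Windows as Daniel suggests, and point `log_dir` at the real Apache log directory. Like the Perl script, it truncates files the server still has open; Apache 1.3 also ships a `rotatelogs` support program that can be given the log path in httpd.conf instead, which avoids touching the live files at all.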
 
Thanks! I'll sure as heck give it a shot.... I got some code to hammer out first before I forget where I left off. Oh yeah, I suppose I'd have to get perl.exe for win32 systems first, that might help!

Thanks!
 