Hi there
I have a CGI application (.exe) running on Apache 1.3 / Win NT4.
The app has been running happily for a couple of years now; however, lately there have been a number of times when many instances of my app have been left hanging, effectively bringing my server to a halt.
I looked through my error and access logs and found entries that looked suspect. I have since been told that it is that friend of M$, Nimda, trying to attack my machine. I was given some entries to put into httpd.conf, which I did yesterday. These were:
Code:
redirect /scripts http://stoptheviruscold.invalid
redirect /c http://stoptheviruscold.invalid
redirect /d http://stoptheviruscold.invalid
redirect /_mem_bin http://stoptheviruscold.invalid
redirect /msadc http://stoptheviruscold.invalid
RedirectMatch (.*)\cmd.exe$ http://stoptheviruscold.invalid
However, the multiple frozen instances occurred again this morning, and on viewing the logs I find many similar entries:

error.log
[Mon Aug 12 17:16:32 2002] [error] [client 65.40.203.33] Client sent malformed Host header
[Mon Aug 12 17:43:36 2002] [error] [client 172.181.115.2] Client sent malformed Host header
[Mon Aug 12 20:00:19 2002] [error] [client 210.187.26.229] File does not exist: c:/apache/htdocs/msadc/root.exe
[Mon Aug 12 20:07:53 2002] [error] [client 210.187.26.229] File does not exist: c:/apache/htdocs/msadc/root.exe
[Mon Aug 12 20:11:49 2002] [error] [client 211.75.225.46] Client sent malformed Host header
[Mon Aug 12 21:34:46 2002] [error] [client 210.12.211.102] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 01:05:41 2002] [error] [client 210.3.177.179] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 07:07:29 2002] [error] [client 210.54.214.197] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 10:10:07 2002] [error] [client 80.24.228.251] Client sent malformed Host header
[Tue Aug 13 11:30:18 2002] [error] [client 210.54.214.197] File does not exist: c:/apache/htdocs/msadc/root.exe
[Tue Aug 13 11:41:39 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe
[Tue Aug 13 11:41:46 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe
[Tue Aug 13 11:41:51 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe
etime.exe is my app. I am assuming the "premature" errors are somehow caused by the attacks. Am I right? (Point to note: this error only seems to occur after the "attacks"; once the processes have been killed off, all returns to normal and etime runs as expected.)
Corresponding access entries include:
Code:
user33.net518.tx.sprint-hsd.net - - [12/Aug/2002:17:16:32 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324
dnskbi - - [12/Aug/2002:20:00:19 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 299
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:18 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 299
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 313
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 313
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 290
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 343
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 374
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:21 +1200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323
mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:21 +1200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 323

Can anyone out there give me some advice on preventing this?
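As an added example (not code from the post or from Apache), a small Python audit that parses access and error log lines in the shape shown above, tags the Nimda and Code Red probe families, lists probes that no Redirect rule caught, and counts "Premature end of script headers" failures of etime.exe that fall within a window after a probe burst. The sample lines are copied or constructed from the post's logs, and the 15-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Sample lines in the shape of the post's logs (default.ida query shortened, last line constructed).
ACCESS_LOG = [
    'user33.net518.tx.sprint-hsd.net - - [12/Aug/2002:17:16:32 +1200] "GET /default.ida?NNNN%u9090 HTTP/1.0" 400 324',
    'mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:18 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 299',
    'mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:19 +1200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280',
    'mokey.intelligroup.co.nz - - [13/Aug/2002:11:30:20 +1200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 324',
    'client.example - - [13/Aug/2002:12:30:00 +1200] "GET /cgi-bin/etime.exe HTTP/1.0" 200 512',
]
ERROR_LOG = [
    "[Tue Aug 13 11:41:39 2002] [error] [client 210.54.202.91] Premature end of script headers: c:/apache/cgi-bin/etime.exe",
]

# Probe families from the post, matched case-insensitively: Apache's Redirect is
# case-sensitive, which is why /MSADC/root.exe got past "redirect /msadc".
PROBE_PATTERNS = [
    ("code-red default.ida", re.compile(r"^/default\.ida\?", re.I)),
    ("nimda root.exe", re.compile(r"/root\.exe", re.I)),
    ("nimda cmd.exe traversal", re.compile(r"cmd\.exe|\.\.(%25|%c0|%c1|%%)", re.I)),
]
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
ERROR_RE = re.compile(r'^\[([^\]]+)\] \[error\] \[client \S+\] (.*)$')

def classify(path):
    return next((name for name, pat in PROBE_PATTERNS if pat.search(path)), None)

def audit(access_lines, error_lines, window=timedelta(minutes=15)):
    probes, missed = [], []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or classify(m.group(3)) is None:
            continue
        # Drop the +1200 offset so times compare with error.log's local timestamps.
        probes.append(datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S"))
        # 302 = a Redirect rule fired, 400 = Apache rejected the request itself;
        # anything else reached the filesystem, i.e. a rule gap worth closing.
        if int(m.group(4)) not in (302, 400):
            missed.append((m.group(3), int(m.group(4))))
    cgi_fail_after_probe = 0
    for line in error_lines:
        m = ERROR_RE.match(line)
        if not m or "Premature end of script headers" not in m.group(2):
            continue
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        # A CGI failure shortly after a probe burst supports (not proves) the link.
        if any(when - window <= t <= when for t in probes):
            cgi_fail_after_probe += 1
    return {"probes": len(probes), "missed": missed, "cgi_fail_after_probe": cgi_fail_after_probe}
```

In the post's own data the uppercase /MSADC/root.exe request returned 404 rather than 302 because Redirect matches case-sensitively, so that is the path the audit reports as missed.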