Re: nimbda and other apache attacks

From: Peter H. Lemieux (phl@cyways.com)
Date: 10/25/01


Message-ID: <3BD84D48.C8B2D558@cyways.com>
Date: Thu, 25 Oct 2001 13:35:04 -0400
From: "Peter H. Lemieux" <phl@cyways.com>
To: Brian Clifton <brian@omegadm.co.uk>
Subject: Re: nimbda and other apache attacks


> The thing I haven't figured, is why Nimbda attacks "cmd.exe" are being
> logged in both httpd_log and error_log files? I would have thought
> apache would put all this into error_log??

The infected machine does a "GET ...cmd.exe..." which, like any request,
gets logged to TransferLog. Then the "file not found" error that's
generated is logged to ErrorLog. This is Apache's normal behavior when
it receives a request for a file it can't return.

> However, the issue is that I have a number of http_log and error_log
> files and all require this setup (plus combinations of other attacks)
> and are also all being rotated with logrotate - starts to get messy!

To filter your logs, you'll want to use SetEnvIf to identify attacks,
then use a CustomLog statement to redirect the log entries somewhere
else. Something like [not guaranteed :)]

SetEnvIf Request_URI "cmd\.exe" ATTACK
SetEnvIf Request_URI "root\.exe" ATTACK
CustomLog /path/to/attack.log common env=ATTACK
CustomLog /path/to/transfer.log common env=!ATTACK

This should redirect any GETs that include requests for either cmd.exe
or root.exe to attack.log while sending all normal requests to
transfer.log (both in the "common" log format). You might want to
construct similar redirections for ErrorLog. You'll obviously need one
of these specifications for any IP-based virtual host with a unique log
that you want to filter. ("Name" virtual hosts generally won't see any
attacks since the worm uses IP addresses, not virtual hostnames.) This
will keep the attacks out of your normal logs.

If you're counting infection attempts, you'll still have the problem of
handling multiple requests from the same infected host. Each host makes
at least two requests per attempt and often makes multiple attempts over
a period of days. Some strains of the virus seem very insistent. I have
some entries where the same host tried dozens of times over three or
four days.

I find the page http://httpd.apache.org/docs/mod/directives.html a
useful item to keep in my bookmarks. Tough reading, though!

Peter
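The SetEnvIf/CustomLog split described above, together with the per-host counting problem Peter raises, as an added Python example that is not part of the original thread: it applies the same two URI patterns to Apache "common" format lines, separates attack requests from normal ones, and then collapses repeated requests from one infected host into a single count with the number of distinct days it was seen. The log lines are constructed for illustration and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of Apache "common" log lines (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Oct/2001:13:01:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [25/Oct/2001:13:01:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
192.0.2.10 - - [26/Oct/2001:02:14:51 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
198.51.100.7 - - [25/Oct/2001:13:05:44 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [25/Oct/2001:13:05:45 -0400] "GET /images/logo.gif HTTP/1.1" 200 4210
203.0.113.42 - - [25/Oct/2001:14:20:00 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
"""

# "common" log format: host ident user [time] "request" status bytes
COMMON_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Same patterns as the two SetEnvIf lines, applied to the request line.
ATTACK_RE = re.compile(r'cmd\.exe|root\.exe')


def split_log(text):
    """Return (attack_lines, normal_lines), mirroring env=ATTACK / env=!ATTACK."""
    attack, normal = [], []
    for line in text.splitlines():
        m = COMMON_RE.match(line)
        if not m:
            continue  # ignore anything that is not a well-formed common-format line
        (attack if ATTACK_RE.search(m.group('request')) else normal).append(line)
    return attack, normal


def count_attackers(attack_lines):
    """Map host -> (request count, distinct days seen), collapsing repeat attempts."""
    requests, days = Counter(), {}
    for line in attack_lines:
        m = COMMON_RE.match(line)
        host = m.group('host')
        requests[host] += 1
        # "25/Oct/2001:13:01:02 -0400" -> "25/Oct/2001"
        days.setdefault(host, set()).add(m.group('time').split(':', 1)[0])
    return {h: (requests[h], len(days[h])) for h in requests}


if __name__ == "__main__":
    atk, ok = split_log(SAMPLE_LOG)
    print(f"{len(atk)} attack requests, {len(ok)} normal requests")
    for host, (n, d) in sorted(count_attackers(atk).items()):
        print(f"{host}: {n} requests over {d} day(s)")
```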


