Re: Apache logs

From: Brad (public120901@linmiri.ath.cx)
Date: 12/13/01


From: public120901@linmiri.ath.cx (Brad)
Date: Thu, 13 Dec 2001 09:57:23 GMT

On Sat, 08 Dec 2001 11:56:11 +0100, Tim Dijkstra wrote:
: I've got a box at home running apache, since a few weeks now. I noticed
: some strange things in the apache logs:
:
: 207.33.111.32 - - [02/Dec/2001:11:04:45 +0100]
: "HEAD%00/%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20nyomlwiklafqwzlxzna/../../i
: ndex.html%3fcsqwfwfvxopabeg=/../cvpjwbsmxakqxlgjhgxiounradpisocmzbmlvqr
: awwuaqgqxzhqjbmxi
: <knip, goes on a while>
: auaeshxlnhxicvcykuwplrabgzrnoht/.././%50%44%47_%43%41%52%54/./ HTTP/1.0"
: 501 1807

Looks like the HTTP request was url-encoded[1] to try and slip past any
IDS[2] that might get in its way, or to obfuscate the sender's intentions,
or maybe just for the hell of it. Whatever the reason, the above decodes
to:

HEAD&/ HTTP/1.0\r\n
\r\n
Accept: nyomlwiklafqwzlxzna/../../index.html?csqwfwfvxopabeg=/../cvpjwbsmx
[my linebreak]
akqxlgjhgxiounradpisocmzbmlvqrawwuaqgqxzhqjbmxi
[your snip]
auaeshxlnhxicvcykuwplrabgzrnoht.././PDG_CART/./ HTTP/1.0

: I suppose someone is trying to do something nasty here...But I think
: he/she didn't succeed.

Well, PDG_CART is something one might normally see in one's logs if one was
running PDG Shopping Cart software[3]. This, however, looks like a
specially crafted HTTP request to somehow exploit a server believed to be
running this software, presumably by gaining unauthorized access to some
directory named "PDG_CART". A quick Google search[4] indicates that indeed
this particular package doesn't have a stellar security record,
particularly when it comes to keeping certain directories safe, and is
targeted by a number of webserver vulnerability scanners.

: Now the question is; what should I do?

When in panic, when in doubt, run in circles, scream and shout!

: Report it somewhere?

The source IP belongs to Verio[5], and traces to their Mountain View, CA
facility. You could report it to them.

Or, you could bring that IP up in a browser and be taken to the homepage of
Sygate Technologies[6], who combine the best of Seagate and Sybase (?!) by
offering a variety of port-scanning services through their website. I
don't, however, see any mention of scanning for vulnerabilities in specific
CGI programs. You may want to read through their site more thoroughly than
I did, or ask them what this is all about, especially if you don't recall
having ever requested such a scan from them.

[1] <URL:http://i-technica.com/whitestuff/urlencodechart.html>
[2] <URL:http://www.sans.org/infosecFAQ/intrusion/anti-ids.htm>
[3] <URL:http://www.pdgsoft.com/cart.htm>
[4] <URL:http://www.google.com/search?q=PDG_CART+vulnerable>
[5] <URL:http://www.arin.net/cgi-bin/whois.pl?queryinput=207.33.111.32>
[6] <URL:http://scan.sygatetech.com/>

Regards, Brad.

-- 
<>  "If you think the bottom's fallen out of your world, drink some
<>   Newcastle Brown Ale and have the world fall out of your bottom."
<>   --(seen on a bathroom wall)
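As an added example (mine, not code from the thread), a small Python checker that does what Brad did by hand: it percent-decodes the request field of an Apache access-log line and flags the things discussed above (the %00 null byte, the encoded CRLF pair, "../" traversal, needless encoding of plain letters such as %50%44%47, and the PDG_CART path). The sample line is a constructed, shortened copy of Tim's log entry.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')


def needless_encoding(raw: bytes) -> bool:
    """True if some %XX escape decodes to a plain ASCII letter or digit
    (e.g. %50%44%47 for PDG), which a normal client never emits."""
    for hexpair in re.findall(rb"%([0-9A-Fa-f]{2})", raw):
        code = int(hexpair, 16)
        if code < 128 and chr(code).isalnum():
            return True
    return False


# Name -> check(raw_request, decoded_request); all are defender-side heuristics.
INDICATORS = {
    "null_byte": lambda raw, dec: b"\x00" in dec,          # %00
    "crlf_in_request": lambda raw, dec: b"\r\n" in dec,    # %0D%0A
    "dir_traversal": lambda raw, dec: b"../" in dec,
    "pdg_cart_probe": lambda raw, dec: b"PDG_CART" in dec.upper(),
    "needless_encoding": lambda raw, dec: needless_encoding(raw),
}


def analyse(line: str) -> dict:
    """Parse one access-log line, decode its request and collect indicators."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a common-log-format line")
    host, _ts, request, status, _size = m.groups()
    raw = request.encode("latin-1")          # log files are byte-oriented
    decoded = unquote_to_bytes(raw)          # one decoding pass, as in the post
    hits = [name for name, check in INDICATORS.items() if check(raw, decoded)]
    return {"host": host, "status": int(status),
            "decoded": decoded.decode("latin-1"), "indicators": hits}


# Constructed sample: Tim's log entry from the thread with the long random
# filler shortened; the encoded pieces are exactly the ones discussed above.
SAMPLE = ('207.33.111.32 - - [02/Dec/2001:11:04:45 +0100] '
          '"HEAD%00/%20HTTP/1.0%0D%0A%0D%0AAccept%3A%20nyomlwiklafqwzlxzna'
          '/../../index.html%3fcsqwfwfvxopabeg=/../auaeshxlnhxicvcykuwplrabgzrnoht'
          '/.././%50%44%47_%43%41%52%54/./ HTTP/1.0" 501 1807')

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(repr(result["decoded"]))
    print("indicators:", ", ".join(result["indicators"]) or "none")
```

Run it over a whole access log with a loop around `analyse()` and the indicator list tells you which lines deserve a second look; a benign request produces an empty list.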