Re: Apache access log

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 06/11/02


From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Tue, 11 Jun 2002 07:40:53 +0000 (UTC)


< Nancy Norman

>I'm running apache-1.3.23-11 webserver with redhat 7.3 and I'm
>noticing the following errors in the access log. What is the person
>trying to do?

My snipped logs look like Nimda and Code Red (/default.ida?NNN...), not
the person but the worm. The Nimda packets originated from 66.21.237.146 and
the first octet is the same as your NNTP posting host. ~9 packets per 2 seconds.

>80.136.26.221 - - [09/Jun/2002:09:08:05 -0400] "GET
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404
>321 "-" "-"
>80.136.26.221 - - [09/Jun/2002:09:08:09 -0400] "GET
>/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404
>324 "-" "-"

The above two logs are not original Nimda because of "HTTP/1.1" and "dir+c:\".
~2 packets per 5 seconds. Perhaps someone used another scanning tool
or a new variant.

About "promiscuous mode covert channel backdoor", have a look at the "Apache -
Is this a virus attempt?" thread, "Thu, 30 May 2002 09:18:24 +0000 (UTC)",
<6I8XMJFV5G1W1115H1DFWHEWnHiATlE@blackhole.mit.edu> in this NG.

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
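As an added example, not part of the thread, here is a small Python checker that applies the markers RainbowHat uses above (Code Red's /default.ida?NNN... probe, Nimda's cmd.exe traversal, and "HTTP/1.1" or "dir+c:\" as signs of a scanner or variant rather than the original worm) to Apache access-log lines and reports per-host hit rates. The sample includes the two lines quoted from Nancy's log plus two constructed lines from 192.0.2.x hosts; the "original Nimda used HTTP/1.0 and a bare dir" rule is taken from the post's reasoning, not from worm source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log prefix; fields after the size are ignored here.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')

def classify(request):
    """Label one request line using the markers discussed in the thread."""
    parts = request.split(' ')
    path = parts[1] if len(parts) > 1 else ''
    version = parts[2] if len(parts) > 2 else ''
    low = path.lower()
    if low.startswith('/default.ida?') and 'nnn' in low:
        return 'code-red'            # /default.ida?NNN... probe
    if 'cmd.exe' in low:
        # Per the post: original Nimda spoke HTTP/1.0 and asked for a bare "dir";
        # HTTP/1.1 or "dir+c:\" points at another scanning tool or a new variant.
        if version == 'HTTP/1.1' or 'dir+c:' in low:
            return 'nimda-variant-or-scanner'
        return 'nimda'
    return 'other'

def summarize(lines):
    """Per source host: label counts, hit count and time span in seconds."""
    hosts = defaultdict(lambda: {'labels': defaultdict(int), 'times': []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # skip lines that are not access-log entries
        entry = hosts[m['host']]
        entry['labels'][classify(m['request'])] += 1
        entry['times'].append(datetime.strptime(m['time'], '%d/%b/%Y:%H:%M:%S %z'))
    summary = {}
    for host, e in hosts.items():
        span = (max(e['times']) - min(e['times'])).total_seconds()
        summary[host] = {'labels': dict(e['labels']), 'hits': len(e['times']),
                         'span_seconds': span}
    return summary

# Constructed sample: the two lines quoted in the thread plus two constructed worm-style lines.
SAMPLE = [
    r'80.136.26.221 - - [09/Jun/2002:09:08:05 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 321 "-" "-"',
    r'80.136.26.221 - - [09/Jun/2002:09:08:09 -0400] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 324 "-" "-"',
    r'192.0.2.10 - - [09/Jun/2002:09:10:00 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"',
    r'192.0.2.11 - - [09/Jun/2002:09:11:00 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 300 "-" "-"',
]

if __name__ == '__main__':
    for host, info in summarize(SAMPLE).items():
        print(host, info)
```

Feed it real log lines (for example via `sys.stdin`) and compare `hits` against `span_seconds` to get the per-host rate RainbowHat eyeballs above.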