Re: Apache access log
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid) Date: 06/11/02
- Next message: Tim Haynes: "Re: ipchains too old?"
- Previous message: RainbowHat: "Re: logfiles"
- In reply to: Nancy Norman: "Apache access log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Tue, 11 Jun 2002 07:40:53 +0000 (UTC)
< Nancy Norman
>I'm running apache-1.3.23-11 webserver with redhat 7.3 and I'm
>noticing the following errors in the access log. What is the person
>trying to do?
My snipped logs look like Nimda and Code Red (/default.ida?NNN...), not
the person but the worm. The Nimda packets originated from 66.21.237.146, and
the first octet is the same as your NNTP posting host. ~9 packets per 2 seconds.
>80.136.26.221 - - [09/Jun/2002:09:08:05 -0400] "GET
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404
>321 "-" "-"
>80.136.26.221 - - [09/Jun/2002:09:08:09 -0400] "GET
>/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404
>324 "-" "-"
The above two log lines are not original Nimda because of "HTTP/1.1" and "dir+c:\".
~2 packets per 5 seconds. Perhaps someone used another scanning tool
or a new variant.
About "promiscuous mode covert channel backdoor", have a look at the "Apache -
Is this a virus attempt?" thread, "Thu, 30 May 2002 09:18:24 +0000 (UTC)",
<6I8XMJFV5G1W1115H1DFWHEWnHiATlE@blackhole.mit.edu> in this NG.
--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
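The classification RainbowHat does by eye above (Code Red's /default.ida?NNN... request, Nimda's traversal to cmd.exe, the %c0%af and %252e encodings that only become "../" after decoding, and the HTTP/1.1 + "dir+c:\" tell that marks a scanner or variant rather than the original worm) can be scripted against an Apache access log. The following is an added example, not code from the thread or from Apache. It assumes common/combined log format, folds the IIS overlong UTF-8 separators (%c0%af for "/", %c1%9c for "\") by hand because a strict decoder rejects them, percent-decodes twice so double-encoded dots collapse, and measures the per-source burst rate the post uses to tell worm from scanner. The tag names, the "original Nimda sends HTTP/1.0 and exactly /c+dir" heuristic (taken from the post), and the extra sample lines for 66.21.237.146 are constructed for illustration; the two 80.136.26.221 lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Regex for Apache common/combined log lines (hypothetical helper, not Apache's own).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Overlong UTF-8 encodings of '/' and '\' that unpatched IIS decoded as separators.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}
# Code Red filler: a long run of N (or X in some variants) in the query string.
IDA_FILLER = re.compile(r"[nx]{50,}")


def parse_line(line):
    """Return a dict of fields, or None if the line is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "09/Jun/2002:09:08:05 -0400" -> naive datetime (offset dropped; only spans matter)
    rec["time"] = datetime.strptime(rec["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    return rec


def normalize_path(path):
    """Decode the path the way a lax server would: fold overlong separators,
    percent-decode twice (so %252e -> %2e -> '.'), and treat '\\' as '/'."""
    p = path.lower()
    for enc, sep in OVERLONG.items():
        p = p.replace(enc, sep)
    p = unquote(unquote(p))
    return p.replace("\\", "/")


def classify(target, proto):
    """Tag one request target; returns a sorted list of tags ([] if benign)."""
    raw_path, _, query = target.partition("?")
    path = normalize_path(raw_path)
    query = unquote(unquote(query.lower()))
    tags = set()
    # Code Red: GET /default.ida?NNNN... (buffer filler in the query)
    if path.endswith("/default.ida") and IDA_FILLER.match(query):
        tags.add("code-red")
    # Nimda family: reach cmd.exe via traversal, or a dropped root.exe copy
    if "/winnt/system32/cmd.exe" in path or path.endswith("/root.exe"):
        tags.add("nimda-cmd")
        # Heuristic from the post: the worm itself sent HTTP/1.0 with exactly
        # "/c+dir"; HTTP/1.1 or an added "c:\" argument suggests a scanner/variant.
        if proto != "HTTP/1.0" or query != "/c+dir":
            tags.add("nimda-variant-or-scanner")
    # "../" that appears only after decoding was obfuscated on the wire
    if "/../" in path and "/../" not in raw_path.lower():
        tags.add("encoded-traversal")
    return sorted(tags)


def analyze(lines):
    """Return (hits, rate): tagged requests and per-source (count, span_seconds)."""
    hits, by_host = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["target"], rec["proto"])
        if tags:
            hits.append((rec["host"], rec["target"], tags))
            by_host[rec["host"]].append(rec["time"])
    rate = {h: (len(t), (max(t) - min(t)).total_seconds()) for h, t in by_host.items()}
    return hits, rate


# Sample input: the two lines quoted in the thread, plus constructed lines
# (not real log data) for the source the post attributes the Nimda traffic to.
SAMPLE_LOG = [
    r'80.136.26.221 - - [09/Jun/2002:09:08:05 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 321 "-" "-"',
    r'80.136.26.221 - - [09/Jun/2002:09:08:09 -0400] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 324 "-" "-"',
    '66.21.237.146 - - [09/Jun/2002:09:10:00 -0400] "GET /default.ida?' + "N" * 224 + '%u9090 HTTP/1.0" 404 280 "-" "-"',
    '66.21.237.146 - - [09/Jun/2002:09:10:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    '66.21.237.146 - - [09/Jun/2002:09:10:01 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    '66.21.237.146 - - [09/Jun/2002:09:10:01 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    hits, rate = analyze(SAMPLE_LOG)
    for host, target, tags in hits:
        print(host, tags, target[:60])
    for host, (n, span) in rate.items():
        print(f"{host}: {n} suspicious requests in {span:.0f}s")
```

Run against the sample, the two quoted lines come out as nimda-cmd plus encoded-traversal plus nimda-variant-or-scanner (two hits in 4 s), while the constructed 66.21.237.146 lines are tagged code-red and plain nimda-cmd at three hits in 1 s, which is the worm-versus-scanner split the post draws from the packet rate. To run it on a real file, replace SAMPLE_LOG with the lines of the access log; anything that is not in common log format is skipped rather than mis-tagged.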