Re: Apache log entries - hack attempt ?
From: D. Stussy (kd6lvw@bde-arc.ampr.org)
Date: 04/03/03
From: "D. Stussy" <kd6lvw@bde-arc.ampr.org> Date: Thu, 03 Apr 2003 21:32:22 GMT
On Thu, 3 Apr 2003, Spam Me! wrote:
> I'm getting lots of suspicious entries in my Apache log, like the following:
>
> 24.114.218.21 - - [02/Apr/2003:21:46:36 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 340 "-" "-"
> 24.114.38.37 - - [02/Apr/2003:21:54:32 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 345 "-" "-"
> ...
>
> The first one looks like trying to force a buffer overflow, the others seem to refer to
> Windows stuff which I guess won't do too much on my Linux box.
> Are these the signs of some known virus?
Yes. Where have you been? These viruses have been out for 18+ months now.
> Should I send these to any particular forum, abuse email address or such for
> investigation?
Not worth the time. However, some people have developed countermeasures that
will kill the infected server - which may be as malicious as the virus itself.
:-)
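
An added example, not part of the original posts: a small Python scanner that flags the two request shapes quoted above in an Apache combined-format log and reports which sources received a non-error status. The rule names, the sample lines and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Rule names are hypothetical; patterns mirror the two requests quoted in the thread:
# a long run of one padding character followed by %uXXXX escapes, and root.exe?/c+...
RULES = [
    ("ida-overflow-probe", re.compile(r'^/default\.ida\?(.)\1{63,}.*%u[0-9a-f]{4}', re.I)),
    ("root-exe-probe", re.compile(r'^/scripts/root\.exe\?/c\+', re.I)),
]

# Constructed sample lines (documentation addresses, shortened padding).
SAMPLE = [
    '192.0.2.10 - - [02/Apr/2003:21:46:36 -0500] "GET /default.ida?' + "X" * 200
    + '%u9090%u9090=a HTTP/1.0" 404 340 "-" "-"',
    '192.0.2.11 - - [02/Apr/2003:21:54:32 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 345 "-" "-"',
    '192.0.2.12 - - [02/Apr/2003:21:55:01 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    # Constructed case: a server that answered the probe instead of returning 404.
    '192.0.2.13 - - [02/Apr/2003:21:56:10 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512 "-" "-"',
]

def classify(target):
    """Return the name of the first rule matching the request target, or None."""
    for name, pattern in RULES:
        if pattern.search(target):
            return name
    return None

def scan(lines):
    """Return {rule: {host: [status, ...]}} for every log line that matches a rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LOG_RE.match(line)
        rule = classify(m.group("target")) if m else None
        if rule:
            hits[rule][m.group("host")].append(int(m.group("status")))
    return hits

def served(hits):
    """Hosts whose probe got a status below 400; on a box without IIS, expect none."""
    return sorted({h for by_host in hits.values()
                   for h, codes in by_host.items() if any(c < 400 for c in codes)})

if __name__ == "__main__":
    print(dict(scan(SAMPLE)), served(scan(SAMPLE)))
```

A 404 on these requests, as in the quoted log, means the path does not exist on the server; only sources listed by `served` warrant a closer look.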