Re: Apache error_log

From: jayjwa (jayjwa_at_hotspam.microsoftsux.suk)
Date: 10/15/03


Date: Wed, 15 Oct 2003 01:05:23 +0000

Jason wrote:
> I was looking around the /var/log directory today and found this
> posted in /apache/error_log. Is some one trying to hack in? These
> errors are reported repeatedly over several days.
>
> [Thu Oct 9 00:40:35 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/scripts/root.exe
> [Thu Oct 9 00:40:35 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/MSADC/root.exe
> [Thu Oct 9 00:40:36 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/c/winnt/system32/cmd.exe
> [Thu Oct 9 00:40:36 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/d/winnt/system32/cmd.exe
> [Thu Oct 9 00:40:36 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
> [Thu Oct 9 00:40:36 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Thu Oct 9 00:40:36 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Thu Oct 9 00:40:36 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
> [Thu Oct 9 00:40:36 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/scripts/..Á../winnt/system32/cmd.exe
> [Thu Oct 9 00:40:37 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/scripts/..À¯../winnt/system32/cmd.exe
> [Thu Oct 9 00:40:37 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/scripts/..Áœ../winnt/system32/cmd.exe
> [Thu Oct 9 00:40:37 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
> [Thu Oct 9 00:40:38 2003] [error] [client 68.80.208.100] File does
> not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
>
> Thanks in advance
> Jason

I answered this same thing in the other security group, we came up with
2 things, 1. It's that worm (I forget its name, the one that affects
IIS MS webservers), and many people are turning on their infected
machines at the same time each day, thus all the activity at once, and
2. Wide-spread distribution of the code for the exploit that does this
(I posted the code in the other thread).

I tend to think it's #2, but a couple of things trouble me; it's from
many domains and IP's, it's non-intelligent (meaning that it's not a
Script-Kiddie, or if it is, he's REALLY dumb) because simply moving
your server up to port 443 (adding SSL) will dodge all of it. It may be
a group of people, using one set of exploits, that is just randomly
scanning the 'Net for ALL answering webservers, and when they find one,
it sends the code you see. Most likely the results of this are logged by
the script that these people (or even person?) are using for later use
by the person that started the script for some further exploitation. I
remember something called "Grimes Ping" which did the same type of thing,
but for FTP servers... It would run by itself all night, scanning for
FTP servers, then testing their vulnerability, in this case to both R/W
(for warez), and once found, would make a log of it for the person. Then
the person goes to the spot already mapped out and knows for a fact he
can exploit it. Sounds a bit like this, huh?

I had my logs plastered with it about a week ago, and tried to track it,
but it was coming from seemingly harmless places - just from anywhere. I
had previously thought "proxy servers" but now I don't know. It can't do
jack against Apache, it's just annoying. So move up to 443 and block 80
with your firewall until we think of something, if it bothers you like
it did me.

The exploit code will dump files (the example I saw at least) from a
directory (like dir) using the now-famous dot-dot directory traversal
../../../, to feed cmd.exe a command. Of course, there's lots of
versions of this too, this example is just one I saw. There's even one
for nsiislog.dll in /scripts/ too.

Just for fun, I made a scripts directory on my server, and put in it a
nasty error message for anyone that tries to access the directory, since
I don't link to it, it must be req. directly, by someone that is trying
to monkey around.

Check CERT, these are just my guesses based on my experience running a
server on the Internet, they may have more, or something totally different.

-- 
-=-=-=-=-=-=-=-=-=-=-=The New Atr2.Ath.Cx=-=-=-=-=-=-=-=-=-=-=
- jayjwa     PGPKey OnSite / CA OnSite / Now w/SSL ONLY
4 Contact: jayjwa@HotSpam.com   4 All:GET/cgi-bin/ping-jay.cgi
4 Spammers: listme@listme.dsbl.org         4 Clowns: /dev/null
4 Script Kiddies: Anything in /scripts/
--
Was I helpful?:  https://atr2.ath.cx/papers/affero.php
--
=-=-=-=-=-=-=-=Linux Tough.Powered By Slackware=-=-=-=-=-=-=-=
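A small log triage script for entries like the ones Jason quoted, added here as an example and not code from either poster: it parses Apache 1.3-style "File does not exist" lines, percent-decodes the requested path, and tags requests for Windows executables, winnt/system32 paths and `..` traversal, including the overlong-UTF-8 forms (%c0%af, %c1%1c, %c1%9c) that show up as odd bytes in the log. The sample lines and the client addresses in it are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the lines quoted in the thread; the client
# addresses are documentation-range examples, not the real scanner.
SAMPLE_LOG = """\
[Thu Oct  9 00:40:35 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Thu Oct  9 00:40:36 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Thu Oct  9 00:40:36 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Thu Oct  9 00:40:37 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/..%c0%af../winnt/system32/cmd.exe
[Thu Oct  9 00:41:02 2003] [error] [client 192.0.2.77] File does not exist: /var/www/html/favicon.ico
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Windows binaries the IIS-era worms/scanners ask for; they never exist on Apache.
WIN_TARGETS = ("cmd.exe", "root.exe", "nsiislog.dll")


def classify(path):
    """Return the set of indicator tags for one requested path (empty = benign)."""
    tags = set()
    # Percent-decode; invalid/overlong UTF-8 such as %c0%af becomes U+FFFD,
    # which is fine because the traversal check only needs the '..' and '/'.
    decoded = unquote(path)
    low = decoded.lower().replace("\\", "/")
    if low.endswith(WIN_TARGETS):
        tags.add("windows-target")
    if "winnt/system32" in low:
        tags.add("windows-path")
    if re.search(r"\.\.[\\/]", decoded):
        tags.add("traversal")
    if re.search(r"%c[01]%[0-9a-f]{2}", path, re.I):  # overlong UTF-8 separator
        tags.add("unicode-traversal")
    return tags


def scan(log_text):
    """Return (ip, path, tags) for every missing-file line that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (tags := classify(m["path"])):
            hits.append((m["ip"], m["path"], tags))
    return hits


def summarize(log_text):
    """Per-client summary: number of probe lines and the union of their tags."""
    report = {}
    for ip, _path, tags in scan(log_text):
        entry = report.setdefault(ip, {"probes": 0, "tags": set()})
        entry["probes"] += 1
        entry["tags"] |= tags
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} probe(s); {', '.join(sorted(info['tags']))}")
```

Feed it your real error_log (`python3 triage.py < error_log` after swapping SAMPLE_LOG for stdin) to get a per-source count you can hand to a firewall rule or an abuse report.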
