Re: Interesting Apache logs

From: Elaine Ransome (elaine@nospamplease.com)
Date: 03/24/02


From: Elaine Ransome <elaine@nospamplease.com>
Date: Sun, 24 Mar 2002 20:10:54 +0000

I get hundreds of these... well 3-4 a day, or if my little corner of the internet is being picked on, 3-4 every ten minutes...

It's IIS exploits; unless you have unpatched IIS running (being Apache logs, I doubt it), don't worry about it.

Elaine R.

Brian A Crawford wrote:

> I have included a small series of Apache logs that are quite
> interesting.
> Can someone point me to a site where I can learn the full details of
> what the attacker was trying to achieve.
> I run Apache on Linux. It seems they were scanning for a Windows
> vulnerability -- to infect with a worm?
>
> Thanks in advance
>
> Brian C.
>
> ------------------------------------------------------------------------------------------------------------------------------------
>
> [Sun Jan 27 18:58:37 2002] [error] [client xxx.222.73.218] File does
> not exist: /var/www/htdocs/scripts/root.exe
> [Sun Jan 27 18:58:47 2002] [error] [client xxx.222.73.218] File does
> not exist: /var/www/htdocs/MSADC/root.exe
> [Sun Jan 27 18:59:02 2002] [error] [client xxx.222.73.218] File does
> not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
> [Sun Jan 27 19:00:42 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/scripts/root.exe
> [Sun Jan 27 19:00:46 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/MSADC/root.exe
> [Sun Jan 27 19:00:48 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
> [Sun Jan 27 19:00:49 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
> [Sun Jan 27 19:01:00 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Jan 27 19:01:01 2002] [error] [client xxx.222.123.236] File does
> not exist:
> /var/www/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
>
> [Sun Jan 27 19:53:04 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/scripts/root.exe
> [Sun Jan 27 19:53:05 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/MSADC/root.exe
> [Sun Jan 27 19:53:07 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
> [Sun Jan 27 19:53:09 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
> [Sun Jan 27 19:53:14 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Jan 27 19:53:15 2002] [error] [client xxx.222.123.236] File does
> not exist:
> /var/www/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Jan 27 19:53:15 2002] [error] [client xxx.222.123.236] File does
> not exist:
> /var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Jan 27 19:53:17 2002] [error] [client xxx.222.123.236] File does
> not exist:
> /var/www/htdocs/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
> [Sun Jan 27 19:53:19 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/scripts/..Á../winnt/system32/cmd.exe
> [Sun Jan 27 19:53:21 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/scripts/..À¯../winnt/system32/cmd.exe
> [Sun Jan 27 19:53:25 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/scripts/..Á../winnt/system32/cmd.exe
> [Sun Jan 27 19:53:28 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Jan 27 19:53:29 2002] [error] [client xxx.222.123.236] File does
> not exist: /var/www/htdocs/scripts/..%2f../winnt/system32/cmd.exe
>
> -------------------------------------------------------------------------------------------------------------------------------------
>
> [Sat Feb 9 20:52:58 2002] [error] [client BBB.160.15.29] Client sent
> malformed Host header
>
> -------------------------------------------------------------------------------------------------------------------------------------
>
> [Sun Mar 3 20:49:51 2002] [crit] (98)Address already in use:
> make_sock: could not bind to port 80
> [Sun Mar 3 21:20:28 2002] [error] [client xxx.222.6.196] File does
> not exist: /var/www/htdocs/scripts/root.exe
> [Sun Mar 3 21:20:36 2002] [error] [client xxx.222.6.196] File does
> not exist: /var/www/htdocs/MSADC/root.exe
> [Sun Mar 3 21:20:44 2002] [error] [client xxx.222.6.196] File does
> not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
> [Sun Mar 3 21:20:51 2002] [error] [client xxx.222.6.196] File does
> not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
> [Sun Mar 3 21:21:00 2002] [error] [client xxx.222.6.196] File does
> not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Mar 3 21:21:07 2002] [error] [client xxx.222.6.196] File does
> not exist:
> /var/www/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Mar 3 21:21:15 2002] [error] [client xxx.222.6.196] File does
> not exist:
> /var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Mar 3 21:21:25 2002] [error] [client xxx.222.6.196] File does
> not exist:
> /var/www/htdocs/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
>
> -------------------------------------------------------------------------------------------------------------------------------------
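
Added example, not part of either poster's message: a small Python filter that picks the IIS-targeted requests out of Apache error-log lines in the format quoted above and counts them per client, so that this background noise can be separated from 404s worth reading. The sample lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the page's error-log format (documentation-range IPs).
SAMPLE_LOG = """\
[Sun Jan 27 18:58:37 2002] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/root.exe
[Sun Jan 27 18:58:47 2002] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/MSADC/root.exe
[Sun Jan 27 18:59:02 2002] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
[Sun Jan 27 19:01:00 2002] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Sun Jan 27 19:01:01 2002] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/..%2f../winnt/system32/cmd.exe
[Sun Jan 27 19:05:12 2002] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/favicon.ico
[Sat Feb  9 20:52:58 2002] [error] [client 198.51.100.7] Client sent malformed Host header
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
                     r"File does not exist: (?P<path>.+)$")
WINDOWS_TARGETS = ("root.exe", "cmd.exe")  # binaries that exist only on Windows hosts

def classify(path):
    """Return a label for a 404 path, or None if it is not an IIS-style probe."""
    norm = unquote(path).replace("\\", "/").lower()   # %5c -> \ -> /
    name = norm.rsplit("/", 1)[-1]
    if name not in WINDOWS_TARGETS:
        return None
    return name + ("+traversal" if "/../" in norm else "")

def summarise(log_text):
    """Map client -> {label: count} for probe requests only."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other error types (e.g. malformed Host header) are skipped
        label = classify(m["path"])
        if label:
            hits[m["client"]][label] += 1
    return {c: dict(v) for c, v in hits.items()}

def scanners(log_text, min_probes=3):
    """Clients with at least min_probes IIS-style probe requests."""
    return sorted(c for c, v in summarise(log_text).items()
                  if sum(v.values()) >= min_probes)

if __name__ == "__main__":
    for client, counts in summarise(SAMPLE_LOG).items():
        print(client, counts)
    print("scanners:", scanners(SAMPLE_LOG))
```

Log lines that an e-mail client has wrapped, as in the quoted message, need to be re-joined into one line per entry before they will match.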