Posted to users@httpd.apache.org by Issa Mbodji <is...@yahoo.com> on 2003/06/22 04:57:41 UTC

[users@httpd] My Apache Access Log

Hello:

I am running the Apache web server at home (just for
testing purposes). I do not even have a web site. I am
running localhost. I was surprised to see today, when I
opened the access log file, some very strange messages
like the one below:

68.50.3.144 - - [21/Jun/2003:22:49:07 -0400] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
 HTTP/1.0" 404 309

or this one

68.50.52.117 - - [16/Jun/2003:17:25:57 -0400] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322

I really do not understand these messages, and to me it
seems that I am under attack.

Does anyone know what this could mean? And if it is an
attack, how do I stop it?

I am running Windows XP Professional Edition.

Thanks. -Mame Mbodji


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] My Apache Access Log

Posted by Issa Mbodji <is...@yahoo.com>.
Thanks, I will try it.

Jeff Cohen <su...@gej-it.com> wrote:

Next time plain text please.
Add these lines and it will log any requests into a different log file.

SetEnvIfNoCase Request_URI "default\.ida?|root\.|cmd\.exe" is_attack
CustomLog logs/access.log combined env=!is_attack
CustomLog logs/attack.log combined env=is_attack


RE: [users@httpd] My Apache Access Log

Posted by Jeff Cohen <su...@gej-it.com>.
Next time plain text please.
Add these lines and it will log any requests into a different log file.

SetEnvIfNoCase Request_URI "default\.ida?|root\.|cmd\.exe" is_attack
CustomLog logs/access.log combined env=!is_attack
CustomLog logs/attack.log combined env=is_attack

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!
-----Original Message-----
From: Issa Mbodji [mailto:issambodji@yahoo.com] 
Sent: Sunday, June 22, 2003 10:35 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] My Apache Access Log

Thanks for the clarification. But my other question then is if there is a
way for me to stop these messages from showing in my log file. It is good to
know that there is no harm for Apache users, but it will be great if I find a
way to stop it.
 
Thanks,



Re: [users@httpd] My Apache Access Log

Posted by Issa Mbodji <is...@yahoo.com>.
Thanks for the clarification. But my other question then is if there is a way for me to stop these messages from showing in my log file. It is good to know that there is no harm for Apache users, but it will be great if I find a way to stop it.
 
Thanks,


Re: [users@httpd] My Apache Access Log

Posted by Tim Wort <ti...@pobox.com>.

The two log entries you mentioned are from the Nimda and Code Red worms (not
viruses); they infect unpatched IIS (Microsoft's Internet Information
Server) web servers but not Apache. Once an IIS web server is infected, the
worm attempts to connect to other IP addresses on port 80 looking for
another server to infect. It isn't a problem for Apache users other than
the noise in your log files.

The worms are well known and the servers (IIS) are patchable; it's too bad that
so many Microsoft users either do not know they have IIS running, or are too
lazy to clean up their systems and patch, or just don't have enough
knowledge to do something about it, or in most cases aren't even aware they
are infected.

I would go on, but then the nine out of ten Microsoft users that aren't
knowledgeable would take exception and think this is just a flame; I don't
have time (for them). I think your log files speak for themselves.


On Sun, 22 Jun 2003, Mac Serve wrote:

> What is a "NimdA@" virus and what is a "IIS server"? Never herd of them.
>
> - Mike

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=        Inkling Research Inc.      =
=    Tim.Wort@InklingResearch.com   =
=        Tim.Wort@pobox.com         =
=                                   =
=       Sun Certified Security      =
=           Administrator           =
=                                   =
=        Eschew Obfuscation         =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



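As an added example (not code from the thread, nor from the Apache project), the Python script below does offline what Jeff Cohen's `SetEnvIfNoCase` / `CustomLog env=` directives do at log-write time: it parses access-log lines, applies the same `is_attack` rule to the request URI, routes each line to either the normal or the attack log, and labels the two probe shapes Tim Wort explains (the Code Red `default.ida` request and the Nimda `cmd.exe` / `root.exe` requests). The sample log lines, the 192.0.2.x addresses and the `STRICT_ATTACK_RE` pattern are constructed for this example; the fifth sample line exists to show why the unanchored `root\.` in the thread's rule also diverts an innocent `/docs/chroot.html` into the attack log.

```python
"""Split Apache access-log lines into worm noise and normal traffic.

Added example, not code from the thread or from the Apache project. It applies
the is_attack rule from Jeff Cohen's SetEnvIfNoCase directive to lines you
already have on disk and routes them the way his two "CustomLog ... env="
directives would, then tallies the probe families Tim Wort describes.
All sample log lines and addresses below are constructed.
"""
import re
from collections import Counter

# Common Log Format; trailing combined-format referer/user-agent fields are
# tolerated because the pattern is not anchored at the end.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The rule from the thread, matched case-insensitively like SetEnvIfNoCase.
# Caveat: it is unanchored and "ida?" makes the trailing "a" optional, so
# "root\." also fires on paths such as /docs/chroot.html (see sample below).
ATTACK_RE = re.compile(r"default\.ida?|root\.|cmd\.exe", re.IGNORECASE)

# A tighter alternative (our own, not from the thread): require the path
# separator and the full file name.
STRICT_ATTACK_RE = re.compile(r"/default\.ida\?|/(?:cmd|root)\.exe", re.IGNORECASE)

# Family labels for the two probe shapes quoted in the thread.
FAMILY_RULES = (
    ("Code Red", re.compile(r"/default\.ida\?", re.IGNORECASE)),
    ("Nimda", re.compile(r"/(?:cmd|root)\.exe", re.IGNORECASE)),
)

# Constructed sample log (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jun/2003:22:49:07 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 309',
    '192.0.2.20 - - [16/Jun/2003:17:25:57 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322',
    '192.0.2.20 - - [16/Jun/2003:17:25:58 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 322',
    '192.0.2.30 - - [22/Jun/2003:09:00:01 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"',
    '192.0.2.30 - - [22/Jun/2003:09:00:02 -0400] "GET /docs/chroot.html HTTP/1.1" 200 4321',
]


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def worm_family(uri):
    """Best-effort family label for a request URI that matched the attack rule."""
    for name, rx in FAMILY_RULES:
        if rx.search(uri):
            return name
    return "unknown"


def split_log(lines, rule=ATTACK_RE):
    """Route lines like the two CustomLog directives: env=!is_attack / env=is_attack.

    Returns (access_lines, attack_lines, summary); summary counts
    (source host, family) pairs for the attack lines.
    """
    access, attack = [], []
    summary = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and rule.search(entry["uri"]):
            attack.append(line)
            summary[(entry["host"], worm_family(entry["uri"]))] += 1
        else:
            # Unparsable lines stay with normal traffic rather than being dropped.
            access.append(line)
    return access, attack, summary


if __name__ == "__main__":
    for label, rule in (("thread rule", ATTACK_RE), ("strict rule", STRICT_ATTACK_RE)):
        access, attack, summary = split_log(SAMPLE_LOG, rule)
        print(f"{label}: {len(attack)} attack line(s), {len(access)} normal line(s)")
        for (host, family), n in sorted(summary.items()):
            print(f"  {host:<12} {family:<9} {n}")
```

Run it directly to see both rules applied to the sample: the thread's rule puts four lines in the attack log (including `/docs/chroot.html`, labelled "unknown"), the stricter one puts three. In httpd itself the stricter pattern goes into the same directive Jeff posted, e.g. `SetEnvIfNoCase Request_URI "/default\.ida\?|/cmd\.exe|/root\.exe" is_attack`, with the two `CustomLog` lines unchanged.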


Re: [users@httpd] My Apache Access Log

Posted by Mac Serve <ma...@ns.sympatico.ca>.
What is a "NimdA@" virus and what is an "IIS server"? Never heard of them.

- Mike




RE: [users@httpd] My Apache Access Log

Posted by Jeff Cohen <su...@gej-it.com>.
Check the archives of this list; this question was asked a million times
already.
It means that a NimdA@ virus was trying to infect your IIS server, but you
do not have an IIS server, so there's nothing to be worried about. :-)

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!


