Posted to users@httpd.apache.org by Tom Diehl <td...@rogueind.com> on 2003/07/01 16:59:55 UTC

[users@httpd] Re: stopping hackers

On Tue, 1 Jul 2003, Sam Carleton wrote:

> I discovered my apache web server was down this morning.  When I
> looked at the error log, I discovered this:
> 
> 
> [Mon Jun 30 23:32:56 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/MSADC/root.exe
> [Mon Jun 30 23:33:00 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/c/winnt/system32/cmd.exe
> [Mon Jun 30 23:33:04 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/d/winnt/system32/cmd.exe
> [Mon Jun 30 23:33:05 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:07 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:09 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:10 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:12 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..Á../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:15 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..À¯../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:19 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..Áœ../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:30 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
> [Mon Jun 30 23:33:32 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..%2f../winnt/system32/cmd.exe
> [Mon Jun 30 23:58:30 2003] [error] [client 216.39.50.54] File does not exist: /usr/local/apache/htdocs/robots.txt
> [Tue Jul  1 00:00:02 2003] [warn] child process 8197 still did not exit, sending a SIGTERM
> [Tue Jul  1 00:00:06 2003] [error] child process 8197 still did not exit, sending a SIGKILL
> [Tue Jul  1 00:00:06 2003] [notice] caught SIGTERM, shutting down
> 
> My two questions are:
> 
> 1: what is the whole child process 8197 about?

Not sure.

> 2: How should I configure Apache to not allow this type of an
> attack?

These are winbloze viruses like nimda and code red trying to exploit your
M$ IIS server. Since you do not appear to have one of them you just get the
error that the files are not there. Not much you can do about it short of blocking
every windoze machine in the world at the firewall. Short of that and if you
have a lot of time on your hands you could start notifying the owners of the
machines that they are infected.

HTH,

-- 
......Tom		Registered Linux User #14522	http://counter.li.org
tdiehl@rogueind.com	My current SpamTrap ------->	mtd123@rogueind.com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: stopping hackers

Posted by Gawain <li...@rticonsulting.com>.
At 12:19 PM -0300 on 7/1/03, netforum.com.br - Mail Host - Listserv wrote:


>You can use the WormWall Module. It disconnects immediately when someone tries to
>attack.
>
>http://www.gknw.com/development/apache/

Or check out EarlyBird. It does a great job of automatically 
notifying sysadmins that their customer's system is trying to attack 
other systems. I've been using it for a couple of years and it works 
great:

<http://www.treachery.net/~jdyson/earlybird/>

Gawain



Re: [users@httpd] Re: stopping hackers

Posted by "netforum.com.br - Mail Host - Listserv" <ne...@netforum.com.br>.
You can use the WormWall Module. It disconnects immediately when someone tries to
attack.

http://www.gknw.com/development/apache/


Mike
----- Original Message -----
From: "Tom Diehl" <td...@rogueind.com>
To: "Apache Mailing List" <us...@httpd.apache.org>
Sent: Tuesday, July 01, 2003 11:59
Subject: [users@httpd] Re: stopping hackers






[users@httpd] Re: stopping hackers

Posted by Tom Diehl <td...@rogueind.com>.
On Tue, 1 Jul 2003, Sam Carleton wrote:

> On Tue, Jul 01, 2003 at 10:59:55AM -0400, Tom Diehl wrote:
> > 
> > These are winbloze viruses like nimda and code red trying to exploit your
> > M$ IIS server. Since you do not appear to have one of them you just get the
> > error that the files are not there. Not much you can do about it short of blocking
> > every windoze machine in the world at the firewall. Short of that and if you
> > have a lot of time on your hands you could start notifying the owners of the
> > machines that they are infected.
> 
> So how exactly do I go about informing the owner that the machine is
> infected?  I did a reverse lookup on the IP and it is coming from a
> road runner account.  I am assuming that I need to notify Road
> Runner and they will notify the end user?

That is how it is supposed to work but who knows what they will do.

-- 
......Tom		Registered Linux User #14522	http://counter.li.org
tdiehl@rogueind.com	My current SpamTrap ------->	mtd123@rogueind.com




Re: [users@httpd] Re: stopping hackers

Posted by Sam Carleton <sc...@miltonstreet.com>.
On Tue, Jul 01, 2003 at 10:59:55AM -0400, Tom Diehl wrote:
> 
> These are winbloze viruses like nimda and code red trying to exploit your
> M$ IIS server. Since you do not appear to have one of them you just get the
> error that the files are not there. Not much you can do about it short of blocking
> every windoze machine in the world at the firewall. Short of that and if you
> have a lot of time on your hands you could start notifying the owners of the
> machines that they are infected.

So how exactly do I go about informing the owner that the machine is
infected?  I did a reverse lookup on the IP and it is coming from a
road runner account.  I am assuming that I need to notify Road
Runner and they will notify the end user?

Sam

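An added example, not code from any poster in this thread: a small Python triage script that does the two things the thread talks about. It parses error_log lines in the format Sam quoted, keeps only the "File does not exist" entries whose paths carry the IIS-worm signatures Tom identifies (cmd.exe, root.exe, the _vti_bin/msadc/..%5c traversal paths), aggregates them per client IP with first/last timestamps, and formats a plain-text summary of the kind you would send to the ISP's abuse contact, which is the step Sam asks about. The sample log lines are constructed from the excerpt in the thread, and the signature list, the ProbeSummary structure and the report wording are my assumptions; the script does no network lookups, so the hostname from your own reverse lookup is passed in by hand.

```python
"""Triage Apache error_log lines for IIS-worm probes (Nimda / Code Red style)."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample, modelled on the error_log excerpt quoted in the thread.
SAMPLE_LOG = """\
[Mon Jun 30 23:32:56 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/MSADC/root.exe
[Mon Jun 30 23:33:00 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/c/winnt/system32/cmd.exe
[Mon Jun 30 23:33:05 2003] [error] [client 65.27.114.84] File does not exist: /usr/local/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Mon Jun 30 23:58:30 2003] [error] [client 216.39.50.54] File does not exist: /usr/local/apache/htdocs/robots.txt
[Tue Jul  1 00:00:02 2003] [warn] child process 8197 still did not exit, sending a SIGTERM
"""

# Apache 1.3 / 2.0 error_log layout: [timestamp] [level] [client IP] message
# (the [client ...] field is absent on server lifecycle notices).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<ip>[^\]]+)\] )?(?P<msg>.*)$"
)
# How a 404 for a static path is logged.
MISSING_RE = re.compile(r"^File does not exist: (?P<path>\S+)")
# Paths only an IIS/Nimda/Code Red style scanner would ask an Apache box for.
# Assumption: this list covers the signatures seen in the thread, nothing more.
PROBE_RE = re.compile(
    r"(?i)(cmd\.exe|root\.exe|/_vti_bin/|/_mem_bin/|/msadc/|\.\.%5c|\.\.%2f)"
)


@dataclass
class ProbeSummary:
    """Hypothetical per-source aggregate; not an Apache data structure."""
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    paths: list = field(default_factory=list)


def parse_line(line):
    """Split one error_log line into (timestamp, level, client_ip_or_None, message)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("ip"), m.group("msg")


def triage(log_text):
    """Return {client_ip: ProbeSummary} for every line that looks like a worm probe."""
    found = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, ip, msg = parsed
        if ip is None:
            continue  # child-process / shutdown notices carry no client
        missing = MISSING_RE.match(msg)
        if not missing:
            continue
        path = missing.group("path")
        if not PROBE_RE.search(path):
            continue  # an ordinary 404 (robots.txt etc.), not a probe
        s = found.get(ip)
        if s is None:
            s = found[ip] = ProbeSummary(first_seen=ts, last_seen=ts)
        s.count += 1
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.paths.append(path)
    return found


def abuse_report(ip, summary, hostname=None, tz="server local time"):
    """Plain-text summary suitable for pasting into a note to the ISP's abuse contact."""
    who = f"{ip} ({hostname})" if hostname else ip
    lines = [
        f"Host {who} sent {summary.count} IIS worm-style probes",
        f"between {summary.first_seen:%Y-%m-%d %H:%M:%S} and "
        f"{summary.last_seen:%Y-%m-%d %H:%M:%S} ({tz}).",
        "Requested paths (all answered 404; no IIS here):",
    ]
    lines += [f"  {p}" for p in summary.paths]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(abuse_report(ip, summary))
        print()
```

Run it against a real error_log with `triage(open("/usr/local/apache/logs/error_log").read())`; only the probe sources come back, so a robots.txt fetcher or a shutdown notice never ends up in a report.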