# Am I being hacked??

## JoeW71

Looking through the Apache2 access log I find several lines which to me sound like someone is mistaking my server for a Windows machine..  :Rolling Eyes:  and is either trying to execute code or get access to confidential system info... Are there any other opinions?

I have cut out the IPs and the exact dates for readability:

```
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 360 "-" $
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 360 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-$
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-" "-"
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 346 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 356 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 356 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTT$
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTT$
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt$
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 360 "-" $
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 360 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-$
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-" "-"
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 346 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 356 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 356 "-" "-"
```

There are several lines like this on several different occasions. Should I be worried??

Regards

----------

## nasher

worms / scripts that are trying to execute commands so they can 'hack' u.

just update ur apache with security bugfixes etc 

if u can, put it on another port or close the port from the 'big bad world'   :Smile: 

-update-

https://forums.gentoo.org/viewtopic.php?t=61042&highlight=system32+cmd+exe

----------

## kronon

I get this constantly in my apache logs too. But so far no one has gotten in. Most scripts think you are using windows anyway.

----------

## jaska

I wouldn't be too worried, they are exe files, they don't run in unix environments, at least not without wine.

----------

## ponds

it looks like someone is scanning all of your IP block on port 80 testing vs a database of known IIS exploits ( directory traversal attacks ).

You don't really have anything to worry about, just make sure you patch apache ( and all your other servers ) when a vuln hits, because they might one day decide to scan for apache  :Smile:  .

----------

## professorn

Wasn't this one of the IIS unicode bugs which made it possible for an attacker to use cmd for different things?

----------

## M104

It's good for you to check your log files like this!   :Very Happy:   Fortunately, these "attacks" are all for Windows based servers.  You are also going to see "GET whatever.com HTTP/1.0" requests too and those are scr1pt k1ddi3s looking for an open proxy server.  You may also see "OPTIONS / HTTP/1.1" and "SEARCH / HTTP/1.1" requests as well.  Basically, these are coming from scripts that crackers use to look for weak web servers.  As mentioned above, keep your stuff up to date and you don't have to worry.

I've got a couple of hosts (144.137.67.249 comes to mind) that keep sending my server this crap, even though it's clearly not working.   :Laughing: 

----------

## JoeW71

Thanks guys for all the answers, it is always nice to visit these forums when I have a problem. So many people wanting to help, I've almost given up on Googling   :Shocked:  since I installed Gentoo, no matter what the problem is, when I search the forums I find that someone has ideas or tips to fix it.

Once again, thank you   :Very Happy: 

----------

## aroedl

Hello!

If you wanna know if you were hacked:

```
emerge chkrootkit
chkrootkit
```

Andi

----------

## jief

that reminds me of the first time i checked my apache logs. I didn't know back then what robots.txt was. I got scared shitless, took my webserver offline. Until my friend told me this file is used by crawlers and spiders to get data about your site. I then checked the IPs, most were in the IP range of google, yahoo, etc.

----------

## GentooBox

A few viruses check if they can get cmd.exe (windows command prompt) from an IIS and/or apache server.

Nimda is a virus that checks for cmd.exe. - i think.

----------

## dvc5

Just a simple tool I use for dropping packets from these infected IP's.

```
emerge iptables
rc-update add iptables default
/etc/init.d/iptables start
iptables -I INPUT -s <insert IP here> -j DROP
# save through the init script: a bare iptables-save only prints to stdout,
# and the restart below would then reload the old rule set without this IP
/etc/init.d/iptables save
/etc/init.d/iptables restart
```

You can repeat the last 3 commands with each IP you want to add to your iptables "DROP" list. To view the list:

```
iptables -L -n
```

or

```
iptables -L
```

to resolve the addresses.

----------

## dreamer

i wrote a little script to block those infected ip's.

Just run it every once in a while and you'll feel beter   :Cool: 

```
#!/bin/bash
#create the dedicated chain if it doesn't exist yet, then flush CHAIN_BLOCK
iptables -N CHAIN_BLOCK 2>/dev/null
iptables -F CHAIN_BLOCK

#collect candidate ip's from the apache logs
grep error /var/log/apache2/error_log | cut -d' ' -f8 | cut -d] -f1 >> temp
grep script /var/log/apache2/access_log | cut -d' ' -f1 >> temp
grep exe /var/log/apache2/access_log | cut -d' ' -f1 >> temp
grep dll /var/log/apache2/access_log | cut -d' ' -f1 >> temp
grep exe /var/log/apache2/ssl_access_log | cut -d' ' -f1 >> temp

#one entry per ip
script_contents=( $(sort temp | uniq) )

#remove temp file
rm -f temp

for ip in "${script_contents[@]}"
do
        #never block the own LAN
        if [[ $ip != 192.168.0* ]]
        then
                iptables -A CHAIN_BLOCK -s "$ip" -j DROP
        fi
done
```

As you can see, i dedicated a special chain for this, CHAIN_BLOCK. Just put this rule on the first place in your INPUT.

```
-A INPUT -j CHAIN_BLOCK
```

----------

## dvc5

Nice script, I'm gonna try that...

----------

## dreamer

 *lozdvc5 wrote:*   

> Nice script, I'm gonna try that...

 

it's still very basic. Actually i want to rewrite it to ADD ip's ( instead of flushing the chain and adding everything again ).

It should be something like this.

Every time there is a new infected ip to add, it'll add this ip and send a mail to a specified user. This way it'll be more suitable for a cronjob.

So, stay tuned...  :Razz: 

----------

## zeky

very nice script...

----------

## zeek

 *JoeW71 wrote:*   

> ```
> "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "$
> ...
> ```

 

Looks like a CodeRed derivative -- a worm, not hackers.

----------

## Oid

Too bad you can't bounce a message back to them saying "Your pc has more viruses and worms than my last date" or some equally disgusting line.  You know... to help them fix it  :Twisted Evil: 

----------

## dreamer

 *Oid wrote:*   

> Too bad you can't bounce a message back to them saying "Your pc has more viruses and worms than my last date" or some equally disgusting line.  You know... to help them fix it 

 

Well, there is a possibility..

They're trying to Get a file ( cmd.exe, root.exe or whatever ). Why not create a 50 MB file and call it cmd.exe ? If everybody did that, those sweeps would be over very soon   :Twisted Evil: 

otoh, your own upload would be wasted, so this isn't a very good option  :Smile: 

----------

## rewt

 *dreamer wrote:*   

>  *Oid wrote:*   Too bad you can't bounce a message back to them saying "Your pc has more viruses and worms than my last date" or some equally disgusting line.  You know... to help them fix it  
> 
> Well, there is a possibility..
> 
> They're trying to Get a file ( cmd.exe, root.exe or whatever ). Why not create a 50 MB file and call it cmd.exe ? If everybody did that, those sweeps would be over very soon  
> ...

 

However, if you combined it with bandwidth throttling so that they were able to get the 50 MB at a VERY slow rate, say 500 bytes per second, that would have minimal impact on you while slowing them to a crawl (maybe make sure to only reply to one of their get requests as well so they can't max your bandwidth out that way  :Wink:  )

----------

## Oid

Hmmm not a bad idea....

----------

## meyerm

Now it's getting funny  :Smile: 

How can I enable bandwidth throttling for this?

----------

## Dr_Stein

 *Oid wrote:*   

> Too bad you can't bounce a message back to them saying "Your pc has more viruses and worms than my last date" or some equally disgusting line.  You know... to help them fix it 

 

Dude, that was so far beyond the limits of good taste. Heh. Right on.  :Wink: 

----------

## dreamer

As promised..

I just finished it, so maybe it's full of bugs, file-erasing tricks and so on...  :Razz: 

Every time you run this script it'll compare the new results with the old ( .blocklist ). If it finds new infected ip's it'll add them to the firewall and send an email to the specified user.

To use the mail function you need /usr/sbin/sendmail, which comes with postfix ( i think ).  If you don't have this, just leave the email variable empty.

Hope you enjoy it  :Very Happy: 

```
#!/bin/bash
#written by dreamer     02-03-2004
#quick'n dirty script to filter infected ip addresses from apache logs and
#block them with help of iptables.
#If manager is a valid email address ( or local user ) an email is sent to
#this user every time a new ip address is added to the firewall.
#This makes it ideal for a daily cronjob or so...
#enjoy! :-)
#

#global settings
#where email is sent.. ( leave empty if you don't want any mail )
manager=
#temp dir
temp_dir=/var/tmp
#iptables Chain to append the rule to
chain=INPUT
#action to take after a rule matches
action=DROP
#permanent list of ip's seen so far ( relative to the directory the script runs from )
blocklist=.blocklist

#some pre-running stuff
if [ ! -f "$blocklist" ]
then
        touch "$blocklist"
fi

#compile a list of infected ip's
#this will get most of the shit, i'm not sure if it will catch ALL....
grep error /var/log/apache2/error_log | cut -d' ' -f8 | cut -d] -f1 >> $temp_dir/blocklist_chaos.tmp
grep script /var/log/apache2/access_log | cut -d' ' -f1 >> $temp_dir/blocklist_chaos.tmp
grep exe /var/log/apache2/access_log | cut -d' ' -f1 >> $temp_dir/blocklist_chaos.tmp
grep dll /var/log/apache2/access_log | cut -d' ' -f1 >> $temp_dir/blocklist_chaos.tmp
grep exe /var/log/apache2/ssl_access_log | cut -d' ' -f1 >> $temp_dir/blocklist_chaos.tmp

#sort these ip's and remove duplicates, afterwards remove blocklist_chaos.tmp
sort $temp_dir/blocklist_chaos.tmp | uniq > $temp_dir/blocklist.tmp
rm $temp_dir/blocklist_chaos.tmp

#see if there are any new ip's since last run
#( diff prints lines that only exist in the new file with a leading "> " )
new_ip=( $(diff "$blocklist" $temp_dir/blocklist.tmp | grep '^>' | cut -d' ' -f2) )

#remove LAN ip's (192.168.0.0/24 ) from the blocklist.
#( the ## prefix strip turns every 192.168.0.x entry into an empty word )
#Comment if you don't trust your own LAN ;-)
new_ip=( $(echo ${new_ip[@]##192.168.0.*}) )

#if there is at least one new infected ip....
if (( ${#new_ip[@]} > 0 ))
then
        #make tempfile the new permanent blocklist
        mv $temp_dir/blocklist.tmp "$blocklist"

        # add new ip's with iptables
        for ip in "${new_ip[@]}"
        do
                /sbin/iptables -A $chain -s "$ip" -j $action
        done

        #mail new ip's to manager, one per line
        if [[ $manager != "" ]]
        then
                {
                        echo "At $(date +%A' '%d' '%b' '%T) these infected ip's were added to the firewall:"
                        printf '%s\n' "${new_ip[@]}"
                } | /usr/sbin/sendmail -F CHAIN_BLOCK $manager
        fi
else
        rm $temp_dir/blocklist.tmp
fi
```

----------

## dvc5

 *dreamer wrote:*   

>  *lozdvc5 wrote:*   Nice script, I'm gonna try that... 
> 
> it's still very basic. Actually i want to rewrite it to ADD ip's ( instead of flushing the chain and adding everything again ).
> 
> It should be something like this.
> ...

 

Maybe instead of simply "grep error /var/log/apache2/error_log..." when you're creating the array, how about doing the following for example:

```
logtail /var/log/apache2/error_log | grep error | cut -d' ' -f8 | cut -d] -f1 >> temp
```

I'm just not sure how using logtail here might affect other cronjobs like logcheck.sh that use logtail to incrementally check the same logs.

----------

## dvc5

Haha sorry, you beat me to the punch...  :Very Happy: 

----------

## dvc5

Works beautifully.

One question, how do I setup the "favicon.ico" so people using browsers like mozilla don't get blacklisted when the apache log gives them an entry in the error_log?

EDIT: Found out the favicon.ico issue, however I had to comment out the "grep error /var/log/apache2/error_log..." line in the script since it was too restrictive and blocking some old IP's that I don't want blocked. I think the other filtering rules find most of the stuff windows-related at least.  :Wink: 
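
As an added example (not code from this thread or from dreamer's script), here is what the encoded requests in JoeW71's log turn into once you reproduce the IIS double-decode / overlong-UTF-8 flaw professorn asks about, plus a classifier over constructed log lines that skips a browser's favicon.ico 404 and the 192.168.0.0/24 LAN, the two false-positive sources discussed above. It also flags the open-proxy and OPTIONS/SEARCH probes M104 mentions and any other traversal that only appears after decoding; the sample lines, their IPs (documentation ranges) and the label names are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes
# Constructed sample in Apache combined log format; IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Mar/2004:10:01:02 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "-"
192.0.2.10 - - [04/Mar/2004:10:01:03 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 370 "-" "-"
192.0.2.10 - - [04/Mar/2004:10:01:04 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 360 "-" "-"
192.0.2.11 - - [04/Mar/2004:10:02:00 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 346 "-" "-"
198.51.100.7 - - [04/Mar/2004:10:03:00 +0100] "GET http://www.example.com/ HTTP/1.0" 200 512 "-" "-"
203.0.113.5 - - [04/Mar/2004:10:04:00 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.0.3 - - [04/Mar/2004:10:05:00 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 369 "-" "-"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def lenient_decode(path):
    """Reproduce the IIS decoding flaw the probes rely on: percent-decode twice (so
    %255c -> %5c -> '\\') and accept overlong two-byte UTF-8 (%c0%af -> '/', %c1%9c -> '\\')."""
    raw = unquote_to_bytes(unquote_to_bytes(path))
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):   # overlong lead byte
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode('latin-1').replace('\\', '/').lower()

def classify(method, target):
    """Label one request with the probe types named in the thread, or 'benign'."""
    if method.upper() in ('OPTIONS', 'SEARCH'):
        return 'method-scan'
    if target.lower().startswith(('http://', 'https://')):
        return 'open-proxy-probe'            # absolute URL: looking for an open proxy
    path = lenient_decode(target.split('?', 1)[0])
    if path.endswith(('/cmd.exe', '/root.exe')):
        return 'iis-command-probe'           # Nimda / Code Red style, however encoded
    if '/../' in path:
        return 'traversal'                   # only visible after decoding
    return 'benign'                          # e.g. a browser's favicon.ico 404

def suspicious_ips(log_text, trusted_prefixes=('192.168.0.',)):
    """Source IPs with at least one probe, skipping the LAN as dreamer's script does."""
    hits = set()
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        if not m['ip'].startswith(trusted_prefixes) and classify(m['method'], m['target']) != 'benign':
            hits.add(m['ip'])
    return sorted(hits)
```

Feeding a real access_log through suspicious_ips() gives a list that can go into dreamer's diff-against-.blocklist step in place of the grep exe / grep script filters.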

----------

## zeek

 *Oid wrote:*   

> Too bad you can't bounce a message back to them saying "Your pc has more viruses and worms than my last date" or some equally disgusting line.  You know... to help them fix it 

 

Um, the worm doesn't grok the file.

IOW, there is no user (human) on the other side of the connection to read your message.

----------

## rewt

 *meyerm wrote:*   

> Now it's getting funny 
> 
> How can I enable bandwith throttling for this?

 

Check out mod_bandwidth (Apache) and also mod_throttle

----------

## dreamer

added a small enhancement to the script. The mail now contains the "crime" the ip committed. Grab it here

----------

