On 10/28/01 08:27 PM, John Michael sat at the `puter and typed:
> I'm new to the list and have very little experience writing modules but have
> one concern because I have written quite a few perl scripts that send email
> alerts and I also ran a perl script that picked up 404 errors through the doc
> error directive and know what kind of output is possible.
> Here it is.
> My server is constantly getting scanned by various hacking robots.  I will
> get hundreds of these a day or more sometimes.
> 
> [Sun Oct 28 18:51:00 2001] [error] [client 64.81.175.236] File does not
> exist: /home/usr1/digital/html/scripts/root.exe
> [Sun Oct 28 18:51:01 2001] [error] [client 64.81.175.236] File does not
> exist: /home/usr1/digital/html/MSADC/root.exe
> [Sun Oct 28 19:28:29 2001] [error] [client 64.81.41.2] File does not exist:
> /home/usr1/digital/html/scripts/root.exe

Yeah.  Looks like a new stage of Nimda.  These are the original 16
URLs that were requested by Nimda:
/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir

I suppose it is possible that you are just seeing a sort of
translation of these in your logs, but I have been seeing one more
lately (sneaking by the handler directive somehow because of a special
char):
/scripts/..À/../winnt/system32/cmd.exe

The accented A seems to sneak by the Apache LocationMatch regexp I
have, which should catch ALL */cmd.exe, */root.exe, etc.

Anyway, I also get hundreds of these, but Apache::Nimda keeps them
outta my hair pretty well.  There's a few pointers as to how to just
throw these out at http://www.keyslapper.org/Nimda/index.shtml

> I'm not even on an nt machine and they are scanning for windows files.  I
> think these have something to do with a virus going around right now.  You
> can't block the ips, because they are constantly changing.  Your server
> would be stressed to check the long list of blocked ips after a while.

Yup.  Nimda doesn't seem to be intelligent enough to recognize a non
exploitable system and avoid it.  Seems it woulda done a lot more
damage if that were the case.  None of us *nix nutz woulda been
reporting the infected systems, so it woulda been left to the Windoze
admins to do something.  I don't have to tell you how that woulda
gone.
 
> The problem is that your script will possibly be sending out hundreds of
> emails or more a day of useless information.  You would need some kind of
> intelligent way to determine if it was a legitimate request for a seemingly
> legitimate document.  Is that possible?

Yes, but if you install a handler to deal with Nimda, these are
reduced phenomenally.  I guesstimate anywhere from 60 to 6000
individual requests per day coming from Nimda infected systems, but I
can't be any more accurate than that because I just don't see them.

With the Nimda handler in place, those hits *don't* cause a 404.
Well, most don't.  So far, the one with the accented A does, and the
one with the %c0%2f does too, but I filter those explicitly thru
procmail, so problem solved with another tool.

The only reason these slide thru is that for some reason the Apache
regexp implementation gets fuddled by the %2f and the accented A.
Maybe in 1.3.21 it will be fixed.  Not that big a deal though.

> Hope this doesn't discourage you.

Naahhh.  Just one more problem to solve :)

I love perl!

I'm starting to see why it is referred to as the Swiss Army chainsaw
of computing!

Cheers
Lou
-- 
Louis LeBlanc               [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org                     Ô¿Ô¬

Is knowledge knowable?  If not, how do we know that?
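The encoded variants Lou mentions (%c0%2f, %c1%1c, %255c, the accented A) slip past a regexp because the pattern is matched against the raw URI rather than what the target server would decode it to. The Python below is an added example, not code from the mail or from Apache::Nimda: it canonicalizes the request path first (repeated percent-decoding, IIS-style folding of overlong two-byte sequences, backslash to slash) and only then applies the cmd.exe/root.exe match. The sample requests are constructed from the URLs quoted above; the lenient-decoding rule is an assumption about how the probed IIS servers interpreted those bytes, and it also shows that the raw "À/" variant (À is byte 0xC0 in Latin-1) is simply %c0%2f left undecoded.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed samples: probe URLs quoted in the mail, the two variants the
# author says slip past his LocationMatch regexp (%c0%2f and a raw Latin-1
# A-grave, byte 0xC0), and two benign requests, one naming cmd.exe in its query.
SAMPLE_REQUESTS = [
    b"/scripts/root.exe?/c+dir",
    b"/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    b"/scripts/..\xc0/../winnt/system32/cmd.exe",
    b"/index.html",
    b"/cgi-bin/search.pl?q=cmd.exe+manual",
]
# The LocationMatch target from the mail, applied here to the canonical path.
PROBE_TARGET = re.compile(rb"/(?:cmd|root)\.exe$")

def fold_overlong_utf8(data: bytes) -> bytes:
    # Assumed IIS-style lenient decode: a 0xC0/0xC1 lead byte plus ANY next
    # byte folds to ((lead & 0x1F) << 6) | (next & 0x3F), so %c0%af and %c0%2f
    # become "/", %c1%9c and %c1%1c become "\", and raw 0xC0 0x2F is %c0%2f.
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def canonicalize_path(request: bytes) -> bytes:
    # Drop the query, undo double encoding (%255c -> %5c -> \), fold overlong
    # sequences, then treat "\" as "/" and compare case-insensitively.
    path = request.split(b"?", 1)[0]
    for _ in range(3):
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path = decoded
    return fold_overlong_utf8(path).replace(b"\\", b"/").lower()

def is_nimda_probe(request: bytes) -> bool:
    return PROBE_TARGET.search(canonicalize_path(request)) is not None

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("PROBE" if is_nimda_probe(req) else "ok   ",
              canonicalize_path(req).decode("latin-1"))
```

Running it flags the six probe URLs, including the two that bypass a raw-URI regexp, and leaves the two benign requests alone because the query string is never matched.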
