On 10/28/01 08:27 PM, John Michael sat at the `puter and typed:
> I'm new to the list and have very little experience writing modules but have
> one concern because I have written quite a few perl scripts that send email
> alerts and I also ran a perl script that picked up 404 errors through the doc
> error directive and know what kind of output is possible.
> Here it is.
> My server is constantly getting scanned by various hacking robots. I will
> get hundreds of these a day or more sometimes.
>
> [Sun Oct 28 18:51:00 2001] [error] [client 64.81.175.236] File does not
> exist: /home/usr1/digital/html/scripts/root.exe
> [Sun Oct 28 18:51:01 2001] [error] [client 64.81.175.236] File does not
> exist: /home/usr1/digital/html/MSADC/root.exe
> [Sun Oct 28 19:28:29 2001] [error] [client 64.81.41.2] File does not exist:
> /home/usr1/digital/html/scripts/root.exe

Yeah. Looks like a new stage of Nimda. These are the original 16 urls that
were requested by Nimda:

/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir

I suppose it is possible that you are just seeing a sort of translation of
these in your logs, but I have been seeing one more lately (sneaking by the
handler directive somehow because of a special char):

/scripts/..À/../winnt/system32/cmd.exe

The accented A seems to sneak by the Apache LocationMatch regexp I have,
which should catch ALL */cmd.exe, */root.exe, etc. Anyway, I also get
hundreds of these, but Apache::Nimda keeps them outta my hair pretty well.
There are a few pointers as to how to just throw these out at
http://www.keyslapper.org/Nimda/index.shtml

> I'm not even on an nt machine and they are scanning for windows files. I
> think these have something to do with a virus going around right now. You
> can't block the ips, because they are constantly changing. Your server
> would be stressed to check the long list of blocked ips after a while.

Yup. Nimda doesn't seem to be intelligent enough to recognize a non
exploitable system and avoid it. Seems it woulda done a lot more damage if
that were the case. None of us *nix nutz woulda been reporting the infected
systems, so it woulda been left to the Windoze admins to do something. I
don't have to tell you how that woulda gone.

> The problem is that your script will be possibly sending out hundreds of
> emails or more a day of useless information. You would need some kind of
> intelligent way to determine if it was a legitimate request for a seemingly
> legitimate document. Is that possible?

Yes, but if you install a handler to deal with Nimda, these are reduced
phenomenally. I guesstimate anywhere from 60 to 6000 individual requests per
day coming from Nimda infected systems, but I can't be any more accurate than
that because I just don't see them. With the Nimda handler in place, those
hits *don't* cause a 404. Well, most don't. So far, the one with the accented
A does, and the one with the %c0%2f does too, but I filter those explicitly
thru procmail, so problem solved with another tool. The only reason these
slide thru is that for some reason the Apache regexp implementation gets
fuddled by the %2f and the accented A. Maybe in 1.3.21 it will be fixed. Not
that big a deal though.

> Hope this doesn't discourage you.

Naahhh. Just one more problem to solve :) I love perl! I'm starting to see
why it is referred to as the Swiss Army chainsaw of computing!

Cheers
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org
Ô¿Ô¬

Is knowledge knowable? If not, how do we know that?
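The encoded variants in Lou's list (and the accented-A one that slides past his LocationMatch regexp) are easier to classify after decoding than by matching the raw request text. As an added example, not code from the thread, Apache::Nimda or the keyslapper.org page, here is a Python normaliser that peels off layered %xx encoding and the bogus separator byte pairs from that list, then checks the decoded file name against the two probe targets; the sample request URIs are constructed from the forms quoted above, and the separator byte map assumes those four sequences are the only disguised separators in play.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte pairs the worm used as disguised path separators (the %c0%af, %c0%2f,
# %c1%1c and %c1%9c forms in the URL list above): not valid UTF-8, but the
# targeted servers decoded them as "/" or "\".
BOGUS_SEPARATORS = {
    b"\xc0\xaf": b"/", b"\xc0\x2f": b"/",
    b"\xc1\x1c": b"\\", b"\xc1\x9c": b"\\",
}
# Decide on the decoded last path component, not the raw request text, so
# the encoding tricks cannot hide the file name from a regexp.
PROBE_TARGETS = {"cmd.exe", "root.exe"}

def normalise_path(raw: str, max_rounds: int = 3) -> str:
    """Strip layered %xx encoding, fold bogus separators, unify slashes."""
    data = raw.encode("latin-1", "replace")  # keeps the accented A as 0xC0
    for _ in range(max_rounds):             # %255c -> %5c -> "\" takes 2 rounds
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for bogus, sep in BOGUS_SEPARATORS.items():
        data = data.replace(bogus, sep)
    path = data.decode("latin-1").replace("\\", "/")
    return re.sub(r"/+", "/", path)

def is_nimda_probe(request_uri: str) -> bool:
    """True when the decoded path names one of the worm's target binaries."""
    path = normalise_path(request_uri.split("?", 1)[0])
    return path.rsplit("/", 1)[-1].lower() in PROBE_TARGETS

def scan(request_uris):
    """Return the request URIs that classify as Nimda probes."""
    return [uri for uri in request_uris if is_nimda_probe(uri)]
# Constructed sample: four encodings from the list above, the accented-A
# variant, and two legitimate-looking requests that must not be flagged.
SAMPLE_REQUESTS = [
    "/scripts/root.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..\u00c0/../winnt/system32/cmd.exe",
    "/index.html",
    "/docs/cmd.exe.html",
]

if __name__ == "__main__":
    for uri in scan(SAMPLE_REQUESTS):
        print("probe:", uri, "->", normalise_path(uri.split("?", 1)[0]))
```

Feeding the normalised path to the handler (or a procmail-style filter) instead of the raw URI is what lets the %c0%2f and accented-A requests be dropped alongside the rest.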