RE: [eug-lug]webserver logs...
I really doubt this is an intentional attack. This looks like what the Windows virus Nimda does when looking for targets. I used to have a cron job on a webserver at work that would collect the IPs and send them to our Windows IT group to fix.

Garl

-----Original Message-----
From: Linux Rocks ! [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 8:23 PM
To: [EMAIL PROTECTED]
Subject: [eug-lug]webserver logs...

so... I've noticed this before in my webserver logs...

68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 292

so... looks like someone is scanning for a WinNT-based server they can exploit to me.. anyway, obviously it's not an actual problem, but I figured maybe some of you have had similar issues, and come up with creative solutions... like with iptables or something :)

Jamie
--
It's a bird.. It's a plane.. No, it's KernelMan, faster than a speeding bullet, to your rescue. Doing new kernel versions in under 5 seconds flat..
-- Linus, in the announcement for 1.3.27

___
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
Re: [eug-lug]webserver logs... (right on)
As far as I know, they are not trying to download your cmd.exe, but rather trying to exploit an unpatched IIS to *run* cmd.exe and give them a shell; I don't know what they'd do if you actually returned some file.exe, but it is an interesting idea. It is likely not the response they are hoping for, though, so I think it would not qualify as a tarpit/honeypot/etc, which I find more interesting. For instance, you could stage up some vanilla win2k system -- maybe if you had what looked like installers for expensive programs lying around on it (but which were actually one terabyte of 1's, self-extracting) then your plan could work. I would want any trojan .exe to collect some info about where it is running, and maybe try to send out the info to a centralized source. Fun ideas, however.

As far as your logs filling up with junk, I think that is pretty darn important to log, and you might want to consider either turning off httpd, or else adding some firewall rules to deny most connections if this is a problem for you = ) For instance, I run snort in addition, so for every one of these IIS exploit attempts, I see the apache log as well as the snort alert log. Handy, IMHO.

Regards,
Ben

On Fri, 21 Nov 2003 00:34:48 -0500
Linux Rocks ! [EMAIL PROTECTED] wrote:
|
| you can run host or dig on the IP if you're
| ohh.. I'm pretty sure they are users from the same ISP.
| .
|
| hmmm... interesting.. I like this idea... might be fun :) it got me
| thinking of what to send them... I was thinking a file full of 1's in
| a self-extracting exe would be fun. If their program executes this
| file to test it, what might happen if it extracts a file of ohh say a
| few terabytes of 1's ? how small will a compressed file of 1's be ?
|
| I suppose I could be really malicious and send them a trojan...
|
| or possibly there's something even more horrific that others might
| suggest?
|
Re: [eug-lug]webserver logs...
On Thu, Nov 20, 2003 at 11:23:27PM -0500, Linux Rocks! wrote:
> so... I've noticed this before in my webserver logs...
> 68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 292

Someone just has a script/program that's scanning for IIS 5.0 exploits. There are a number of exploits that allow you to execute arbitrary commands using cmd.exe. Roughly, from your log entry, they're trying to run cmd.exe with the /c switch, which means run cmd.exe and execute the command(s) contained in the string following the /c switch. In this case, your Apache logs either truncated the rest, or they were just seeing if they got something or a 403 (which would likely indicate a patched machine).

/jgw
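An added example (not code from Garl, jgw or anyone else on the list) that does what Garl's cron job did, collecting the probing IPs from the access log, and shows what jgw is describing: the %%35c in the request is a double-encoded backslash, so once IIS decodes it a second time the path walks out of /scripts into \winnt\system32 and runs cmd.exe /c dir. The SAMPLE_LOG is constructed; only its first line is the one Jamie posted (re-joined where the mail wrapped it, and with the quotes Apache normally puts around the request field). The other two probe lines use two other encodings of the same traversal that the same family of scanners sends, added here as assumed variants.

```python
"""Spot IIS/Nimda-style probe requests in an Apache access log.

Added example for this thread, not code from any poster. SAMPLE_LOG below
is constructed for the demo.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache "common" log format. The request field is normally double-quoted,
# but the quotes are optional here because mail clients tend to strip them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"? '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators checked on the raw (undecoded) target.
DOUBLE_ENCODED = re.compile(r"%25[0-9a-f]{2}|%%[0-9a-f]{2}", re.I)  # %255c, %%35c
OVERLONG_UTF8 = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)             # %c0%af, %c1%9c

# Indicators checked after decoding, with backslashes normalised to '/'.
DECODED_SIGNS = [
    ("traversal", re.compile(r"\.\./")),
    ("winnt/system32", re.compile(r"/winnt/system32/", re.I)),
    ("cmd.exe", re.compile(r"cmd\.exe", re.I)),
]


def decode_twice(target: str) -> str:
    """Mimic the superfluous second decode that vulnerable IIS performs.

    unquote() leaves a malformed escape (the lone '%' in '%%35c') untouched
    and consumes only the inner '%35' -> '5', yielding '%5c'; the second
    pass turns that into a backslash.
    """
    return unquote(unquote(target))


def probe_indicators(target: str) -> List[str]:
    """Names of the IIS-exploit signatures present in one request target."""
    found = []
    if DOUBLE_ENCODED.search(target):
        found.append("double-encoded")
    if OVERLONG_UTF8.search(target):
        found.append("overlong-utf8")
    decoded = decode_twice(target).replace("\\", "/")
    found.extend(name for name, rx in DECODED_SIGNS if rx.search(decoded))
    return found


def extract_command(target: str) -> Optional[str]:
    """If the target runs 'cmd.exe /c <command>', return that command."""
    m = re.search(r"cmd\.exe\?/c\+(.+)$", decode_twice(target), re.I)
    return m.group(1).replace("+", " ") if m else None


def parse_line(line: str) -> Optional[dict]:
    """One common-log line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def report(log_text: str) -> Dict[str, dict]:
    """Per source IP: how many probe requests and which indicators fired."""
    hits: Dict[str, dict] = defaultdict(lambda: {"requests": 0, "indicators": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ind = probe_indicators(rec["target"])
        if not ind:
            continue
        hits[rec["ip"]]["requests"] += 1
        hits[rec["ip"]]["indicators"].update(ind)
    return dict(hits)


# Constructed sample: line 1 is the request from the original post; lines 2
# and 3 are assumed variants of the same probe; line 4 is ordinary traffic.
SAMPLE_LOG = """\
68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292
68.50.124.251 - - [20/Nov/2003:23:07:13 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
68.50.124.251 - - [20/Nov/2003:23:07:14 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [20/Nov/2003:23:08:01 -0500] "GET /index.html HTTP/1.1" 200 1043
"""

if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} probe(s), {dict(info['indicators'])}")
    print(extract_command("/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir"))
```

The double-encoding check is only an indicator, not proof: a legitimate URL can contain %25 (an escaped percent sign). The decoded-path checks are what make the verdict, and the 400 that Apache returned is itself the tell that the raw request was malformed, since %% is not a valid escape.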
Re: [eug-lug]webserver logs...
On Friday 21 November 2003 01:03 pm, Cory Petkovsek wrote:
: On Thu, Nov 20, 2003 at 11:23:27PM -0500, Linux Rocks! wrote:
: so... I've noticed this before in my webserver logs...
: 68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] GET
: /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 292
:
: Lots of viruses around the internet try and exploit IIS, let alone those
: with malicious intent. What to do about it? Ignore it, unless the
: bandwidth becomes a problem.

yeah... I wasn't sure if it was a virus, or port scanner (or similar type software). I don't really plan on bothering with doing something about it, but thought it was fun to think about possible ways to do something about it...

Jamie

:
: Cory

--
Eh, that's it, I guess. No 300 million dollar unveiling event for this kernel, I'm afraid, but you're still supposed to think of this as the happening of the century (at least until the next kernel comes along).
-- Linus, in the announcement for 1.3.27
Re: [eug-lug]webserver logs...
> yeah... I wasn't sure if it was a virus, or port scanner (or similar type software). I don't really plan on bothering with doing something about it, but thought it was fun to think about possible ways to do something about it...

If you want to ignore them, just set up some custom logging directives in Apache, you can find info here:

http://mail-archives.engardelinux.org/engarde-users/2002/Jan/0219.html

/jgw
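An added example of the kind of custom logging directive jgw mentions; it is not taken from the linked archive post or from any poster, and the log file paths are assumptions. With mod_setenvif you tag the probe requests and write them to their own file rather than dropping them, which keeps the record Ben wants while keeping the main access_log readable.

```apache
# Added example (not from the thread): tag IIS-style probes and split them
# into their own log instead of discarding them.
#
# Request_URI is matched against the request line as the client sent it,
# before any decoding, so encoded forms such as %%35c must be spelled out
# literally. Keep these at server level, not inside <Directory>: the %%35c
# request is rejected with 400 before any directory context is evaluated,
# and server-level SetEnvIf runs as soon as the request line is read.
SetEnvIfNoCase Request_URI "cmd\.exe"            iis_probe
SetEnvIfNoCase Request_URI "/winnt/system32/"    iis_probe
SetEnvIfNoCase Request_URI "%%35c|%255c|%c0%af"  iis_probe

# Log paths are assumptions; adjust to your ServerRoot layout.
CustomLog logs/access_log    combined env=!iis_probe
CustomLog logs/iis_probe_log combined env=iis_probe
```

The separate probe log is also what a cron job like Garl's would read: one file, every line already known to be a probe, so extracting and counting the source IPs is a one-liner.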
[eug-lug]webserver logs...
so... I've noticed this before in my webserver logs...

68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 292

so... looks like someone is scanning for a WinNT-based server they can exploit to me.. anyway, obviously it's not an actual problem, but I figured maybe some of you have had similar issues, and come up with creative solutions... like with iptables or something :)

Jamie
--
It's a bird.. It's a plane.. No, it's KernelMan, faster than a speeding bullet, to your rescue. Doing new kernel versions in under 5 seconds flat..
-- Linus, in the announcement for 1.3.27
Re: [eug-lug]webserver logs... (right on)
Anyone with an open port 80 on a static IP is likely to see loads of this crap. Yep, they're looking for an exploitable 'doze box.

I usually just ignore it... you can run host or dig on the IP if you're curious as to the origination; you could even feed the GET into your webserver to see exactly what error they got; but I have yet to see any cool creative solutions for this. It strikes me as a waste of resources to firewall the IP, since it is a silly request, but I think it would be interesting to hack up a tarpit for them -- like giving them something that looks like a command shell, to entice them -- in that case, one would also want to modify the system signature that they might get from nmap, etc... anyone else got some good notions on this?

Of note is that you might see multiple requests from the same IP, or from another in the same block. This tells you something about the nature of the attacker, but not a whole lot. Most I've seen come from overseas or dialups...

g'nitey!
Ben

On Thu, 20 Nov 2003 23:23:27 -0500
Linux Rocks ! [EMAIL PROTECTED] wrote:
| so... I've noticed this before in my webserver logs...
| 68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] GET
| /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 292
|
| so... looks like someone is scanning for a WinNT-based server they can
| exploit to me.. anyway, obviously it's not an actual problem, but I
| figured maybe some of you have had similar issues, and come up with
| creative solutions... like with iptables or something :)
|
| Jamie
Re: [eug-lug]webserver logs... (right on)
On Thursday 20 November 2003 11:30 pm, Ben Barrett wrote:
: Anyone with an open port 80 on a static IP is likely to see loads of
: this crap. Yep, they're looking for an exploitable 'doze box.
: I usually just ignore it...

I've noticed them before and usually ignore it... the only real nuisance is that they fill up log files with useless crap...

: you can run host or dig on the IP if you're

ohh.. I'm pretty sure they are users from the same ISP.

: curious as to the origination; you could even feed the GET into your
: webserver to see exactly what error they got; but I have yet to see any
: cool creative solutions for this. It strikes me as a waste of resources
: to firewall the IP, since it is a silly request, but I think it would be
: interesting to hack up a tarpit for them -- like giving them something
: that looks like a command shell, to entice them -- in that case, one
: would also want to modify the system signature that they might get from
: nmap, etc... anyone else got some good notions on this?

hmmm... interesting.. I like this idea... might be fun :) it got me thinking of what to send them... I was thinking a file full of 1's in a self-extracting exe would be fun. If their program executes this file to test it, what might happen if it extracts a file of ohh say a few terabytes of 1's ? how small will a compressed file of 1's be ?

I suppose I could be really malicious and send them a trojan...

or possibly there's something even more horrific that others might suggest?

: Of note is that you might see multiple requests from the same IP, or
: from another in the same block. This tells you something about the
: nature of the attacker, but not a whole lot. Most I've seen come from
: overseas or dialups...
:
: g'nitey!
: Ben
:
: On Thu, 20 Nov 2003 23:23:27 -0500
: Linux Rocks ! [EMAIL PROTECTED] wrote:
: | so... I've noticed this before in my webserver logs...
: | 68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] GET
: | /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 292
: |
: | so... looks like someone is scanning for a WinNT-based server they can
: | exploit to me.. anyway, obviously it's not an actual problem, but I
: | figured maybe some of you have had similar issues, and come up with
: | creative solutions... like with iptables or something :)
: |
: | Jamie

--
DOS: n., A small annoying boot virus that causes random spontaneous system crashes, usually just before saving a massive project. Easily cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS.
-- David Vicker's .plan