Strange HTTPD log listing


Post by Doug Holt » Sat, 02 Jun 2001 01:50:40



Good Day;

I have a strange log listing in my httpd/access_log file.  It's from an IP
address in New York.  On the surface it appears that someone has downloaded
all my scripts with a NT machine running cmd.exe.  Or it's a machine trying
to run a command.  Please advise opinions.

64.221.120.254 - - [31/May/2001:02:50:36 -0500] "get/scripts/..%c0%af
..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..
/winnt/system32/cmd.exe?/c%20dir"

I'm running redhat 7.0 and apache web server for a family home page.

TNX
--
Doug Holtz

 
 
 


Post by nord » Sat, 02 Jun 2001 02:26:53



> I have a strange log listing in my httpd/access_log file.  It's from an IP
> address in New York.  On the surface it appears that someone has
> downloaded
> all my scripts with a NT machine running cmd.exe.  Or it's a machine
> trying
> to run a command.  Please advise opinions.

It's a machine trying to run a command.

> 64.221.120.254 - - [31/May/2001:02:50:36 -0500] "get/scripts/..%c0%af
> ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..
> /winnt/system32/cmd.exe?/c%20dir"
> I'm running redhat 7.0 and apache web server for a family home page.

That looks very much like someone tried to break into your system using an
exploit of the cmd.exe program. As the requested url shows, the attacker
expected a Windows NT system, so he did not get in. Lucky you!

nordi

--
Linux - Less bugs for less bucks!

Visit http://private.addcom.de/nordi

 
 
 


Post by Shaun Bogg » Sat, 02 Jun 2001 02:06:54


Doug,

They are trying to exploit a problem in IIS that allows a malformed request
sent to the web server to return file access to the attacker.  If you
are running Linux with Apache, you should not worry.

Shaun Boggs
Network Engineer


> Good Day;

> I have a strange log listing in my httpd/access_log file.  It's from an IP
> address in New York.  On the surface it appears that someone has
> downloaded
> all my scripts with a NT machine running cmd.exe.  Or it's a machine
> trying
> to run a command.  Please advise opinions.

> 64.221.120.254 - - [31/May/2001:02:50:36 -0500] "get/scripts/..%c0%af
> ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..
> /winnt/system32/cmd.exe?/c%20dir"

> I'm running redhat 7.0 and apache web server for a family home page.

> TNX
> --
> Doug Holtz

 
 
 


Post by Ian Jone » Sat, 02 Jun 2001 04:05:20


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> > 64.221.120.254 - - [31/May/2001:02:50:36 -0500] "get/scripts/..%c0%af
> > ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..
> > /winnt/system32/cmd.exe?/c%20dir"
> > I'm running redhat 7.0 and apache web server for a family home page.

> That looks very much like someone tried to break into your system using
> an  exploit of the cmd.exe program. As the requested url shows, the
> attacker  expected a Windows NT system, so he did not get in. Lucky you!

I wouldn't worry about it...if the dolt can't even figure out that you are
not running IIS, she couldn't do much damage if she did manage to stumble
into your system using some other exploit.

BTW, the above was an attempt to perform a directory traversal:
http://www.whitehats.com/info/ids433

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.

iQA/AwUBOxaV7cAVSpfzXItKEQI4VwCfUuUYfUTSWqTQomWTeapp03e5eh0An2sX
JpFfEeynqdzzD7fKghiItcfD
=fsPM
-----END PGP SIGNATURE-----
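The log line Ian identifies as a directory-traversal attempt can be spotted automatically by a small access_log scanner. The code below is an added example, not code from any post in this thread nor from the whitehats IDS entry it links. It rebuilds the thread's entry into a proper common-log-format line (newsreader line-wrapping removed; the protocol, status and size fields are constructed), adds two constructed lines, decodes the request path the lenient way a vulnerable server would (accepting the overlong %c0%af form of "/"), normalizes it, and reports when it climbs above the document root or ends in cmd.exe. It goes beyond the thread's single entry by also handling plain and percent-encoded "../" segments.

```python
"""Flag directory-traversal attempts, including the overlong-UTF-8 ('%c0%af')
form from the thread, in Apache access_log lines.  Added example, not code
from the original posts."""
import re
from urllib.parse import unquote_to_bytes

# Apache common/combined log format prefix:
#   host ident user [time] "METHOD URI PROTO" status bytes ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}|-) (?P<size>\d+|-)'
)

# Constructed sample log.  The first line is the thread's entry with the
# newsreader wrapping removed and the protocol/status/size fields filled in
# as they would appear in a real access_log; the other two lines are made up.
SAMPLE_LOG = (
    '64.221.120.254 - - [31/May/2001:02:50:36 -0500] "GET /scripts/'
    '..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..'
    '/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 290\n'
    '192.0.2.7 - - [31/May/2001:03:12:01 -0500] "GET /photos/index.html HTTP/1.1" 200 4821\n'
    '192.0.2.9 - - [31/May/2001:03:40:55 -0500] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 211\n'
)


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8, additionally accepting non-shortest-form ('overlong')
    2- and 3-byte sequences such as C0 AF (slash) and C1 9C (backslash).
    Strict decoders reject these; the IIS flaw discussed in the thread is
    that the path check ran before such bytes were turned into separators."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3])):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F))); i += 3
        else:
            out.append('\ufffd'); i += 1   # stray byte: substitute and keep going
    return ''.join(out)


def canonicalize(uri: str):
    """Return (normalized path, number of '..' steps that climbed above the
    document root).  The query string is dropped; backslashes count as '/'."""
    raw = unquote_to_bytes(uri.split('?', 1)[0])
    text = lenient_utf8(raw).replace('\\', '/')
    stack, escapes = [], 0
    for seg in text.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if stack:
                stack.pop()
            else:
                escapes += 1
        else:
            stack.append(seg)
    return '/' + '/'.join(stack), escapes


def classify(line: str):
    """Parse one access_log line and return a dict with the reasons it is
    suspicious (an empty list means nothing was flagged); None if unparseable."""
    m = CLF_RE.match(line)
    if not m:
        return None
    uri = m.group('uri')
    raw = unquote_to_bytes(uri.split('?', 1)[0])
    reasons = []
    if any(b in (0xC0, 0xC1) for b in raw):
        reasons.append('overlong UTF-8 sequence in path')
    path, escapes = canonicalize(uri)
    if escapes:
        reasons.append(f'path climbs {escapes} level(s) above the document root')
    if path.lower().endswith('/cmd.exe'):
        reasons.append('request targets cmd.exe')
    return {'host': m.group('host'), 'method': m.group('method'),
            'path': path, 'status': m.group('status'), 'reasons': reasons}


def scan(log_text: str):
    """Return the classification of every line that was flagged."""
    hits = []
    for line in log_text.splitlines():
        info = classify(line)
        if info and info['reasons']:
            hits.append(info)
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['host']} {hit['method']} {hit['path']} -> {hit['status']}: "
              + '; '.join(hit['reasons']))
```

The status field is worth reading alongside the flags: an Apache 404 for such a request, as in this thread, means the server served nothing, so the scanner tells you that you were scanned, not that anything was reached.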

 
 
 


Post by Doug Holt » Sat, 02 Jun 2001 04:52:04


Thanks to all who replied.  I thought I was OK, but one can't be too sure.

D


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1


> > > 64.221.120.254 - - [31/May/2001:02:50:36 -0500] "get/scripts/..%c0%af
> > > ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..%c0%af ..
> > > /winnt/system32/cmd.exe?/c%20dir"
> > > I'm running redhat 7.0 and apache web server for a family home page.

> > That looks very much like someone tried to break into your system using
> > an  exploit of the cmd.exe program. As the requested url shows, the
> > attacker  expected a Windows NT system, so he did not get in. Lucky you!

> I wouldn't worry about it...if the dolt can't even figure out that you are
> not running IIS, she couldn't do much damage if she did manage to stumble
> into your system using some other exploit.

> BTW, the above was an attempt to perform a directory traversal:
> http://www.whitehats.com/info/ids433

> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
> Comment: Making the world safe for geeks.

> iQA/AwUBOxaV7cAVSpfzXItKEQI4VwCfUuUYfUTSWqTQomWTeapp03e5eh0An2sX
> JpFfEeynqdzzD7fKghiItcfD
> =fsPM
> -----END PGP SIGNATURE-----

 
 
 
