I just started running a webserver which so far is pretty empty and its only been up for 9 days but I keep getting this in my apache logs.
I never stayed up to date with all those IIS exploits but is that whats happening here? I've seen this script many times in my logs. Theres about 3 log files of 1/2 meg after only 9 days with me only lightly using it. Is this a lot?Code:24.165.7.125 - - [16/Jan/2002:22:12:13 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-" 24.165.7.125 - - [16/Jan/2002:22:12:13 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-" 24.165.7.125 - - [16/Jan/2002:22:12:13 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-" 24.165.7.125 - - [16/Jan/2002:22:12:14 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-" 24.165.7.125 - - [16/Jan/2002:22:12:14 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280 "-" "-" 24.165.7.125 - - [16/Jan/2002:22:12:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280 "-" "-" 24.165.7.125 - - [16/Jan/2002:22:12:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-" 24.165.7.125 - - [16/Jan/2002:22:12:15 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
Yes. These are entries from either the "W32/Nimda worm" or the "Concept Virus (CV) v.5." trying to access your system. In regards to it affecting your system, with it being an .exe and youre running LinuxI dont think you have much to worry about.
This is only an opinion.
For more info
http://www.cert.org/advisories/CA-2001-26.html
update: its Nimda
i had no idea how much of this was going around. Especially for me running a webserver barely ever used on crappy cable connection. Theres also other variations like that with root.exe and some other ones.
im looking into it right now. But you should ok. If you are still worried, then the best thing to do is to install and implement iptables and ipchains (others please correct me if Im wrong).
http://www.trusecure.com/html/tspub/...4_cid177.shtml
Nimda has only one effect on linux/unix/apache systems. It fills your logs up, that's it. IPchains/tables isnt' going to help you at all with securing apache up, all apache communication goes through port 80, and you have to leave that open.
Dear God man!! SLAP YOURSELF RIGHT NOW!!!If you are still worried, then the best thing to do is to install and implement iptables and ipchains (others please correct me if Im wrong).
Then go install iptables immediately. Installing (and properly configuring) a firewall is never a bad idea, no matter what you are using your computer for.
KP: Nope, you're wrong. As of kernel 2.4.9, iptables has the 'string' module, which will actually let you block all packets containing a certain string of text. You could easily use that to prevent Nimda attacks just by looking at what files Nimda tries to access, then preventing packets with those strings from getting in the firewall.
Of course, Nimda will still make the connection to Apache, but after that everything is blocked and Nimda is forced to timeout because it doesn't get any response.
i thought so, but didnt want to give the guy bad information
i was never worried about it I just wondered if that was code red or one of these IIS worms. I'm also not stupid enough to keep all my ports open.
Posting Permissions
Reply With Quote
Bookmarks