
Thread: apache logs

  1. #1

    apache logs

    I just started running a webserver which so far is pretty empty and it's only been up for 9 days but I keep getting this in my apache logs.

    Code:
    24.165.7.125 - - [16/Jan/2002:22:12:13 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
    24.165.7.125 - - [16/Jan/2002:22:12:13 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
    24.165.7.125 - - [16/Jan/2002:22:12:13 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
    24.165.7.125 - - [16/Jan/2002:22:12:14 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
    24.165.7.125 - - [16/Jan/2002:22:12:14 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280 "-" "-"
    24.165.7.125 - - [16/Jan/2002:22:12:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280 "-" "-"
    24.165.7.125 - - [16/Jan/2002:22:12:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
    24.165.7.125 - - [16/Jan/2002:22:12:15 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
    I never stayed up to date with all those IIS exploits but is that what's happening here? I've seen this script many times in my logs. There's about 3 log files of 1/2 meg after only 9 days with me only lightly using it. Is this a lot?
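An added example (not part of the original posts): a shell/awk triage of a combined-format access log that groups these cmd.exe/root.exe probes by client, encoding trick and status, and counts any that received a 2xx answer. The first four sample lines are copied from the log above, the last is a constructed benign request, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Triage an Apache combined-format log for the IIS traversal probes above.

# Sample input: four lines from the thread plus one constructed benign line.
sample_log() {
cat <<'EOF'
24.165.7.125 - - [16/Jan/2002:22:12:13 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
24.165.7.125 - - [16/Jan/2002:22:12:13 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
24.165.7.125 - - [16/Jan/2002:22:12:14 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280 "-" "-"
24.165.7.125 - - [16/Jan/2002:22:12:15 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
192.0.2.10 - - [16/Jan/2002:22:15:02 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
EOF
}

# Print "client kind status count" for every probe group.
# Whitespace-split fields: $1 = client, $7 = request path, $9 = status.
probe_summary() {
  awk '
  {
    path = tolower($7)
    if (path !~ /(cmd|root)\.exe/) next
    # %c0%af, %c1%9c and friends: overlong or malformed 2-byte UTF-8 for / and \
    if (path ~ /%c[01]%[0-9a-f][0-9a-f]/) kind = "utf8-trick"
    # %252f, %%35c and friends: a percent sign that survives one decoding pass
    else if (path ~ /%25|%%/) kind = "double-encoded"
    else kind = "plain"
    n[$1 " " kind " " $9]++
  }
  END { for (k in n) print k, n[k] }' "$@" | sort
}

# Count probes the server answered with 2xx; anything above 0 needs a look.
served_probes() {
  awk 'tolower($7) ~ /(cmd|root)\.exe/ && $9 ~ /^2/ { c++ } END { print c + 0 }' "$@"
}

sample_log | probe_summary
echo "probes answered with 2xx: $(sample_log | served_probes)"
```

Both functions also accept log file names as arguments in place of standard input.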

  2. #2
    Mentor coltrane's Avatar
    Join Date
    May 2001
    Location
    North Carolina
    Posts
    1,390

    Re: apache logs

    Yes. These are entries from either the "W32/Nimda worm" or the "Concept Virus (CV) v.5." trying to access your system. In regards to it affecting your system, with it being an .exe and you're running Linux, I don't think you have much to worry about.

    This is only an opinion.

    For more info
    http://www.cert.org/advisories/CA-2001-26.html

  3. #3
    Mentor coltrane's Avatar
    Join Date
    May 2001
    Location
    North Carolina
    Posts
    1,390

    Re: apache logs

    update: it's Nimda

  4. #4

    Re: apache logs

    I had no idea how much of this was going around. Especially for me running a webserver barely ever used on a crappy cable connection. There's also other variations like that with root.exe and some other ones.

  5. #5
    Mentor coltrane's Avatar
    Join Date
    May 2001
    Location
    North Carolina
    Posts
    1,390

    Re: apache logs

    I'm looking into it right now. But you should be ok. If you are still worried, then the best thing to do is to install and implement iptables and ipchains (others please correct me if I'm wrong).

    http://www.trusecure.com/html/tspub/...4_cid177.shtml

  6. #6

    Re: apache logs

    Nimda has only one effect on linux/unix/apache systems. It fills your logs up, that's it. IPchains/tables isn't going to help you at all with securing apache up, all apache communication goes through port 80, and you have to leave that open.

  7. #7

    Re: apache logs

    Quote:
    If you are still worried, then the best thing to do is to install and implement iptables and ipchains (others please correct me if I'm wrong).

    Dear God man!! SLAP YOURSELF RIGHT NOW!!!

    Then go install iptables immediately. Installing (and properly configuring) a firewall is never a bad idea, no matter what you are using your computer for.

    KP: Nope, you're wrong. As of kernel 2.4.9, iptables has the 'string' module, which will actually let you block all packets containing a certain string of text. You could easily use that to prevent Nimda attacks just by looking at what files Nimda tries to access, then preventing packets with those strings from getting in the firewall.

    Of course, Nimda will still make the connection to Apache, but after that everything is blocked and Nimda is forced to timeout because it doesn't get any response.
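The string-match approach described in the post above, as an added example that is not from the thread: it prints (or, with APPLY=1 as root, installs) rules that log and drop port-80 packets containing the file names the worm requests. The chain name NIMDA, the log prefix and the rate limit are assumptions, and current iptables releases require the --algo option shown here.

```shell
#!/bin/sh
# Build iptables string-match rules for the probe file names seen in the thread.
# Dry run by default: the rules are only printed. APPLY=1 (as root) installs them.

# File names taken from the thread; extend from your own logs (assumption).
PROBE_STRINGS="cmd.exe root.exe"

nimda_rules() {
  # Dedicated chain (hypothetical name): rate-limited log entry, then drop.
  echo 'iptables -N NIMDA'
  echo 'iptables -A NIMDA -m limit --limit 6/min -j LOG --log-prefix "nimda-probe: "'
  echo 'iptables -A NIMDA -j DROP'
  # One match rule per string, limited to inbound HTTP so other traffic
  # that happens to contain these bytes is left alone.
  for s in $PROBE_STRINGS; do
    printf 'iptables -A INPUT -p tcp --dport 80 -m string --string "%s" --algo bm -j NIMDA\n' "$s"
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  nimda_rules | sh
else
  nimda_rules
fi
```

The match runs per packet on raw bytes, so a request split across TCP segments or carried over TLS is not seen, and Apache keeps the already-accepted connection open until its own Timeout expires.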

  8. #8
    Mentor coltrane's Avatar
    Join Date
    May 2001
    Location
    North Carolina
    Posts
    1,390

    Re: apache logs

    I thought so, but didn't want to give the guy bad information

  9. #9

    Re: apache logs

    I was never worried about it, I just wondered if that was code red or one of these IIS worms. I'm also not stupid enough to keep all my ports open.

  10. #10

    Re: apache logs

    Why do people even bother running IIS? What a POS.
