IIS virus attacks

[cloverm]

My apache log is full of entries like this:

Code:

evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500]
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500]
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500]
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500]
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500]
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500]
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500]
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500]
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500]
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:18 -0500]
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"

I take it it is one of those : IIS : viruses. I was wondering if there was a way of fighting it back. Can I automatically block out IP addresses that send out this crap?

[Feztaa]

If you are using a kernel newer than 2.4.9, you can use the "string" module in your iptables rules that blocks packets with strings like that.

The only downside is that the worm will still establish a connection to your apache, it just won't be able to do anything after that. The connection will be forced to time out, which is kind of bad.

[Compunuts]

It's easier to just run a script with the cron and take out the log entires...... I've had plently of those ..... : :

[Killer_Penguin]

My apache log is full of entries like this:

Code:

evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500]
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500]
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:15 -0500]
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500]
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500]
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:16 -0500]
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500]
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500]
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:17 -0500]
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
evrtwa1-ar9-4-34-134-119.evrtwa1.vz.dsl.gtei.net - - [01/Mar/2002:10:04:18 -0500]
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"

I take it it is one of those : IIS : viruses. I was wondering if there was a way of fighting it back. Can I automatically block out IP addresses that send out this crap?

Evertwa1 eh? thats everett Washington... I've been hit by a few script kiddies from that node...

[Compunuts]

This is the reason why bigger pipe can actually be dangerous .... Those clueless people bring down many legitimate uses of high speed net .....

[Jeepsta]

Hey Cloverm,

I just ran through my logs here and i am getting those exact same entries..... They seem to be pretty consistant and coming from a variety of sources. > >

[ph34r]

I *still* get the original Code Red stuff in my logs...

Anyway, we know these machines are infected 'cause they are sending it out right? So just how does that exploit work anyway?

[cloverm]

I *still* get the original Code Red stuff in my logs...

Anyway, we know these machines are infected 'cause they are sending it out right? So just how does that exploit work anyway?

Well it starts with a stupid, careless guy who uses M$ software and calls himself "Administrator".

[Feztaa]

Well it starts with a stupid, careless guy who uses M$ software and calls himself "Administrator".

And with any luck at all, it ends with a stupid, careless guy who lives on the street because nobody will hire him.

[civ1492]

And with any luck at all, it ends with a stupid, careless guy who lives on the street because nobody will hire him.

maybe in a better future .. :-/