The UNIX and Linux Forums, Security forum
#1, 10-01-2001, eddie (Registered User; joined Aug 2001; Ontario, Canada; 20 posts)
Thread: /var/log/httpd/access_log

Yesterday I happened to check /var/log/httpd/access_log and found some funny things like these:

209.127.62.159 - - [30/Sep/2001:21:23:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
209.127.62.159 - - [30/Sep/2001:21:23:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:14 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265

Obviously, the access treated my machine like NT/IIS. As we can see from the log, it was trying harder and harder. If I had not shut down port 80, it would have created hundreds of lines in the log file. I also checked the logs of the past 3 months; there are about 200 tries of this kind from various ranges of IP addresses.

I think this is apparently a virus attack. Has anybody here ever found such a log? I just dialed up to the Internet and the connection lasted for about 30 minutes, and I got this attack. I would keep my httpd closed. Thank God my system is Linux, not NT.

Last edited by eddie; 10-01-2001 at 06:50 PM.
#2, 10-01-2001, Neo (Administrator, Forum Staff; joined Sep 2000; Asia Pacific; 6,668 posts)
This is like the Nimda virus, or a variant of it. The world has been getting hammered by it for some time. However, since we are !NT, no problem, just an annoyance.

This link might be interesting to read:

http://www.net-security.org/text/pre...9,63447,.shtml

This is also a good link:

http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
#3, 10-01-2001, loadc (Registered User; joined Sep 2001; 40 posts)
Nimda@home, the search for intelligence on the internet

If you've got some spare processor lying around and the bandwidth to go with it, there are some scripts out there that will scan your logs, take the IPs of the infected scanners, resolve them, and then send off a mail to their ISP or whoever, informing them of the machine's condition.

loadc
#4, 10-02-2001, LivinFree (Forum Advisor, Goober Extraordinaire; joined Jul 2001; Portland, OR, USA; 1,584 posts)
Yeah, those logs could be not only Nimda, but a "Code Red" variant, or somebody scanning like heck trying to break into a server that Code Red already rooted. If they're from similar (or the same) IP addresses, it's most likely somebody in your subnet is affected. I think Nimda only scans the 16 addresses above and below theirs (I may be confusing this with another worm, though).
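The log scan that eddie did by eye in post #1 and that loadc describes scripting in post #3, written out as an added example (this is not code from the thread or from any of the posters). It parses Apache common-log-format lines, flags the request fragments used by Nimda and Code Red II, decodes each flagged path the way the vulnerable IIS did so you can see the `..\..` traversal hidden behind `%255c` and `%c1%1c`, and summarises the probes per source address, which is the data you would want before resolving the address and mailing its ISP (the DNS lookup and the mail are left out). The sample input is constructed: the eight lines eddie posted plus two made-up lines from the 192.0.2.0/24 documentation range, one benign and one using the `%c0%af` traversal encoding, which Nimda also sent but which is not in the posted log. The extra traversal encodings in the signature table are likewise a generalisation beyond the posted lines.

```python
"""Flag Nimda / Code Red style IIS probes in an Apache access_log.

Added example, not code from the thread. Sample lines: eddie's eight posted
requests plus two constructed lines (192.0.2.0/24 is a documentation range).
This worm family only exploits IIS, so on Apache every probe should be a 404;
served_probes() flags anything that was not.
"""
import re
import urllib.parse
from collections import Counter, defaultdict

# Apache common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Lower-case request fragments used by Nimda / Code Red II. The entries after
# the first two are traversal encodings that IIS of the day decoded into a
# backslash or slash; %252f, %c1%9c, %c0%af and %c0%2f are Nimda variants that
# are not in the posted log (added here as a generalisation).
SIGNATURES = {
    "root.exe": "root.exe backdoor left by Code Red II",
    "/winnt/system32/cmd.exe": "direct cmd.exe request",
    "%255c": "double-encoded backslash (%255c -> %5c -> \\)",
    "%252f": "double-encoded slash (%252f -> %2f -> /)",
    "%c1%1c": "overlong UTF-8 backslash (IIS Unicode bug)",
    "%c1%9c": "overlong UTF-8 backslash (IIS Unicode bug)",
    "%c0%af": "overlong UTF-8 slash (IIS Unicode bug)",
    "%c0%2f": "overlong UTF-8 slash (IIS Unicode bug)",
}


def iis_style_decode(path):
    """Decode a request path the way the vulnerable IIS did.

    Percent-decode twice (the double-decoding bug), then fold each two-byte
    UTF-8 lead byte with whatever follows it into one character, even when the
    second byte is not a legal continuation byte (that leniency is the Unicode
    bug). A detection aid, not a faithful reimplementation of IIS.
    """
    once = urllib.parse.unquote_to_bytes(path)    # %255c -> %5c, %c1%1c -> C1 1C
    twice = urllib.parse.unquote_to_bytes(once)   # %5c -> backslash
    out = bytearray()
    i = 0
    while i < len(twice):
        b = twice[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(twice):
            out.append(((b & 0x1F) << 6) | (twice[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def classify(path):
    """Return the description of every signature present in the request path."""
    low = path.lower()
    return [desc for frag, desc in SIGNATURES.items() if frag in low]


def scan(lines):
    """Return (hits, per_ip): the flagged requests and a per-source summary."""
    hits = []
    per_ip = defaultdict(lambda: {"probes": 0, "statuses": Counter(),
                                  "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a common-log-format line
        reasons = classify(m["path"])
        if not reasons:
            continue                      # ordinary request
        ip, status = m["ip"], int(m["status"])
        hits.append({"ip": ip, "time": m["time"], "status": status,
                     "path": m["path"], "decoded": iis_style_decode(m["path"]),
                     "reasons": reasons})
        s = per_ip[ip]
        s["probes"] += 1
        s["statuses"][status] += 1
        s["first"] = s["first"] or m["time"]
        s["last"] = m["time"]
    return hits, dict(per_ip)


def served_probes(hits):
    """Probes that did not fail: on Apache a 2xx/3xx for these paths means the
    path really exists on the box and needs a look."""
    return [h for h in hits if h["status"] < 400]


def report(per_ip):
    """One line per scanning host, busiest first."""
    rows = []
    for ip, s in sorted(per_ip.items(), key=lambda kv: -kv[1]["probes"]):
        st = " ".join(f"{k}x{v}" for k, v in sorted(s["statuses"].items()))
        rows.append(f"{ip:<16} {s['probes']:>3} probes  {s['first']} .. {s['last']}  status {st}")
    return "\n".join(rows)


# Constructed sample: the posted lines, then two made-up ones.
SAMPLE_LOG = """\
209.127.62.159 - - [30/Sep/2001:21:23:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
209.127.62.159 - - [30/Sep/2001:21:23:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:14 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
192.0.2.10 - - [30/Sep/2001:21:25:02 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [30/Sep/2001:21:31:40 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 230
""".splitlines()

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['status']} {h['path']}")
        print(f"    -> {h['decoded']}  [{'; '.join(h['reasons'])}]")
    print(report(per_ip))
    print("served probes:", served_probes(hits))
```

Run against a real access_log with `scan(open("/var/log/httpd/access_log"))`. The decoded column is the useful part: `/scripts/..%255c../winnt/system32/cmd.exe` and `/scripts/..%c1%1c../winnt/system32/cmd.exe` both come out as `/scripts/..\../winnt/system32/cmd.exe`, which is why the worm sends so many spellings of the same request; each one is aimed at a different decoder bug in IIS, and none of them means anything to Apache, which is why every status in the posted log is 404.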