Security Discuss UNIX and Linux computer and network security, cyber security, cyber attacks, IT security, and more.
10-01-2001, eddie (Registered User, Ontario, Canada)
/var/log/httpd/access_log

Yesterday I happened to check /var/log/httpd/access_log and found some funny things like these:

- - [30/Sep/2001:21:23:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
- - [30/Sep/2001:21:23:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
- - [30/Sep/2001:21:23:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
- - [30/Sep/2001:21:23:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
- - [30/Sep/2001:21:23:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
- - [30/Sep/2001:21:23:13 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
- - [30/Sep/2001:21:23:13 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
- - [30/Sep/2001:21:23:14 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265

Obviously, the access treated my machine like NT/IIS. As we can see from the log, it was trying harder and harder. If I had not shut down port 80, it would have created hundreds of lines in the log file. I also checked the logs of the past 3 months; there are about 200 tries of this kind from various ranges of IP addresses.

I think this is apparently a virus attack. Has anybody here ever found such logs? I just dialed up to the Internet, the connection lasted for about 30 minutes, and I got this attack. I will keep my httpd closed. Thank god, my system is Linux, not NT.

Last edited by eddie; 10-01-2001 at 06:50 PM.

10-01-2001, Neo (Forum Staff, Asia Pacific region)
This is like the Nimda virus, or a variant of it. The world has been getting hammered by it for some time. However, since we are !NT, no problem, just an annoyance.

This link might be interesting to read:


This is also a good link:

10-01-2001, loadc (Registered User)
Nimda@home, the search for intelligence on the internet

If you've got some spare processor lying around and the bandwidth to go with it, there are some scripts out there that will scan your logs, take the IPs of the infected scanners, resolve them, and then send off a mail to their ISP or whoever, and inform them of the machine's condition.....
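The kind of log-scanning script loadc mentions, as an added example that is not from the thread or any of the posters: it parses Apache common-log-format lines, flags requests carrying the IIS probe markers seen in eddie's log (root.exe, cmd.exe via traversal, the %255c and %c1%1c encoded "..\" sequences), and tallies probes per source address, noting whether every probe failed with a 404. The sample lines and their RFC 5737 source addresses are constructed for the example; the thread's own log has the addresses stripped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache common log format. Source IPs are
# RFC 5737 documentation addresses, not the addresses from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Sep/2001:21:23:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [30/Sep/2001:21:23:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
192.0.2.10 - - [30/Sep/2001:21:23:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
198.51.100.7 - - [30/Sep/2001:21:25:01 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [30/Sep/2001:21:25:03 -0400] "GET /msadc/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
"""

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markers of the IIS probes quoted in the thread: the worm's dropped root.exe,
# cmd.exe reached by directory traversal, and the double-encoded / overlong
# UTF-8 "..\" sequences (%255c, %c1%1c) that vulnerable IIS decoded into a path separator.
PROBE_MARKERS = ("root.exe", "/winnt/system32/cmd.exe", "%255c", "%c1%1c")

def is_iis_probe(request_path: str) -> bool:
    """True when the request path carries any Nimda/Code Red-style marker."""
    lowered = request_path.lower()
    return any(marker in lowered for marker in PROBE_MARKERS)

def scan_access_log(text: str) -> dict:
    """Return {ip: (probe_count, all_probes_returned_404)} for each probing source."""
    hits = Counter()
    non_404 = defaultdict(int)  # probes that did NOT fail: worth a closer look
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        parts = m.group("req").split(" ")
        path = parts[1] if len(parts) >= 2 else parts[0]
        if is_iis_probe(path):
            hits[m.group("ip")] += 1
            if m.group("status") != "404":
                non_404[m.group("ip")] += 1
    return {ip: (n, non_404[ip] == 0) for ip, n in hits.items()}

if __name__ == "__main__":
    for ip, (count, all_404) in scan_access_log(SAMPLE_LOG).items():
        print(f"{ip}: {count} probe(s), all returned 404: {all_404}")
```

On a Linux Apache host every such probe should be a 404; a probing source with a non-404 entry is the one to investigate first.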

10-02-2001, LivinFree (Forum Advisor, Goober Extraordinaire, Portland, OR, USA)
Yeah, those logs could be not only Nimda, but a "Code Red" variant, or somebody scanning like heck trying to break into a server that Code Red already rooted. If they're from similar (or the same) IP addresses, it's most likely somebody in your subnet affected - I think Nimda only scans the 16 addresses above and below theirs (I may be confusing this with another worm, though).