[Gllug] Apache Logs
will
will at hellacool.co.uk
Tue Jan 15 17:54:36 UTC 2002
t.clarke wrote:
> ---------------------------------------
> Message from:-
> Tim Clarke (tim at seacon.co.uk)
> Seacon Holdings plc Group, London, U.K.
> Telephone: +44 (0)1474 320000
> Fax: +44 (0)1474 329946
> ---------------------------------------
>
> Hi
>
> Firstly, sorry, the 'TCP' message was sent in error - this was an old
> throw-away message-file I sent in error !
>
> The real message:-
> ----------------
>
>
> I am hoping someone can throw some light on the following messages which
> are appearing horribly regularly in our Apache error_log, from various IP
> addresses (although the samples below are all within a few minutes and from
> the same IP address shown).
>
> I presume somebody is attempting to use some kind of 'backdoor' to get control
> of the machine upon which our apache server runs (Linux, of course !!).
> I also presume/hope that no damage is being done, other than filling up our
> log-files !
>
> Questions:
>
> 1) Is it realistic/possible to do a reverse look-up on the IP address and fire
> off a suitable email to the ISP/organisation that 'owns' it ??
>
> 2) Since most of the non-existent files seem to be within winnt and scripts
> sub-directories, can I get apache to do something like re-direct to
> a suitable 'bugger-off' web page after a 60-second 'wait'?
>
> 3) If the requests can be pinned down to a limited range of IP addresses,
> would it be realistic to simply DENY them within the filter rules ?
>
>
> Any helpful comments appreciated.
>
> Regards
>
> Tim
>
> ----
>
>
>
>
>
> [Tue Jan 15 15:47:30 2002] [error] [client 195.24.198.7]
> File does not exist: /usr/local/apache/htdocs/
>
> usr/local/apache/htdocs/scripts/root.exe
> MSADC/root.exe
> c/winnt/system32/cmd.exe
> d/winnt/system32/cmd.exe
> scripts/..%5c../winnt/system32/cmd.exe
> _vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> _mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe
> scripts/..../winnt/system32/cmd.exe
> scripts/..../winnt/system32/cmd.exe
> scripts/..../winnt/system32/cmd.exe
> scripts/..%5c../winnt/system32/cmd.exe
> scripts/..%2f../winnt/system32/cmd.exe
That looks like Nimda:
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
Something like the following location matches might help:
<LocationMatch .*cmd.exe>
SetHandler drop-handler
</LocationMatch>
<LocationMatch .*root.exe>
SetHandler drop-handler
</LocationMatch>
<LocationMatch /scripts/\.\.>
SetHandler drop-handler
</LocationMatch>
<LocationMatch /MSADC/[Arc]>
SetHandler drop-handler
</LocationMatch>
<LocationMatch /msadc/[\.Arc]>
SetHandler drop-handler
</LocationMatch>
<LocationMatch /c/winnt>
SetHandler drop-handler
</LocationMatch>
<LocationMatch /d/winnt>
SetHandler drop-handler
</LocationMatch>
Will.
--
*claw claw* *fang*
*shred* *rip* *ad hominem* *slash*
(more attacks will require consultancy fees.)
-Nix.
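Will's LocationMatch blocks work on the request path regardless of where it comes from. The other half of Tim's questions (1 and 3) is finding which source addresses are sending the probes. The script below is an added illustration for this thread, not code from the original post: it parses Apache 1.3-style error_log lines (and common-log access_log lines), decodes the %5c / %255c / '....' traversal variants, flags requests that resolve to the root.exe or winnt/system32/cmd.exe targets Nimda probes for, and tallies them per client IP. The sample log lines are constructed to mirror the ones Tim posted; the hit threshold and the 192.0.2.x addresses are assumptions.

```python
"""Flag Nimda-style probes in Apache logs and tally them per client IP.

Added example for this thread. SAMPLE_LOG is constructed (modelled on the
lines in Tim's post); the min_hits threshold is an assumed default.
"""
import re
import urllib.parse
from collections import defaultdict

# Apache 1.3 error_log: [date] [error] [client IP] File does not exist: PATH
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)"
)
# Common log format access_log: IP - - [ts] "GET /path HTTP/1.0" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# What the worm is after: the root.exe backdoor left in /scripts and /MSADC,
# and cmd.exe reached by directory traversal. Checked on the decoded path.
PROBE_TARGETS = ("winnt/system32/cmd.exe", "root.exe")


def decode_path(raw):
    """Normalise a requested path the way the worm hopes IIS will:
    drop the query string, URL-decode repeatedly (%255c is a double-encoded
    backslash), treat backslashes as '/', and collapse '....' to '..'."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # enough rounds for the double-encoded variants
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = re.sub(r"\.{3,}", "..", path)
    path = re.sub(r"/+", "/", path)
    return path.lower()


def is_nimda_probe(raw_path):
    """True when the decoded path ends in one of the worm's targets."""
    return decode_path(raw_path).endswith(PROBE_TARGETS)


def parse_line(line):
    """Return (client_ip, requested_path) or None for unrecognised lines."""
    m = ERROR_LINE.match(line) or ACCESS_LINE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path")


def tally_probes(lines):
    """Map client IP -> list of raw probe paths seen from it."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line.rstrip("\n"))
        if parsed and is_nimda_probe(parsed[1]):
            hits[parsed[0]].append(parsed[1])
    return dict(hits)


def candidate_sources(lines, min_hits=3):
    """IPs with at least min_hits probes: the list to reverse-look-up and
    report (question 1) or to put in a deny rule (question 3). Caveat: the
    sender is itself an infected host, so the complaint goes to its owner,
    and a deny rule covers only that one source."""
    return sorted(ip for ip, paths in tally_probes(lines).items()
                  if len(paths) >= min_hits)


# Constructed sample: three probes from one host, one double-encoded probe
# from another, plus two harmless requests.
SAMPLE_LOG = """\
[Tue Jan 15 15:47:30 2002] [error] [client 195.24.198.7] File does not exist: /usr/local/apache/htdocs/scripts/root.exe
[Tue Jan 15 15:47:31 2002] [error] [client 195.24.198.7] File does not exist: /usr/local/apache/htdocs/MSADC/root.exe
[Tue Jan 15 15:47:32 2002] [error] [client 195.24.198.7] File does not exist: /usr/local/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Jan 15 15:47:40 2002] [error] [client 192.0.2.5] File does not exist: /usr/local/apache/htdocs/favicon.ico
192.0.2.9 - - [15/Jan/2002:15:48:01 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
192.0.2.9 - - [15/Jan/2002:15:48:02 +0000] "GET /index.html HTTP/1.0" 200 1024
"""

if __name__ == "__main__":
    for ip, paths in tally_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(paths)} probe(s)")
    print("candidates:", candidate_sources(SAMPLE_LOG.splitlines()))
```

Run it against the real file with `tally_probes(open("/usr/local/apache/logs/error_log"))`. The decoding step matters: a plain `grep cmd.exe` misses nothing in Tim's sample, but a pattern written for `%5c` misses the `%255c` and `....` spellings the worm also sends, which is why the check is made on the normalised path rather than the raw one.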
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug