[Gllug] Re: [Gllug] Apache Logs

Xander D Harkness xander at harkness.co.uk
Tue Jan 15 17:59:36 UTC 2002


> t.clarke wrote:
>
>> ---------------------------------------
>> Message from:-
>> Tim Clarke  (tim at seacon.co.uk)
>> Seacon Holdings plc Group, London, U.K.
>> Telephone: +44 (0)1474 320000
>>       Fax: +44 (0)1474 329946
>> ---------------------------------------
>>
>> Hi
>>
>> Firstly, sorry, the 'TCP' message was sent in error - this was an old
>> throw-away message-file I sent in error!
>>
>> The real message:-
>> ----------------
>>
>>
>> I am hoping someone can throw some light on the following messages
>> which are appearing horribly regularly in our Apache error_log, from
>> various IP addresses (although the samples below are all within a few
>> minutes and from the same IP address shown).
>>
>> I presume somebody is attempting to use some kind of 'backdoor' to get
>> control of the machine upon which our apache server runs (Linux, of
>> course !!). I also presume/hope that no damage is being done, other
>> than filling up our log-files!
>>
>> Questions:
>>
>> 1) Is it realistic/possible to do a reverse look-up on the IP address
>> and fire off a suitable email to the ISP/organisation that 'owns' it
>> ??
>>
>> 2) Since most of the non-existent files seem to be within winnt and
>> scripts sub-directories, can I get apache to do something like
>> re-direct to a suitable 'buggar-off' web page after a 60-second 'wait'?
>>
>> 3) If the requests can be pinned down to a limited range of IP
>> addresses, would it be realistic to simply DENY them within the filter
>> rules ?
>>
>>
>> Any helpful comments appreciated.
>>
>> Regards
>>
>> Tim
>>
>> ----
>>
>>
>>
>>
>>
>> [Tue Jan 15 15:47:30 2002] [error] [client 195.24.198.7]
>>  File does not exist:  /usr/local/apache/htdocs/
>>
>> usr/local/apache/htdocs/scripts/root.exe
>> MSADC/root.exe
>> c/winnt/system32/cmd.exe
>> d/winnt/system32/cmd.exe
>> scripts/..%5c../winnt/system32/cmd.exe
>> _vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
>> _mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
>> msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe
>> scripts/..../winnt/system32/cmd.exe
>> scripts/..../winnt/system32/cmd.exe
>> scripts/..../winnt/system32/cmd.exe
>> scripts/..%5c../winnt/system32/cmd.exe
>> scripts/..%2f../winnt/system32/cmd.exe
>
>
> That looks like Nimda:
>
> http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
>
> Something like the following location matches might help:
>
>
> <LocationMatch .*cmd.exe>
> SetHandler drop-handler
> </LocationMatch>
>
>
> <LocationMatch .*root.exe>
> SetHandler drop-handler
> </LocationMatch>
>
>
> <LocationMatch /scripts/\.\.>
> SetHandler drop-handler
> </LocationMatch>
>
>
> <LocationMatch /MSADC/[Arc]>
> SetHandler drop-handler
> </LocationMatch>
>
>
> <LocationMatch /msadc/[\.Arc]>
> SetHandler drop-handler
> </LocationMatch>
>
>
> <LocationMatch /c/winnt>
> SetHandler drop-handler
> </LocationMatch>
>
>
> <LocationMatch /d/winnt>
> SetHandler drop-handler
> </LocationMatch>
>
>
> Will.
>

I was told that, rather than send this back to the originators, dnuk.com have
modified Apache to refer all such requests to http://www.microsoft.com

Now if everyone did that they might think about fixing their errors a little
faster :-)

Cheers
Xander


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
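The log lines Tim posted are the classic Nimda / Code Red II probe set (cmd.exe and root.exe requests with `..%5c`, `..%2f` and `....` traversal). Before deciding whether to deny a client (his question 3) it helps to pull the probing IPs out of error_log mechanically rather than by eye. The script below is an added example, not code from this thread or from dnuk.com: it parses Apache 1.3-style "File does not exist" lines, decodes the percent-encoding so the traversal variants are not missed, tags each path with the rule it hits, and lists client IPs that exceed a threshold. The sample log is constructed from the paths in Tim's message (same IP, plus one harmless request from a made-up second client); the rule names and the threshold of 5 are my own assumptions.

```python
"""Detection example: find Nimda-style probes in an Apache error_log.

Added example for the GLLUG thread; not code from the thread itself.
The sample lines are constructed from the paths posted in the thread.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache 1.3 error_log format: [date] [error] [client IP] File does not exist: PATH
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\]\s+"
    r"File does not exist:\s+(?P<path>\S+)$"
)

# Rules characterising the probe set seen in the thread (names are my choice).
PROBE_RULES = {
    "cmd.exe": re.compile(r"/winnt/system32/cmd\.exe$", re.I),
    "root.exe": re.compile(r"/root\.exe$", re.I),
    "traversal": re.compile(r"\.\./"),
}

# Constructed sample: Tim's IP and paths, plus one benign request from 192.0.2.10.
SAMPLE_LOG = """\
[Tue Jan 15 15:47:30 2002] [error] [client 195.24.198.7] File does not exist:  /usr/local/apache/htdocs/scripts/root.exe
[Tue Jan 15 15:47:31 2002] [error] [client 195.24.198.7] File does not exist:  /usr/local/apache/htdocs/MSADC/root.exe
[Tue Jan 15 15:47:32 2002] [error] [client 195.24.198.7] File does not exist:  /usr/local/apache/htdocs/c/winnt/system32/cmd.exe
[Tue Jan 15 15:47:33 2002] [error] [client 195.24.198.7] File does not exist:  /usr/local/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Jan 15 15:47:34 2002] [error] [client 195.24.198.7] File does not exist:  /usr/local/apache/htdocs/scripts/..../winnt/system32/cmd.exe
[Tue Jan 15 15:47:35 2002] [error] [client 195.24.198.7] File does not exist:  /usr/local/apache/htdocs/scripts/..%2f../winnt/system32/cmd.exe
[Tue Jan 15 15:47:40 2002] [error] [client 192.0.2.10] File does not exist:  /usr/local/apache/htdocs/favicon.ico
"""


def classify_path(raw_path):
    """Return the rule names a requested path matches, in PROBE_RULES order.

    Percent-encoding is decoded twice (so %255c as well as %5c is seen) and
    backslashes are normalised to '/', so '..%5c..' and '..%2f..' both
    become '../../' before the traversal rule is applied.
    """
    decoded = unquote(unquote(raw_path))
    normalised = decoded.replace("\\", "/")
    return [name for name, rx in PROBE_RULES.items() if rx.search(normalised)]


def parse_error_log(lines):
    """Yield (ip, raw_path, rule_hits) for each line that matches at least one rule."""
    for line in lines:
        m = ERROR_LINE.match(line.strip())
        if not m:
            continue  # not a 'File does not exist' line
        hits = classify_path(m.group("path"))
        if hits:
            yield m.group("ip"), m.group("path"), hits


def summarise(lines, threshold=5):
    """Count probe hits per client IP.

    Returns (hits_per_ip, rules_per_ip, candidates) where candidates are
    the IPs with at least `threshold` probe lines, sorted for stable output.
    """
    hits_per_ip = Counter()
    rules_per_ip = defaultdict(Counter)
    for ip, _path, hits in parse_error_log(lines):
        hits_per_ip[ip] += 1
        for rule in hits:
            rules_per_ip[ip][rule] += 1
    candidates = sorted(ip for ip, n in hits_per_ip.items() if n >= threshold)
    return hits_per_ip, rules_per_ip, candidates


if __name__ == "__main__":
    per_ip, rules, block_candidates = summarise(SAMPLE_LOG.splitlines())
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} probe lines, {dict(rules[ip])}")
    print("candidates for a deny rule:", block_candidates)
```

Run against a real error_log with `summarise(open("/path/to/error_log"))`; the candidate list is the input to whichever blocking mechanism you prefer (a `Deny from` line in httpd.conf or a firewall rule), and the per-rule counts tell you whether a client is a worm scanner or just a broken link.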