[Scottish] [OT] Strange Apache Log Entries - Can Anyone Identify ?

Jim Jarvie scottish at mailman.lug.org.uk
Mon May 19 18:10:00 2003


I've been checking a friend's web site logs (apache, obviously) which has
EarlyBird installed to catch the Nimda/Code Red IIS worms and mail an
auto-complaint to the offenders.

However, a new entry has appeared since last week which I've been unable
to identify and which EarlyBird ignores.  Save for a single mention on
the Dshield mailing list which never actually identified the cause, I
can't find any information to suggest what is happening.  These requests
have never been seen in the logs before 15 May, tailed off dramatically
at the weekend (i.e. whatever it was got switched off ?) and have come back
big-time today (presumably, switched back on on (!) Monday morning).

The fingerprint looks very much like a similar worm to Code Red/Nimda,
being a suspected buffer overflow attack.  The sources (which I've
included to expose the guilty) are a variety of non-responding sites or
sites with place-holders etc.  Basically, they don't look like they are
supposed to be originating traffic and this is some form of unintended
web browsing...

Before I embarrass several people, including myself, by patching
EarlyBird to complain about these requests, does anyone have an
explanation or have you seen anything similar ?

The gory [log] details (quoted-printable wrapping removed, one log line per entry):

218.145.25.43 - - [15/May/2003:11:44:09 +0100] "GET /stream?m=xhIrB2We0im0f3000000000000000000000000007STOQ300000010000G00SCNQcfpBlOZDk8JDmuICuWZBu4ZEu0pBoa3Ej430800Lo43Ek43DruYCru2DrqYDnuoDpu2EsuICp8ZEu03BWKLL9HKFm8KH2DKGtCJGpCJDq8aDnWJE51ZDnGpG1HKH693DtCKBs4ZBtCZBuOZBnCZCwW3C HTTP/1.0" 404 274
dchsp180.31.pris.ca - - [15/May/2003:11:55:15 +0100] "GET /stream?m=xhIrB2Wh0Sm0f3000000000000000000000000000u8fsp21jVgFxsMq00000000100010010inSfPcElyYDsuYCr0ZBnW3EkSZEu0pBp43Ej43080mLo03Ek43EnuICu0ZBp4JBnaZCk4ZDuu2Ck4ZDme3Emm28LLLI4rZGu8JC5P3DtOJGpW3DvC3Hv44Hoa3CqC3CnW3HoC3DsqICv8ZBnO3Ek0ZBnO3CwW3C HTTP/1.1" 404 286
204.83.248.23 - - [15/May/2003:13:20:18 +0100] "GET /stream?m=xhIrB2me0im0f300000000000000000000000000QTDu3300000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020ObCmGZBuCZBoG3Ek8pCj4JEouICsWZBnuICn4ZEu03BWKLL9HKF2XZCqGZD4LKCu0JHq03C65qGr8qD513Cra3C4DKE1LJBnaZCk4ZDuuICk4JCne3Em0 HTTP/1.1" 404 286
209.128.30.202 - - [15/May/2003:14:57:11 +0100] "GET /stream?m=xhIrB2Wf0im0f300000000000000000000000000uJzVX200000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020abCmaZBn83EkC3Ck83CoqICt8ZBnOZBnC3Dk43Cqe3Emm28LLLI4rZHrGJCp4qGnOaGvKJCnGaDvWJHn03C213Hm43DsKqD3rICt8ZBnOZBnC3Dk43Cqe3Em0 HTTP/1.1" 404 286
208.181.190.89 - - [15/May/2003:15:42:36 +0100] "GET /stream?m=xhIrB20e0im0f300000000000000000000000000DKWM@000000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020CbCmWZBnWJCk4JEmu2EvqICv8ZBnO3Ek8ZBse3Emm28LLLI4rJErKJCtSZGtGqD3T3D1bZDvO3Hu43C5b3H61JHsCKGmqICv8ZBnO3Ek8ZBse3Em0 HTTP/1.1" 404 286
204.118.118.194 - - [15/May/2003:16:01:21 +0100] "GET /stream?m=xhIrB2me0Sm0f3000000000000000000000000000uO_DAn9tSjFxc7Z000000000100010010inSfPcElyYDsuYCr0ZBnW3EkSZEu0pBp43Ej430800Jo03Dk4JCuuICnWZBna3DwW3Ci0ILLb4Hz43D5LpDn4qCt4ZC4HpDmGKG5HpDqKqG153H4HaGqCqGj83CquICnWZBn43Ek4JEqe3Em0 HTTP/1.1" 404 286
208-142-210-1.jdedwards.com - - [15/May/2003:16:10:23 +0100] "GET /stream?m=xhIrB2Gd0im0f300000000000000000000000000FDggy300000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn00200bCmWZBnGZCk8JCmuICj43Ck0ZBuSZBuaZEu03BWKLL9HKF2X3E4P4EmO4Dva3Dq8KGn4aGrKqCqCJE3LpC1PKHraJBn0ZBmu2Etu2Eve3Em0 HTTP/1.1" 404 286
167.129.240.10 - - [16/May/2003:09:09:10 +0100] "GET /stream?m=xhIrB20i0Sm0f300000000000000000000000000009SYSM85DeFxU@x000000000100010010inSfPcElyYDsuYCr0ZBnW3EkSZEu0pBp43Ej43080GMnOpDk4ZCvuYCq0ZBn0JBnOpDk4ZCvuICp0ZBs0ZEu03BWKLL9HKFrGKHp03CvGKDqWZHqGaCmWZDrO3Do44DqaZHv8qDt8KBnOpDk4ZCvuICp0ZBs0ZEu03 HTTP/1.0" 404 274
204.201.200.61 - - [16/May/2003:11:06:58 +0100] "GET /stream?m=xhIrB2Wi0Sm0f30000000000000000000000000000fcY@VKZniFxs@B000000000100010010inSfPcElyYDsuYCr0ZBnW3EkSZEu0pBp43Ej43080mMo03Dk83CnuYCm0ZBs4JBnaZCk4ZDuuICo0ZBnKZCwW3Ci0ILLb4Hz4JHs8ZDpGZHuGZHrGpCuSZGtKJHmCqDqGKCq4ZH1DpGj4JEouICsWZBn83Ck4JDoe3Em0 HTTP/1.1" 404 286
h24-84-67-85.vc.shawcable.net - - [16/May/2003:14:58:00 +0100] "GET /stream?m=xhIrB2Ga0im0f3000000000000000000000000008G3jC100000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020GaCqu2EquYDtu2Ere3Emm28LLLI4r3C413H6LqDqOqGmW3DqGZDvOZDpCpGmaZGr8KGrGZGmqYCqu2EquYDtu2Ere3Em0 HTTP/1.1" 404 286
213-84-121-156.adsl.xs4all.nl - - [19/May/2003:09:06:55 +0100] "GET /stream?m=xhIrB2Wh0Sm0f3000000000000000000000000000G8@22btNvgF7VQN000000000100010010inSfPcElyYDsuYCr0ZBnW3EkSZEu0pBp43Ej43080mLo4pCkW3Dk4ZCnuICrOJBnaZCk4ZDuuICk4ZDne3Emm28LLLI4rZDtSJE6HZCvCJGmO4DoSJE25qG25KC2LqD653DrWpD1rICv8ZBnO3Ek4ZBnOJCwW3C HTTP/1.1" 404 286
202.4.192.50 - - [19/May/2003:11:12:30 +0100] "GET /stream?m=xhIrB2Wc0im0f300000000000000000000000000Y@@6v100000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020qaCm8ZBquICv8ZBr0JBn0ZBnuYCkG3CwW3Ci0ILLb4HzOqD45ZH5bpDpCpG2H3Hv83E41ZGoKqC1LKDnCKCtO3Cj43Ck4ZBou2Dme3Em0 HTTP/1.1" 404 286
213-84-121-156.adsl.xs4all.nl - - [19/May/2003:11:24:28 +0100] "GET /stream?m=xhIrB20f0im0f300000000000000000000000000jgogm300000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020SbCnCZBuGZBn8JCk4JDsqICv8ZBnO3Ek4ZBnOJCwW3Ci0ILLb4HzOpDtaZHq8JEp44C6HZCtaZG1DaG15ZG5TZHnGJDuSJGj4JEouICsWZBnuICs4ZEu03 HTTP/1.1" 404 286
tiger00.pica.army.mil - - [19/May/2003:11:42:03 +0100] "GET /stream?m=xhIrB2Gb0im0f30000000000000000000000000090oLu100000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020WKCoaZBnCJEkC3DkO3CwW3Ci0ILLb4HzO3HqOJEu0JCmaZCo4JC4TJGna3Em0pGmGZHoKpCu4ZHj4ZCvuICpaZBpGZBs0ZEu03 HTTP/1.1" 404 286
202.4.192.50 - - [19/May/2003:11:56:27 +0100] "GET /stream?m=xhIrB20f0Sm0f3000000000000000000000000000KODVgEkoUbF7dAu000000000100010010inSfPcElyYDsuYCr0ZBnW3EkSZEu0pBp43Ej43080GJo0ZCkGZBnaZCkK3Cj43Ck4ZBou2Dme3Emm28LLLI4rZHtGKC6LKEtCpC394D4bZCuG4C29JHp4KHr4pGnSZDmqICmuICk8ZBq0ZEu03 HTTP/1.1" 404 286
213-84-121-156.adsl.xs4all.nl - - [19/May/2003:12:16:01 +0100] "GET /stream?m=xhIrB2Wh0Sm0f3000000000000000000000000000K8FI2US5gcF7hQD000000000100010010inSfPcElyYDsuYCr0ZBnW3EkSZEu0pBp43Ej43080mLo4pCkW3Dk4ZCnuICrOJBnaZCk4ZDuuICk4ZDne3Emm28LLLI4rZDtSJE6HZCvCJGmO4DoSJE25qG25KC2LqD653DrWpD1rICv8ZBnO3Ek4ZBnOJCwW3C HTTP/1.1" 404 286
32.97.110.72 - - [19/May/2003:12:17:29 +0100] "GET /stream?m=xhIrB2Wd0im0f300000000000000000000000000YKC8O200000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn00204rCouIEtuICn0ZBt8JBvu2EvuIDnuYCoGZEu03BWKLL9HKF1PKHuG4HoGaCtWpGqCZHp4KCmCKH6DKHuaZG29KHpOKBvu2EvuIDnuYCoGZEu03 HTTP/1.1" 404 286
user.suncor-osg.com - - [19/May/2003:12:18:47 +0100] "GET /stream?m=xhIrB2Ge0im0f300000000000000000000000000TSyKT100000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020GLCvaZBuKZBvuYCmqICt8ZBnOZBnCZCkK3DwW3Ci0ILLb4Hz4qCoCaHrKpGoCaGqGpC5P3EtapCnaJCrOqDo4JCqKJGj4pDouICsuICp8ZBrGZEu03 HTTP/1.0" 404 274
167.129.240.10 - - [19/May/2003:12:23:05 +0100] "GET /stream?m=xhIrB2Wf0im0f300000000000000000000000000H0Ut4200000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020aLCsSZBn8JEk83DmuICmqICsSZBn8JEk4pCmuYDme3Emm28LLLI4rJD4LqCm0JE4L3DuO4D493CuOJDsGZC1H3DvOKE2TpD2rICsSZBn8JEk4pCmuYDme3Em0 HTTP/1.0" 404 274
user.suncor-osg.com - - [19/May/2003:15:40:40 +0100] "GET /stream?m=xhIrB2me0im0f300000000000000000000000000Em4LR100000010000G00RCNQcfpBlOZDk8JDmuICuWZBte3EmyoCnWJBn0020OLCvaZBuKZBvuYCmqICt8ZBnOZBn83Ek8JCoe3Emm28LLLI4rZH2DpDpK3Hn4pD2X3D4PpCvS3DraZC6PJCoCKHpOaH1rICt8ZBnOZBn83Ek8JCoe3Em0 HTTP/1.0" 404 274

Any clues or suggestions will be gratefully received.

Jim
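
An added example, not part of Jim's post and not EarlyBird code: a small
Python script that parses Apache common-log lines, pulls out the
"GET /stream?m=..." requests the post asks about, and summarises them
(hit count, sources, status codes, HTTP versions, the prefix the m= tokens
share) so you can judge the pattern before wiring up an automated
complaint. The log lines inside it are constructed: trimmed copies of
four entries quoted above (m= values cut short), plus an ordinary page hit
and a Nimda-style probe that the filter is expected to ignore. The
function names are my own.

```python
import re
from collections import Counter
from os.path import commonprefix
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not a real capture): four of the post's entries with
# the m= token shortened, one normal page view, and one Nimda-style probe.
SAMPLE_LOG = """\
218.145.25.43 - - [15/May/2003:11:44:09 +0100] "GET /stream?m=xhIrB2We0im0f30000000 HTTP/1.0" 404 274
dchsp180.31.pris.ca - - [15/May/2003:11:55:15 +0100] "GET /stream?m=xhIrB2Wh0Sm0f30000000 HTTP/1.1" 404 286
10.0.0.5 - - [15/May/2003:12:00:00 +0100] "GET /index.html HTTP/1.1" 200 1043
10.0.0.6 - - [15/May/2003:12:01:00 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 211
213-84-121-156.adsl.xs4all.nl - - [19/May/2003:09:06:55 +0100] "GET /stream?m=xhIrB2Wh0Sm0f30000000 HTTP/1.1" 404 286
213-84-121-156.adsl.xs4all.nl - - [19/May/2003:11:24:28 +0100] "GET /stream?m=xhIrB20f0im0f30000000 HTTP/1.1" 404 286
"""

# Apache common log format: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so "m=" with an empty token is still seen as present
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_stream_probe(rec):
    """The pattern from the post: a GET for /stream carrying an m= parameter."""
    return rec["method"] == "GET" and rec["path"] == "/stream" and "m" in rec["query"]


def summarise(lines):
    """Describe the /stream?m= traffic found in an iterable of log lines."""
    probes = [r for r in map(parse_line, lines) if r and is_stream_probe(r)]
    tokens = [r["query"]["m"][0] for r in probes]
    return {
        "count": len(probes),
        "sources": Counter(r["host"] for r in probes),
        "statuses": Counter(r["status"] for r in probes),
        "protocols": Counter(r["proto"] for r in probes),
        # shared leading characters of the opaque token (the "fingerprint")
        "common_prefix": commonprefix(tokens) if tokens else "",
        "token_lengths": sorted({len(t) for t in tokens}),
    }


def repeat_offenders(summary, min_hits=2):
    """Hosts seen at least min_hits times: the ones worth a closer look
    before any automated complaint is sent to them."""
    return sorted(h for h, n in summary["sources"].items() if n >= min_hits)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    print(f"{s['count']} /stream?m= requests, token prefix {s['common_prefix']!r}")
    print("statuses:", dict(s["statuses"]), "protocols:", dict(s["protocols"]))
    for host, n in s["sources"].most_common():
        print(f"  {n:3d}  {host}")
    print("repeat offenders:", repeat_offenders(s))
```

Run it against a real access_log with `summarise(open("access_log"))`;
the point of `repeat_offenders` is that a single 404 from a host tells you
very little, whereas a host that keeps coming back with the same
fingerprint is worth investigating (or complaining about).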