On Wednesday 13 March 2002 13:44, Landy Roman wrote:
> BTW nobody commented on these?
Yeah. We did ;) This is nimda:
u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 331
64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476
<snipped some>

Nimda comes in 'bursts' of 16 requests. 2 of these are for 'bladabla/root.exe', 14 are for 'bladabla/cmd.exe'.

I'm currently working on a perl script that will read the separate 'bad_requests' log, categorize the different attacks (+times and IP numbers) and stuff that info into a MySQL database. Later I want to expand that whole thing to make/keep an updated 'blacklist' of 'Bad Hosts'. In the fullness of time this data is going to serve two purposes:

1: Any host on the blacklist will be denied any access to this server. Except for _legitimate_ browser requests, which will be met with just one page explaining *why* access is denied, plus a, dynamically generated, summary of attacks originating from that host.

2: It will be made public, in the form of a summary of the number of attacks, and the times of occurrence.

Probably tons of similar apps are already out there, but it's a learning experience for me to write this stuff up. ;)

Also I've seen a lot of rpc and printer (among others) connection attempts in the firewall log lately, and as soon as I figure out how to get that stuff logged on the main server, that stuff is going into the Bad Hosts database as well. With the same response as mentioned above.

FYI *this* is code red:

61.182.248.223 - - [12/Mar/2002:07:47:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 331
> any idea why the return code was 400 and not 404?
Apache decided that these were bad requests, instead of simply 'not there' (?) What makes Apache respond with 401 (Authentication required) on *some* of this, though, is beyond me... Oh yeah. This is a very small site with not much traffic, so we can afford the overhead of all this processing... ;)
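The categorizing step the poster describes (read the bad-requests log, tag each hit as Nimda or Code Red, keep times and IPs per host, then drive a blacklist and a "why you are denied" page from that) as an added Python example. This is not the poster's Perl script and the MySQL step is left out; the per-host summary is a plain dict, which is what a database row would be built from. The worm signatures are the URL patterns quoted in the thread (root.exe / cmd.exe probes, /default.ida with a run of N's). The sample log is constructed: it reuses the entries quoted in the post, including the wrapped tail of a Code Red entry exactly as the post shows it, plus one extra cmd.exe probe and one benign hit added for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Signatures taken from the requests quoted in the thread: Nimda probes for
# root.exe / cmd.exe under assorted paths, Code Red hits /default.ida with a
# long run of N's in front of the %u-encoded payload.
NIMDA_RE = re.compile(r'/(?:root|cmd)\.exe\?/c\+', re.IGNORECASE)
CODERED_RE = re.compile(r'^/default\.ida\?N{20,}', re.IGNORECASE)

# Constructed sample log (assumption, not a real capture): the Nimda and Code
# Red entries quoted in the post, the wrapped tail of a Code Red entry as the
# post shows it, one extra cmd.exe probe and one benign hit for contrast.
N_PAD = 'N' * 224
SAMPLE_LOG = [
    'u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 331',
    '64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476',
    '64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476',
    '64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289',
    '61.182.248.223 - - [12/Mar/2002:07:47:44 -0500] "GET /default.ida?' + N_PAD
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    + '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 331',
    '10.0.0.7 - - [12/Mar/2002:11:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234',
]


def parse_line(line):
    """Return the fields of one log entry, or None for a line that is not a
    complete entry (a truncated or wrapped line must not poison the stats)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def classify(path):
    """Tag a request path by worm family; anything unrecognised is 'other'."""
    if CODERED_RE.search(path):
        return 'code-red'
    if NIMDA_RE.search(path):
        return 'nimda'
    return 'other'


def summarize(lines):
    """Per attacking host: hit count by family, first/last seen, status codes."""
    hosts = defaultdict(lambda: {'counts': defaultdict(int), 'first': None,
                                 'last': None, 'statuses': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec['path'])
        if kind == 'other':
            continue
        h = hosts[rec['host']]
        h['counts'][kind] += 1
        h['statuses'].add(rec['status'])
        t = rec['time']
        if h['first'] is None or t < h['first']:
            h['first'] = t
        if h['last'] is None or t > h['last']:
            h['last'] = t
    return dict(hosts)


def blacklist(summary, threshold=1):
    """Hosts with at least `threshold` attack hits, sorted."""
    return sorted(host for host, h in summary.items()
                  if sum(h['counts'].values()) >= threshold)


def denial_page(host, summary):
    """Text of the one page a blacklisted host still gets, with its own record."""
    h = summary[host]
    out = [f'Access from {host} is denied. Attack traffic seen from this host:']
    for kind, n in sorted(h['counts'].items()):
        out.append(f'  {n} x {kind}')
    out.append(f'  between {h["first"]:%Y-%m-%d %H:%M:%S %z} and {h["last"]:%Y-%m-%d %H:%M:%S %z}')
    out.append(f'  HTTP status codes returned: {sorted(h["statuses"])}')
    return '\n'.join(out)


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    for host in blacklist(s):
        print(denial_page(host, s), end='\n\n')
```

Two points worth keeping when turning this into the real thing: the parser returns None for anything that is not a complete log entry, so a wrapped or truncated line (like the first sample, which is how the post's own copy of a Code Red request arrives) is skipped rather than counted against a bogus "host"; and the per-host record keeps the HTTP status codes seen, so the 400/401/404 mix the thread wonders about stays visible next to each host instead of being thrown away during categorization.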