On Tue, 12 Mar 2002 18:39:26 -0500 Keith Winston wrote:

On Tue, Mar 12, 2002 at 06:19:04PM -0500, Landy Roman wrote:

...

i saw these entries in my weblog anything i can do against this

[snip]

...

You are being attacked by a Code Red infected Windows server. Since you are running Apache, you are immune, except to the bandwidth and CPU waste. If it is a persistant problem from the same server, you can track down the owner and let them know to patch or take their server offline.

i just read that in order to deal with the cpu waste one can create a empty file default.ida in the root server....FYI

On Wednesday 13 March 2002 00:46, James Bliss wrote:

This is the Code Red / Nimda attack signatures. You can just ignore them

I do not think there is a way to keep them out of the log, on the security list they went around on this and I do not remember any specific resolution which would keep them out of the log files. (anyone know of a way to avoid logging these entries?)

I did this, but that was to *move* them to a different log. Easily adaptable to just ignore: In /etc/http/httpd.conf around line 700: SetEnvIf Request_URI "root.exe" bad_req SetEnvIf Request_URI "cmd.exe" bad_req SetEnvIf Request_URI "default.ida" bad_req Which tells apache to lookout for those kinds of requests, and set the variable bad_req around line 740: CustomLog /var/log/httpd/access_log common env=!bad_req CustomLog /var/log/httpd/bad_requests "%h %t \"%r\"" env=bad_req Which tells apache to log everything BUT (env=!bad_req) as usual in access_log. And everything (=bad_req) to the file bad_requests in the format of: HOST-IP [time] "bad-string" I put the stuff where I put it, because I'm no apache-wizard, but it seemed about right. It can't be all wrong, 'cause it works very nicely :) If you don't care to log these attacks, then just adding the "env=!bad_req" to the regular log-line should suffice, but you still have to set up that variable (obviously) In my case I let the two logs run run side-by-side for a while, before adding that statement to the access_log-line, just to be sure that I didn't lose anything. If anyone sees something terribly wrong with this setup, please let me know ;) Jon

On Wed, 13 Mar 2002 08:20:18 +0100 Anders Johansson wrote:

On Wednesday 13 March 2002 00.46, James Bliss wrote:

...

This is the Code Red / Nimda attack signatures. You can just ignore them since you are not at risk. I know, they really clutter up the logs though.

I do not think there is a way to keep them out of the log, on the security list they went around on this and I do not remember any specific resolution which would keep them out of the log files. (anyone know of a way to avoid logging these entries?)

This is included in SuSE's official 2.4.16 kernel. Don't know about 2.4.10

iptables -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --dport 80 --string "default.ida"

(Adjust the string to suit other virus patterns). This will drop the attempt at the firewall level, before it ever gets to your apache.

//Anders

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com

any idea why the return code was 400 and not 404?

On Wednesday 13 March 2002 13:44, Landy Roman wrote:

BTW nobody commented on these?

Yeah. We did ;) This is nimda:

u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331 64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476

<snipped some> Nimda comes in 'bursts' of 16 requests. 2 of these are for 'bladabla/root.exe' 14 are for 'bladabla/cmd.exe'. I'm currently working on a perl script, that will read the separate 'bad_requests' log, categorize the different attacks (+times and IP numbers) and stuff that info into a MySQL database. Later I want to expand that whole thing to make/keep an updated 'blacklist' of 'Bad Hosts'. In the fullness of time this data is going to serve two purposes: 1: Any host on the blacklist will be denied any access to this server. Except for _legitimate_ browser-requests, which will be met with just one page explaining *why* access is denied, plus a, dynamically generated, summary of attacks originating from that host. 2: It will be made public, in the form of a summary of the number of attacks, and the times of occurance. Probably tons of similar apps are already out there, but it's a learning experience for me to write this stuff up. ;) Also I've seen a lot of rpc and printer (among others) connection attempts in the firewall log, lately, and as soon as I figure out how to get that stuff logged on the main server, that stuff is going into the Bad Hosts database as well. With the same response as mentioned above. FYI *this* is code red: 61.182.248.223 - - [12/Mar/2002:07:47:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331

any idea why the return code was 400 and not 404?

Apache decided that these were bad requests, instead of simply 'not there' (?) What makes Apache respond with 401 (Authentication required) on *some* of this, though, is beyond me... Oh yeah. This is a very small site with not much traffic, so we can afford the overhead of all this processing... ;)

On Wed, Mar 13, 2002 at 07:54:52PM +0100, Anders Johansson wrote:

On Wednesday 13 March 2002 16.54, Jon Clausen wrote:

...

On Wednesday 13 March 2002 13:44, Landy Roman wrote:

Did anyone else have problems with the last two mails in this thread from Landy Roman, and the one from Jon Clausen?

They appeared to come though fine on my machine. Regards, Keith -- LPIC-2, MSCE, N+ you may say I'm a dreamer, but I'm not the only one Got spam? Get SPASTIC http://spastic.sourceforge.net

On Wednesday 13 March 2002 13:44, Landy Roman wrote:

BTW nobody commented on these?

u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331 64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt /system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - -

How's this? (Yet another Attempt at Reproducing Anders' mail problem)

On Wednesday 13 March 2002 21:19, Anders Johansson wrote:

On Wednesday 13 March 2002 21.13, Jon Clausen wrote:

...

How's this? (Yet another Attempt at Reproducing Anders' mail problem)

Yes, this reproduced the problem. popper and imapd *refuses* to read the mail.

Are they susceptible to code red? :) I don't get it. I cannot see anything wrong with these mails, and kmail - when reading straight from a file - reads them without problems.

Is there anyone else out there using popper and/or imapd (not cyrus, the one in imapd.rpm) that sees this problem too?

This is getting to be really strange... The part where kmail will read it from a file with no problem, but refuses to have anything to do with it, if it's in the spool... What's (or rather: is *that*) the difference? Look out Anders! I'm gonna send you a mail off-list containing the codered-string, as seen in Landy's mail... Just to try and narrow it down a bit. (to see if it has anything to do with the stuff passing thru the list...)

On Wed, Mar 13, 2002 at 09:13:02PM +0100, Jon Clausen beat on the keyboard:

On Wednesday 13 March 2002 13:44, Landy Roman wrote:

...

BTW nobody commented on these?

u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u 0000%u00=a HTTP/1.0" 400 331 64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt /system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - -

How's this? (Yet another Attempt at Reproducing Anders' mail problem)

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com That is someone infected with virus. If you use a smbclient you can log onto the machine 50% percent of the time :)

-- _ _ __ _____ _____ ___| |_ | '__| / __\ \ /\ / / _ \/ _ \ __| -o) | | _ \__ \\ V V / __/ __/ |_ /\\ |_|(_) |___/ \_/\_/ \___|\___|\__|_\_v rsweet@garagenetworks.net "unix soit qui mal y pense."