Mailinglist Archive: opensuse (3644 mails)

Re: [SLE] web log
  • From: Jon Clausen <dsl23212@xxxxxxxxxxxxxxxx>
  • Date: Wed, 13 Mar 2002 16:54:49 +0100
  • Message-id: <20020313155450.111E915FD10@xxxxxxxxxxxxxxxxxxxx>
On Wednesday 13 March 2002 13:44, Landy Roman wrote:
> BTW nobody commented on these?

Yeah. We did ;)

This is nimda:

u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u
0000%u00=a HTTP/1.0" 400 331 64.133.27.115 - - [12/Mar/2002:10:23:19
-0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - -
[12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476

<snipped some>

Nimda comes in 'bursts' of 16 requests.
2 of these are for 'bladabla/root.exe' 14 are for 'bladabla/cmd.exe'.

I'm currently working on a perl script, that will read the separate
'bad_requests' log, categorize the different attacks (+times and IP numbers)
and stuff that info into a MySQL database. Later I want to expand that whole
thing to make/keep an updated 'blacklist' of 'Bad Hosts'.

In the fullness of time this data is going to serve two purposes:

1: Any host on the blacklist will be denied any access to this server. Except
for _legitimate_ browser-requests, which will be met with just one page
explaining *why* access is denied, plus a, dynamically generated, summary of
attacks originating from that host.

2: It will be made public, in the form of a summary of the number of attacks,
and the times of occurrence.

Probably tons of similar apps are already out there, but it's a learning
experience for me to write this stuff up. ;)

Also I've seen a lot of rpc and printer (among others) connection attempts in
the firewall log, lately, and as soon as I figure out how to get that stuff
logged on the main server, that stuff is going into the Bad Hosts database as
well. With the same response as mentioned above.

FYI *this* is code red:

61.182.248.223 - - [12/Mar/2002:07:47:44 -0500] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u
0000%u00=a HTTP/1.0" 400 331

any idea why the return code was 400 and not 404?

Apache decided that these were bad requests, instead of simply 'not there'
(?) What makes Apache respond with 401 (Authentication required) on *some* of
this, though, is beyond me...

Oh yeah. This is a very small site with not much traffic, so we can afford
the overhead of all this processing... ;)
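The script described in this message (read a bad-requests log, categorize the worm probes by type, time and IP, and drive a blacklist with a per-host explanation page) can be sketched as follows. This is an added example, not Jon's Perl script; it assumes Apache common log format input, uses signatures based only on the Nimda (root.exe / cmd.exe with ?/c+dir) and Code Red (default.ida?NNN...) request lines quoted in the thread, and runs over constructed sample lines with TEST-NET addresses rather than the real hosts from the log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes (assumed input format).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Signatures based on the worm requests quoted in the thread: Nimda probes for
# root.exe / cmd.exe with "?/c+dir", Code Red hits default.ida with a long run of N.
SIGNATURES = (
    ("nimda", re.compile(r"/(?:root|cmd)\.exe\?/c\+", re.IGNORECASE)),
    ("code_red", re.compile(r"/default\.ida\?N{10,}", re.IGNORECASE)),
)

# Constructed sample log lines (TEST-NET addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476',
    '192.0.2.10 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476',
    '192.0.2.10 - - [12/Mar/2002:10:23:21 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '198.51.100.7 - - [12/Mar/2002:07:47:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 400 331',
    '203.0.113.5 - - [12/Mar/2002:08:00:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
    'this line is not in common log format and is skipped',
]


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(request):
    """Name of the matching worm signature, or None for a request that matches none."""
    for name, pattern in SIGNATURES:
        if pattern.search(request):
            return name
    return None


def build_summary(lines):
    """Per-host summary: attack counts by type, first/last seen, and status codes Apache returned."""
    summary = defaultdict(lambda: {"attacks": Counter(), "statuses": Counter(),
                                   "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["request"])
        if kind is None:
            continue  # ordinary traffic is not recorded
        entry = summary[rec["host"]]
        entry["attacks"][kind] += 1
        entry["statuses"][rec["status"]] += 1
        if entry["first"] is None or rec["time"] < entry["first"]:
            entry["first"] = rec["time"]
        if entry["last"] is None or rec["time"] > entry["last"]:
            entry["last"] = rec["time"]
    return dict(summary)


def blacklist(summary, threshold=1):
    """Hosts with at least `threshold` recorded attacks, sorted for stable output."""
    return sorted(host for host, e in summary.items()
                  if sum(e["attacks"].values()) >= threshold)


def explanation_page(host, summary):
    """Text a blacklisted host's browser would be shown instead of the site."""
    e = summary[host]
    lines = [f"Access denied for {host}: this host sent attack requests to this server."]
    for kind, n in sorted(e["attacks"].items()):
        lines.append(f"  {kind}: {n} request(s)")
    lines.append(f"  first seen: {e['first'].isoformat()}  last seen: {e['last'].isoformat()}")
    return "\n".join(lines)


if __name__ == "__main__":
    s = build_summary(SAMPLE_LOG)
    for host in blacklist(s):
        print(explanation_page(host, s))
        print()
```

The summary dictionary is the shape of what would go into the MySQL table; the status counter is kept per host so the 400/401/404 mix Apache returns for the same worm is visible in the summary rather than hidden by the classification. Lines that do not parse are skipped instead of aborting the run, since a bad-requests log by definition contains malformed request lines.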
