Hello, I set up the Apache web server that came with SuSE 8.2, and the next day got several similar lines in my /var/log/httpd/access_log:

193.220.30.35 - - [22/May/2003:14:13:16 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
193.194.67.45 - - [22/May/2003:14:14:14 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
207.33.111.37 - - [14/May/2003:14:03:55 +0200] "HEAD /cgi-bin/ws_ftp.ini HTTP/1.0" 404 0
207.33.111.37 - - [14/May/2003:14:03:56 +0200] "HEAD /WS_FTP.ini HTTP/1.0" 404 0
207.33.111.37 - - [14/May/2003:14:03:56 +0200] "HEAD /cgi-bin/WS_FTP.ini HTTP/1.0" 404 0
207.33.111.37 - - [14/May/2003:14:03:57 +0200] "HEAD /cgi-bin/ax-admin.cgi HTTP/1.0" 404 0
207.33.111.37 - - [14/May/2003:14:03:57 +0200] "HEAD /cgi-bin/axs.cgi HTTP/1.0" 404 0

Are these possible intruder attacks?

Regards,
himba

-- This mail was Kmailed.
* himbA; on 23 May, 2003 wrote:
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
> 207.33.111.37 - - [14/May/2003:14:03:55 +0200] "HEAD /cgi-bin/ws_ftp.ini HTTP/1.0" 404 0
> 207.33.111.37 - - [14/May/2003:14:03:56 +0200] "HEAD /WS_FTP.ini HTTP/1.0" 404 0
> 207.33.111.37 - - [14/May/2003:14:03:56 +0200] "HEAD /cgi-bin/WS_FTP.ini HTTP/1.0" 404 0
> 207.33.111.37 - - [14/May/2003:14:03:57 +0200] "HEAD /cgi-bin/ax-admin.cgi HTTP/1.0" 404 0
> 207.33.111.37 - - [14/May/2003:14:03:57 +0200] "HEAD /cgi-bin/axs.cgi HTTP/1.0" 404 0
>
> Are these possible intruder attacks?

They are most probably some script kiddie playing around looking for any vulnerabilities they may find. The reality is that when you have a webserver publicly available, these logs will come someday.

Have a look at http://susefaq.sourceforge.net/apachequestions.html

If you have real concern, then consider placing your server in a DMZ and running it chrooted (not that it gives a 100 % guarantee, yet it makes you feel safer).

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Well, my server will be public after I set up DNS and email accounts for my users... It is a small server for web pages and email accounts. I would decide to put it in a DMZ, since I'm running DNS as well, but then again I also have the mail server and the users' mailboxes on that machine... I guess transferring the mailboxes to another machine inside the LAN would do it! Securita!

Thank you for your replies, :)

regards,
himba

On Friday 23 May 2003 00:14 Togan Muftuoglu wrote:
> They are most probably some script kiddie playing around looking for any vulnerabilities they may find. The reality is that when you have a webserver publicly available, these logs will come someday.
>
> Have a look at http://susefaq.sourceforge.net/apachequestions.html
>
> If you have real concern, then consider placing your server in a DMZ and running it chrooted (not that it gives a 100 % guarantee, yet it makes you feel safer).

-- This mail was Kmailed.
On Friday 23 May 2003 00:03, himbA wrote:
> 193.220.30.35 - - [22/May/2003:14:13:16 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281

It's an "old" exploit against Microsoft IIS servers, as far as I know. Googling gives many references. Here are a couple:
http://www.birdhouse.org/blog/archives/000114.php
http://www.apacheweek.com/features/codered

Before we gloat too much, there are more recent exploits targeting SSL. One of the exploit tools actually contains a Linux virus, which I'm sure the script kiddies will appreciate the irony of :-) And as far as I can read, Windows is immune to this exploit (or at least not tested by the exploit tools). In the logs you'll see something like

"GET /sumthin HTTP/1.0" 404 201

The exploit uses this (by parsing the error page returned) to check which version of Apache is run on the server and thus might be vulnerable to the SSL exploit, assuming you have https running. Check out the two references in:
http://archives.neohapsis.com/archives/incidents/2003-04/0052.html

Cheers,
Sigfred.
* himbA
> I set up apache web server that came with Suse8.2, and the next day got several similar lines in my /var/log/httpd/access_log:
>
> 193.220.30.35 - - [22/May/2003:14:13:16 +0200] "GET /default.ida?XXXXXX HTTP/1.0" 404 281
> 193.194.67.45 - - [22/May/2003:14:14:14 +0200] "GET /default.ida?XXXXXX HTTP/1.0" 404 281
> [ some snipping ]

Probably CodeRed/Nimda attacks from a whinedohs user who doesn't even know he is infected. The 404 code indicates that your machine dis-allowed access.

When you tire of the notices, see your KDE Help Center -> SuSEFAQ -> Unofficial SuSE FAQ -> Apache Related Questions -> 5. How to get rid of unwanted error messages:

Edit /etc/httpd/httpd.conf:

SetEnvIf Request_URI "root.exe|cmd.exe|default.ida" bad-req
ErrorLog /var/log/httpd/faq_error.log
CustomLog /var/log/httpd/faq_acces.log combined env=!bad-req

The error messages are tiresome but harmless, AFAICT.

gud luk,
--
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
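The two replies above describe two different things a practitioner wants from these log lines: Sigfred's point that the "GET /sumthin" 404 is an Apache version fingerprint that precedes the SSL exploit attempts, and Patrick's SetEnvIf filter that hides the CodeRed/Nimda noise from the access log. The script below is an added example for this thread, not code from the original posts or from the SuSE FAQ. It parses common-log-format lines like the ones himbA posted, labels each request (Code Red, Nimda, CGI/WS_FTP.ini probing, the /sumthin fingerprint), decodes Code Red's %uXXXX-encoded payload into raw bytes, and shows which lines Patrick's pattern would keep out of the custom log. The sample log is constructed: the 193.x and 207.x entries are shortened copies of the thread's lines, and the 10.0.0.x entries are invented to exercise the /sumthin and root.exe cases. Treating the SetEnvIf pattern as an unanchored regular expression matches how Apache applies it.

```python
"""Triage Apache access_log lines for the scanner traffic seen in this thread.

Added example, not the thread's or the SuSE FAQ's code. Parses common log
format, labels the scanner family, decodes Code Red's %uXXXX payload and
simulates Patrick's SetEnvIf "bad-req" filter over a constructed sample.
"""
import re
from collections import Counter

# Apache common log format: ip ident user [ts] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Patrick's SetEnvIf Request_URI pattern; Apache applies it as an unanchored
# regex, which is what we assume here when simulating env=!bad-req.
BAD_REQ_RE = re.compile(r'root\.exe|cmd\.exe|default\.ida')

# Ordered signatures, first match wins. /sumthin is the Apache version
# fingerprint Sigfred describes; the others are the URIs from the logs.
SIGNATURES = (
    ("code-red", re.compile(r'^/default\.ida\?X+%u')),
    ("nimda", re.compile(r'/(root|cmd)\.exe', re.I)),
    ("apache-fingerprint", re.compile(r'^/sumthin$')),
    ("cgi-probe", re.compile(r'ws_ftp\.ini|^/cgi-bin/', re.I)),
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def label(uri):
    """Name the scanner family a request URI belongs to, or 'unknown'."""
    for name, rx in SIGNATURES:
        if rx.search(uri):
            return name
    return "unknown"


def decode_u_payload(uri):
    """Turn the %uXXXX sequence of a Code Red URI into raw bytes.

    IIS decoded each %uXXXX as one 16-bit unit stored little-endian, so
    %u9090 becomes two 0x90 (x86 NOP) bytes and %u6858 becomes 58 68.
    """
    out = bytearray()
    for code in re.findall(r'%u([0-9a-fA-F]{4})', uri):
        out += int(code, 16).to_bytes(2, "little")
    return bytes(out)


def triage(lines):
    """Classify every parsable line; return (records, per-source counters)."""
    records, per_ip = [], {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue  # skip anything that is not a well-formed CLF line
        rec = {
            "ip": f["ip"],
            "uri": f["uri"],
            "status": int(f["status"]),
            "label": label(f["uri"]),
            # True where Patrick's CustomLog ... env=!bad-req would drop it
            "suppressed": BAD_REQ_RE.search(f["uri"]) is not None,
        }
        records.append(rec)
        per_ip.setdefault(rec["ip"], Counter())[rec["label"]] += 1
    return records, per_ip


# Constructed sample modelled on the thread's lines (X padding shortened,
# 10.0.0.x sources invented for the /sumthin and root.exe cases).
SAMPLE_LOG = """\
193.220.30.35 - - [22/May/2003:14:13:16 +0200] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281
207.33.111.37 - - [14/May/2003:14:03:55 +0200] "HEAD /cgi-bin/ws_ftp.ini HTTP/1.0" 404 0
207.33.111.37 - - [14/May/2003:14:03:56 +0200] "HEAD /WS_FTP.ini HTTP/1.0" 404 0
207.33.111.37 - - [14/May/2003:14:03:57 +0200] "HEAD /cgi-bin/ax-admin.cgi HTTP/1.0" 404 0
10.0.0.5 - - [23/May/2003:09:00:01 +0200] "GET /sumthin HTTP/1.0" 404 201
10.0.0.6 - - [23/May/2003:09:00:02 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
10.0.0.7 - - [23/May/2003:09:00:03 +0200] "GET /index.html HTTP/1.1" 200 1532
""".splitlines()


if __name__ == "__main__":
    recs, per_ip = triage(SAMPLE_LOG)
    for r in recs:
        state = "filtered" if r["suppressed"] else "logged  "
        print(f'{r["ip"]:15} {r["status"]} {r["label"]:18} {state} {r["uri"][:40]}')
    payload = decode_u_payload(recs[0]["uri"])
    print(f"Code Red payload: {len(payload)} bytes, {payload.count(0x90)} NOP bytes")
    for ip, counts in per_ip.items():
        print(ip, dict(counts))
```

Running it shows the gap between the two replies: the FAQ filter removes the Code Red and Nimda lines from the access log but does nothing about the WS_FTP.ini and cgi-bin probes or the /sumthin request, and it only hides the noise rather than stopping it. Since the /sumthin probe works by reading the Apache version out of the error page, setting `ServerTokens Prod` and `ServerSignature Off` in httpd.conf is the cheap way to give that fingerprint less to work with; the Code Red requests themselves target IIS's .ida ISAPI handler, so the 404 from Apache means the request hit nothing at all.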
participants (4): himbA, Patrick Shanahan, Sigfred Håversen, Togan Muftuoglu