Re: [SLE] /var/log/httpd/access_log & error_log

25 Sep 2001


      yep
that's the evil codred virus
you'll find variants of it as well

i believe it's codered that's requesting "default.ida"
and nimda that's looking for "root.exe"

i wrote a cron-perlscript to toast it all:


#!/usr/bin/perl -w

my @coderedeffect = ("/path/to/log/file/access.log",
"/path/to/error/log/error.log");

for (my $x = 0; $x <= 1; $x++) {
  open (CODERED, "$coderedeffect[$x]") or die "can't open $coderedeffect[$x]
- $!";

  my @coderedfile = <CODERED>;
  $coderedloop = scalar(@coderedfile) - 1;

  for (my $y = 0; $y <= $coderedloop; $y++) {
    if ($coderedfile[$y] =~ m/default\.ida/g || $coderedfile[$y] =~
m/\.exe/g) {
      $coderedfile[$y] = "";
    }
  }

  close (CODERED) or die "can't close $coderedeffect[$x] - $!";


  open (CODERED, ">$coderedeffect[$x]") or die "can't open for writing
$coderedeffect[$x] - $!";

  for (my $y = 0; $y <= $coderedloop; $y++) {
    print CODERED $coderedfile[$y];
  }

  close (CODERED) or die "can't close $coderedeffect[$x] - $!";

}
...
From: "Brandon Caudle" 
Date: Tue, 25 Sep 2001 18:56:23 -0400
To: 
Subject: [SLE] /var/log/httpd/access_log & error_log
<!--StartFragment-->64.226.247.96 - - [15/Sep/2001:09:19:49 -0400] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909
0%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0
000%u00=a  HTTP/1.0" 404 389
What in the world is this?
This error appears every 30 minutes and most appear to come from 64.XXX
<!--StartFragment-->64.173.193.7 - - [18/Sep/2001:09:41:36 -0400] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
stem32/cmd.exe?/c+dir HTTP/1.0" 404 325
<!--StartFragment-->64.243.113.2 - - [18/Sep/2001:09:54:26 -0400] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 268
Is this some MS crap? The code red virus?
Thanks
Brandon Caudle
-- 
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/support/faq and the
archives at http://lists.suse.com

Re: [SLE] /var/log/httpd/access_log & error_log

gabriel