Web Servers on Unix and Linux - Attack?


Trent Curry

2004-04-23, 1:37 am

I was going through our access_log on our apache server running on
linux, and came across this. I've yet to see an entry like this:

64.165.18.245 - - [22/Apr/2004:19:07:12 -0700] "SEARCH
/ \x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1
[...A LOT MORE 2 digit hex numbers ...]
\x90\x90\x90" 414 335 "-" "-"

64.164.119.146 - - [22/Apr/2004:20:08:35 -0700] "SEARCH
/ \x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
\x02\xb1\x02\xb1\x02
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90
[...A LOT MORE 2 digit hex numbers ...]
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90" 414 335 "-" "-"

The host names come back as:
64.165.18.245 : adsl-64-165-18-245.dsl.sndg02.pacbell.net
64.164.119.146 : adsl-64-164-119-146.dsl.mtry01.pacbell.net

(And anyone who knows of spammers will tell you pacbell is big with
spammers and such...)


If I were to copy paste everything it would probably take a couple
hundred lines, wrapped. (There are actually no line breaks in the raw
log entry.)

Obviously the request is a SEARCH instead of a GET, which in itself is
not necessarily a bad thing, but this manner seems to be some sort of
attack.

Can anyone verify this?

--
Trent Curry - trentcurryReMoVe@rEmOvEhotmail.com


David Efflandt

2004-04-23, 7:36 pm

On Thu, 22 Apr 2004, Trent Curry <trentcurryReMoVe@rEmOvEhotmail.com> wrote:
> I was going through our access_log on our apache server running on
> linux, and came across this. I've yet to see an entry like this:
>
> 64.165.18.245 - - [22/Apr/2004:19:07:12 -0700] "SEARCH
> /\x90\x02\xb1\x02\xb1...
>
> Obviously the request is a SEARCH instead of a GET, which in itself is
> not necessarily a bad thing, but this manner seems to be some sort of
> attack.
>
> Can anyone verify this?


It is an IIS WebDAV worm. MS patched it over a year ago, but it seems to
have exploded lately (clueless Windows users failing to do Updates).

--
David Efflandt - All spam ignored http://www.de-srv.com/

Rusty Wright

2004-04-23, 7:36 pm

Why try and verify that it's an attack? It's pointless to try and
deal with them; a new one springs up every few minutes. My access_log
is bursting with entries from various worms that are trying to break
into my web server. I wish I could configure apache so that it
doesn't log all of that crap.

"Trent Curry" <trentcurryReMoVe@rEmOvEhotmail.com> writes:

> I was going through our access_log on our apache server running on
> linux, and came across this. I've yet to see an entry like this:
>
> 64.165.18.245 - - [22/Apr/2004:19:07:12 -0700] "SEARCH
> / \x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
> \x02\xb1\x02\xb1
> [...A LOT MORE 2 digit hex numbers ...]
> \x90\x90\x90" 414 335 "-" "-"
>
> 64.164.119.146 - - [22/Apr/2004:20:08:35 -0700] "SEARCH
> / \x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
> \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
> \x02\xb1\x02\xb1\x02
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90
> [...A LOT MORE 2 digit hex numbers ...]
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
> \x90\x90\x90\x90\x90" 414 335 "-" "-"
>
> The host names come back as:
> 64.165.18.245 : adsl-64-165-18-245.dsl.sndg02.pacbell.net
> 64.164.119.146 : adsl-64-164-119-146.dsl.mtry01.pacbell.net
>
> (And anyone who knows of spammers will tell you pacbell is big with
> spammers and such...)
>
>
> If I were to copy paste everything it would probably take a couple
> hundred lines, wrapped. (There are actually no line breaks in the raw
> log entry.)
>
> Obviously the request is a SEARCH instead of a GET, which in itself is
> not necessarily a bad thing, but this manner seems to be some sort of
> attack.
>
> Can anyone verify this?
>
> --
> Trent Curry - trentcurryReMoVe@rEmOvEhotmail.com

Trent Curry

2004-04-24, 3:34 am

Rusty Wright wrote:
> Why try and verify that it's an attack? It's pointless to try and
> deal with them; a new one springs up every few minutes. My access_log
> is bursting with entries from various worms that are trying to break
> into my web server. I wish I could configure apache so that it
> doesn't log all of that crap.


As do I. But at the same time it's actually amusing, since these
Windows/IIS worms can't do a damn thing to Apache running on a Linux or
Unix based system.

I would attempt to count all the security holes in IIS servers, but
humans only live so long...

--
Trent Curry - trentcurryReMoVe@rEmOvEhotmail.com


Trent Curry

2004-04-24, 3:34 am

David Efflandt wrote:
> On Thu, 22 Apr 2004, Trent Curry <trentcurryReMoVe@rEmOvEhotmail.com>
> wrote:
>
> It is an IIS WebDAV worm. MS patched it over a year ago, but it seems
> to have exploded lately (clueless Windows users failing to do
> Updates).


Thank you David, I suspected as much. I've just never seen this form of
it. I would not be surprised if people (such as those running Apache on a
Unix based system) start calling it the spam worm or something to that
effect.

If only there were a way to filter these buggers out. I could always
write a Perl script to process the logs, as the clutter from this is
absolutely abysmal with word wrapping turned on, spanning endless lines.
At least it's somewhat manageable with word wrap turned off, which I
suppose is better for log viewing anyway, as each entry will take just
one, albeit looooong, line.

You know what, I might just write a Perl script to automatically email
abuse@${rootdomain} if it finds garbage like this. Perhaps whip up a
cron job to run this periodically. Perhaps it may help take down a few
of these damn "hackers". Enough is enough.

I'm also wondering if anyone else has attempted this and if so what
result did you have? Is there anything else to consider here that I may
have missed?

Thanks.


--
Trent Curry - trentcurryReMoVe@rEmOvEhotmail.com
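
An added example, not code from the thread, covering the two things asked above: confirming what the log entries are, and filtering them out of the log (with the abuse@ guess Trent proposes). A SEARCH request whose URI is several kilobytes of \x90 (x86 NOP) bytes is the shape of the exploits for the IIS 5.0 WebDAV overflow in ntdll.dll that Microsoft fixed in MS03-007 in March 2003, which is the bug David's reply refers to; the 414 status shows Apache refused the request line as too long (the default LimitRequestLine is 8190 bytes), so the payload never reached anything. The script below parses combined-format access_log lines, undoes mod_log_config's \xNN escaping to get the raw request bytes back, scores each request on NOP-sled length, non-printable byte count, WebDAV method and 414 status, and summarises hits per source IP. The sample log lines are constructed (payloads shortened); the two hostnames are the reverse lookups quoted in the thread. Thresholds (8 NOPs, 8 binary bytes) and the abuse@ derivation are assumptions, not rules.

```python
"""Flag IIS WebDAV worm probes in an Apache access_log, summarise them per source
and produce a cleaned copy of the log.

Added example, not code from the thread.  Sample log lines are constructed,
modelled on the entries posted (payloads shortened); the hostnames are the
reverse lookups quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: Apache "combined" format, non-printable bytes logged as \xNN.
SAMPLE_LOG = "\n".join([
    r'64.165.18.245 - - [22/Apr/2004:19:07:12 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90" 414 335 "-" "-"',
    r'64.164.119.146 - - [22/Apr/2004:20:08:35 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 335 "-" "-"',
    r'10.0.0.5 - - [22/Apr/2004:20:10:01 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    r'10.0.0.6 - - [22/Apr/2004:20:11:07 -0700] "PROPFIND /dav/ HTTP/1.1" 405 312 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"',
])
# Reverse lookups as quoted in the thread; a live run would call socket.gethostbyaddr().
HOSTNAMES = {
    "64.165.18.245": "adsl-64-165-18-245.dsl.sndg02.pacbell.net",
    "64.164.119.146": "adsl-64-164-119-146.dsl.mtry01.pacbell.net",
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+')
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}
ESCAPES = {"n": 10, "r": 13, "t": 9, "v": 11, "b": 8, "\\": 92, '"': 34}


def parse_line(line):
    """Split one access_log line into ip, timestamp, method, request-target, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    # A request cut off by a 414 has no trailing HTTP/x.y token; strip one only if present.
    if len(parts) > 2 and parts[-1].startswith("HTTP/"):
        parts = parts[:-1]
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": parts[0],
            "target": " ".join(parts[1:]), "status": int(m.group("status"))}


def unescape(logged):
    """Undo mod_log_config's escaping (\\xNN for non-printables, plus backslash,
    quote, \\n, \\r, \\t, \\v, \\b) to recover the raw request bytes."""
    out, i = bytearray(), 0
    while i < len(logged):
        c = logged[i]
        if c == "\\" and i + 1 < len(logged):
            nxt, hexpair = logged[i + 1], logged[i + 2:i + 4]
            if nxt == "x" and len(hexpair) == 2 and all(h in "0123456789abcdefABCDEF" for h in hexpair):
                out.append(int(hexpair, 16))
                i += 4
                continue
            if nxt in ESCAPES:
                out.append(ESCAPES[nxt])
                i += 2
                continue
        out.extend(c.encode("latin-1", "replace"))
        i += 1
    return bytes(out)


def longest_run(data, value):
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def indicators(rec):
    """Reasons a record looks like the WebDAV overflow probe; [] for ordinary traffic."""
    reasons = []
    if rec["method"] in WEBDAV_METHODS:
        reasons.append("webdav-method:" + rec["method"])
    raw = unescape(rec["target"])
    sled = longest_run(raw, 0x90)            # x86 NOP sled (threshold is an assumption)
    if sled >= 8:
        reasons.append(f"nop-sled:{sled}")
    binary = sum(1 for b in raw if b < 0x20 or b >= 0x80)
    if binary >= 8:                          # URIs are ASCII; a shellcode blob is not
        reasons.append(f"binary-bytes:{binary}")
    if rec["status"] == 414:                 # Apache refused the oversized request line
        reasons.append("414-uri-too-long")
    return reasons


def is_probe(rec):
    # A WebDAV method alone is legitimate traffic; require a payload or 414 indicator too.
    return rec["method"] in WEBDAV_METHODS and len(indicators(rec)) >= 2


def summarise(log_text, hostnames=HOSTNAMES):
    """Per-source summary: [(ip, hostname, hit count, sorted indicators)]."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec):
            hits[rec["ip"]].append(rec)
    return [(ip, hostnames.get(ip, "?"), len(recs), sorted({r for x in recs for r in indicators(x)}))
            for ip, recs in sorted(hits.items())]


def without_probes(log_text):
    """The log with probe lines dropped, for reading with word wrap on."""
    keep = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not (rec and is_probe(rec)):
            keep.append(line)
    return "\n".join(keep)


def abuse_address(hostname):
    """abuse@<last two labels>, as the post proposes.  An assumption, not a rule: it is
    wrong under ccTLDs such as example.co.uk; the RIR WHOIS abuse contact for the IP
    is the authoritative address."""
    labels = hostname.rstrip(".").split(".")
    return "abuse@" + ".".join(labels[-2:]) if len(labels) >= 2 else None


if __name__ == "__main__":
    for ip, host, n, why in summarise(SAMPLE_LOG):
        print(f"{ip:16} {host:45} {n:3d}  {', '.join(why)}  -> {abuse_address(host)}")
```

Two practical notes before wiring this to cron and an outgoing mail queue: the sources are infected home DSL hosts, not people, so an automated abuse@ mail per hit produces a flood that most ISP abuse desks will filter, and a report that batches one summary line per IP per day with a couple of verbatim log lines is far more likely to be acted on; and the abuse@ guess from the reverse-DNS name should be replaced with the WHOIS abuse contact for the address block before anything is sent.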


David Efflandt

2004-04-24, 5:34 am

On Fri, 23 Apr 2004, Trent Curry <trentcurryReMoVe@rEmOvEhotmail.com> wrote:
> David Efflandt wrote:
>
> Thank you David, I supected as such. I've just never seen this form of
> it. I would not be suprised if people (such as those running apache on a
> unix based system) start calling it the spam worm or something to that
> effect.
>
> If only there were a way to filter these buggers out...


Since I am using wildcard virtual hosts anyway (dyn IP with dyn DNS), my
worm solution is a nameless default vhost that logs separately and goes
nowhere (1 html, no links). I had to set a bogus ServerName (and
UseCanonicalName off) for the nameless default vhost to work. Any real
user coming to my limited use site should be using one of my set vhost
names.

--
David Efflandt - All spam ignored http://www.de-srv.com/
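
David's default-vhost sink, and Rusty's wish to keep this junk out of access_log, as an added configuration example; this is not David's actual config, and the hostnames and paths are placeholders. It uses the Apache 1.3/2.0 syntax of the period (2.4 no longer needs NameVirtualHost). The first name-based vhost on an address is the default for any request whose Host header matches nothing, which is where a worm hitting the bare IP lands; that includes requests Apache rejects with 414, because they are logged before the Host header is ever read. The SetEnvIf/env=!tag trick in the real vhost is the usual way to drop unwanted requests from a log, with the caveat in the comments.

```apache
# Added example, not the poster's config. Apache 1.3/2.0 syntax of the period
# (2.4 no longer needs NameVirtualHost). Hostnames and paths are placeholders.
NameVirtualHost *:80
UseCanonicalName Off

# First name-based vhost on the address = the default. Requests that carry no
# matching Host header (worms hit the bare IP) land here, including the ones
# Apache rejects with 414 before it looks at any headers.
<VirtualHost *:80>
    ServerName  sinkhole.invalid
    DocumentRoot /var/www/sinkhole
    CustomLog   /var/log/apache/sinkhole_log combined
    ErrorLog    /var/log/apache/sinkhole_error_log
</VirtualHost>

# The real site; only traffic addressed to it by name reaches this log.
<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/example
    # Tag WebDAV methods the site does not serve and keep them out of the
    # main log. A 414 is logged straight from the request-line reader, before
    # mod_setenvif runs, so this only catches probes that complete the request
    # line; the sinkhole vhost above is what catches the 414s.
    SetEnvIf Request_Method "^(SEARCH|PROPFIND|PROPPATCH|MKCOL|LOCK|UNLOCK)$" dav_probe
    CustomLog /var/log/apache/access_log    combined env=!dav_probe
    CustomLog /var/log/apache/dav_probe_log combined env=dav_probe
</VirtualHost>
```

Keep the tagged traffic in its own log rather than discarding it: a sudden change in volume or in the request shape is the cheapest early warning that a new worm is out, and the separate file is what you would attach to an abuse report.
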

J

2004-05-02, 1:35 am

Trent Curry wrote:

> You know what, I might just write a PERL script to automatically email
> abuse@${rootdomain} if it finds garbage like this. Perhaps whip up a
> cron job to run this periodically. Perhaps it may help take down a few
> of these damn "hackers". Enough is enough.
>
> I'm also wondering if anyone else has atempted this and if so what
> result did you have? Is there anyting else to consider here that I may
> have missed?


I seem to recall something from the Slashdot threads back when Code Red
and Nimda hit the 'Net. One guy wrote a couple of scripts that either
acted as a honeypot and waited for an infected machine to attempt the
exploit, or used some server-side scripting of some sort to trigger the
response. Whatever the trigger, the response was a script that connected
to the infected machine using the command shell the worm made accessible
(cmd.exe) and issued a shutdown. I rather liked that. :-)

J

Copyright 2003 - 2008 webservertalk.com