Web Servers on Windows - strange things in Access Log -- apache 2.0.49 on XP Pro

TheKeith

2004-06-11, 6:52 pm

I'm new to running a web server. I just set up the latest version of
apache on a Windows XP pro sp1 machine the other day with all the latest
updates. I noticed just today two strange entries in the access log:

172.128.168.185 - - [02/Jun/2004:17:13:25 -0400] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3
%u7801%u9090%u6858%ucbd3%u7801%u9090%u68
58%ucbd3%u7801%u9090%u9090%u8190%u00c3%u
0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 301


and


24.9.183.40 - - [04/Jun/2004:14:32:14 -0400] "get
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 360


I'm in New York, so these are obviously hackers or something--I haven't
even told anyone about this web server. One of them seems to have
accessed the command prompt--not sure what they did with it? I just
checked the two computers on my local network for viruses with avg and
it found none. What else might I look for or should I not even worry
about it? I've since disabled port 80 forwarding on my router because
this made me a bit nervous.

Help would be appreciated--thanks.

Thor Kottelin

2004-06-11, 6:52 pm



TheKeith wrote:

> I noticed just today two strange entries in the access log:
>
> 172.128.168.185 - - [02/Jun/2004:17:13:25 -0400] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucb
> d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
> 6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
> %u0003%u8b00%u531b%u53ff%u0078%u0000%u00
> =a
> HTTP/1.0" 404 301
>
> and
>
> 24.9.183.40 - - [04/Jun/2004:14:32:14 -0400] "get
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir"
> 501 360
>
> I'm in New York, so these are obviously hackers or something--I haven't
> even told anyone about this web server. One of them seems to have
> accessed the command prompt--not sure what they did with it? I just
> checked the two computers on my local network for viruses with avg and
> it found none. What else might I look for or should I not even worry
> about it? I've since disabled port 80 forwarding on my router because
> this made me a bit nervous.


At a glance, those look like the normal intrusion attempts that will be
tried on any publicly accessible web server. Try a Google search for those
requests.

Apache is a much better choice than IIS, but remember to always keep your
software patched nevertheless.

Thor

--
http://www.anta.net/ IRCnet #areena

Nil

2004-06-11, 6:52 pm

On 06 Jun 2004, TheKeith <no@spam.com> wrote in
news:ft2dnaXE0NPoX1_dRVn-uQ@giganews.com:

> I'm new to running a web server. I just set up the latest version
> of apache on a Windows XP pro sp1 machine the other day with all
> the latest updates. I noticed just today two strange entries in
> the access log:


Your server is being probed by another computer on the internet that is
infected by a worm, probably Code Red or a more recent variant. Check
out the Symantec or McAfee site for more info. It's not dangerous to
you if you don't run IIS, it mostly just makes your logs messy.
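As an added example (not code from this thread or from Apache), a small Python scanner that reads Apache common-log lines, tags the probe patterns the replies above identify (the /default.ida request with %u-encoding from Code Red, the ..%c0%af traversal to cmd.exe from Nimda-style worms, and the WebDAV SEARCH probe that turns up later in the thread), and reports the status Apache returned. A probe answered with 4xx/5xx was refused, which is the point Nil makes; the sample log lines are constructed, with the long run of X's shortened.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not copied verbatim from the post): the first two
# mimic the Code Red and Nimda-style probes quoted in this thread, with the
# long run of X's shortened; the third is ordinary traffic for contrast.
SAMPLE_LOG = """\
172.128.168.185 - - [02/Jun/2004:17:13:25 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 301
24.9.183.40 - - [04/Jun/2004:14:32:14 -0400] "get /scripts/..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 360
192.0.2.10 - - [04/Jun/2004:15:00:00 -0400] "GET /index.html HTTP/1.1" 200 1043
"""

# Apache common log format. The protocol is optional because an HTTP/0.9-style
# request line (like the lowercase "get" probe above, which Apache answered 501)
# has none.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

def classify(line):
    """Return (client_ip, status, label) for a known IIS worm probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, method = m['target'], m['method'].upper()
    path, _, query = target.partition('?')
    lowered = target.lower()
    if path.lower() == '/default.ida' and '%u' in query.lower():
        label = 'Code Red (.ida overflow probe)'
    elif '%c0%af' in lowered or '%c1%9c' in lowered:   # overlong UTF-8 '/' and '\'
        label = 'Nimda / Unicode directory traversal'
    elif 'cmd.exe' in unquote(path).lower():
        label = 'cmd.exe request (Nimda-style)'
    elif method == 'SEARCH':
        label = 'WebDAV SEARCH probe'
    else:
        return None
    return m['ip'], int(m['status']), label

def scan(log_text):
    """Classify every line; 'served' is True only when the probe got a 2xx/3xx,
    which on an Apache box would be worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ip, status, label = hit
            findings.append((ip, status, label, status < 400))
    return findings
```

Run `scan(open('access.log').read())` against a real log to list which client addresses sent known probes and whether any got past a 4xx/5xx.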

TheKeith

2004-06-11, 6:52 pm

Nil wrote:
> On 06 Jun 2004, TheKeith <no@spam.com> wrote in
> news:ft2dnaXE0NPoX1_dRVn-uQ@giganews.com:
>
> Your server is being probed by another computer on the internet that is
> infected by a worm, probably Code Red or a more recent variant. Check
> out the Symantec or McAfee site for more info. It's not dangerous to
> you if you don't run IIS, it mostly just makes your logs messy.

much appreciated--thanks. I was afraid someone accessed my other
computer which has some files on it. The one with the server is pretty
bare--I use it as a print server and also to test out php scripts I'm
writing.

At one point last week when I was trying out different servers, I had
been running IIS, but it just seemed like apache was nicer to use and
from what I've read, safer. I just checked the IIS log from last week
and saw similar hits, as well as this one:

22:45:25 68.40.160.245 SEARCH / 404

I should also point out, that last week when IIS had those erroneous
hits, I had my root directory set to a folder on another computer on the
network instead of the host system. I'm now doing that with apache too
(for which I had to change the services settings, by having apache log
on to a regular account instead of the default system account which
seemingly has no network access), but wasn't at the time of those
erroneous hits on the apache log.

Do you think that accessing a remote root directory is a bad idea?
Actually I'll just post a new message about this topic.

Anyway, like I said yesterday, I ran the avg antivirus app with all the
latest updates, on both the computers on my network and it found
nothing. Does this mean that nothing was done? What exactly does the
"Nimda worm" do?

thanks again guys for your help.

Nil

2004-06-11, 6:52 pm

On 06 Jun 2004, TheKeith <no@spam.com> wrote in
news:scSdnSTAXKLIz17dRVn-sQ@giganews.com:

> Anyway, like I said yesterday, I ran the avg antivirus app with
> all the latest updates, on both the computers on my network and it
> found nothing. Does this mean that nothing was done?


Probably you're OK.

> What exactly does the "Nimda worm" do?


Look it up at the McAfee or Symantec or other anti-virus vendor's site,
or search Google or Yahoo. The info is all out there for you.


Copyright 2003 - 2008 webservertalk.com