trying to hack? Or is it just me thinking that?


airedale
03-26-2002, 12:50 PM
I was going through my error_log trying to check for something other than what I saw in there. In the error log it looked like there were IPs looking for cmd.exe in many different directories. Could you look at my error_log and tell me if I am going crazy or just don't know how to read my error log... or am I right?!
http://12.248.158.48/error_log

Thanks,

Adam

scanez
03-26-2002, 01:12 PM
Congratulations! You, my friend, have just been hit by the Nimda virus ;)

Hehe, actually no need to worry, it won't do anything to your system. But that explains the weird logs. For more info, do a search on Google with one line of your log.

chikn
03-26-2002, 02:25 PM
When I get hit like that I nslookup the IP, find out which ISP they belong to, then contact them to let them know. If people haven't fixed their crappy NT and 2k servers yet to rid or prevent themselves from spreading Nimda, they should be temporarily disconnected until they do so.

one of the addresses is
12-248-28-87.client.attbi.com which is ATT worldnet
Organization:
AT&T Corp.
Corporate Administrator
295 North Maple Avenue RM:3252G1
Basking Ridge, NJ 07920
US
Phone: 908-221-5578
Email: abuse@attbi.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: ATTBI.COM

Created on..............: Tue, Oct 02, 2001
Expires on..............: Sat, Oct 02, 2004
Record last updated on..: Fri, Feb 08, 2002

Administrative Contact:
AT&T Corp
Legal Demands Center
183 Inverness Drive West
Englewood, CO 80112
US
Phone: 800-871-6298
Fax..: 720-267-2794
Email: abuse@ATTBI.COM

Technical Contact, Zone Contact:
AT&T Corp.
William Holland
8372 E. Broad Street
Reynoldsburg, OH 43068
US
Phone: 614-501-2720
Fax..: 614-501-2702
Email: william.h.holland@att.com

Domain servers in listed order:

NS1.ATTBI.COM 204.127.198.4
NS2.ATTBI.COM 216.148.227.68

Sorry for all the info, but I don't put up with that kind of crap; I'd be all over their asses.
After looking at that log, hell, every address on that AT&T network is trying to spread it. Looks like AT&T needs to do something about their customers' access until they correct it. I'm assuming this is dialup too, which is probably consuming a lot of folks' precious 56k of bandwidth.

[ 26 March 2002: Message edited by: chikn ]

airedale
03-26-2002, 04:02 PM
Actually it is the broadband part of AT&T. Well, as long as I am running Linux (Apache) and not IIS I am set! I was wondering why the lights on my cable modem are always so busy! I just set this box up not too long ago, but the lights have been flashing like that for a while now!

iDxMan
03-26-2002, 07:37 PM
I get constant probes looking for typical IIS holes. Get used to it.

Here's a quick list of hits per day since 3/11. Some days nothing, others it's non-stop.


Hits Day
651 16
629 11
445 19
371 22
343 18
333 17
280 12
113 23
112 26
56 25
56 20
28 14
26 21
15 13
14 15


It's also interesting to see how many bad hits per IP. I have one IP that hit me 420 times from 3/11-3/12. Some dufus is probably probing everyone in the /16 netmask. All of the hits except for 2 or 3 are from the same IP block.

-r

SuperHornet
03-27-2002, 10:55 PM
A friend of mine showed me this script.
It displays how many times a host has attacked you.

#!/usr/bin/perl
#
# find_worm_ips.pl - A Perl script to parse Apache combined log files and
# find the IP numbers of servers that are hammering your
# Apache server because the admins of those servers are
# running unpatched versions of Microsoft IIS that are
# infected with the Code Red worm or the Nimda worm.
#
# Written by Earl C. Ruby III (eruby@knowledgematters.net)
#
# Version 0.01 - 19-SEP-2001 - Initial release
# Version 0.02 - 19-SEP-2001 - Fixed a serious bug! Script actually works now.
#
# The latest version of this script can be found at http://www.knowledgematters.net
#
# If you have additions or changes you'd like to see added, send them to
# find_worm_ips@knowledgematters.net
#
# Distributed under the terms of the GPL. Not copyrighted.

use strict;
use warnings;
use Date::Manip;

# If your Apache log files are in another location you will have to
# change the following variable.
#my $apache_log_files = '/usr/local/apache/logs/*access_log*';
my $apache_log_files = '/var/log/httpd/access_log';

# If your Apache log files use a different log file format, you
# will have to change the following two numbers.
my $ip_pstn   = 0;   # IP number is the first field in the log line
my $date_pstn = 3;   # Date is the fourth field (index 3); the time zone follows it

my $DEBUG = 1;

# Request lines sent by Nimda and by the Code Red II root.exe backdoor. Each is
# compared exactly against the quoted request in the log line.
my @worm_requests = (
    'GET /MSADC/root.exe?/c+dir HTTP/1.0',
    'GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0',
    'GET /scripts/root.exe?/c+dir HTTP/1.0',
);
my %is_worm_request = map { $_ => 1 } @worm_requests;

my %infected;   # ip => date of the most recent worm request from it
my %attacks;    # ip => number of worm requests seen from it

foreach my $file (glob $apache_log_files) {
    print "Checking: $file\n" if $DEBUG;

    open(my $log, '<', $file) or do {
        warn "Cannot open $file: $!\n";
        next;
    };

    while (my $line = <$log>) {
        chomp $line;

        # Grab the HTTP request from between the first pair of double quotes
        my $command = (split /"/, $line)[1];
        next unless defined $command;

        # Grab the IP number of the system issuing the request and the date
        my @fields = split /\s+/, $line;
        my $ip   = $fields[$ip_pstn];
        my $date = $fields[$date_pstn] . ' ' . $fields[$date_pstn + 1];

        # Code Red's default.ida request: the script compared it against the full
        # literal, which is several hundred bytes long; matching its prefix is enough.
        my $is_code_red = $command =~ m{^GET /default\.ida\?X+%u9090};

        if ($is_worm_request{$command} || $is_code_red) {
            # Found another infected IIS system
            $date =~ s/[\[\]]//g;
            $infected{$ip} = $date;
            $attacks{$ip}++;
        }
    }
    close $log;
}

# Print out the list of infected servers.
# Assume that any attacks over three days ago have been patched and fixed.
my $cdate = DateCalc("today", "- 3 days");
foreach my $ip (sort keys %infected) {
    my $idate = ParseDate($infected{$ip});
    if (Date_Cmp($idate, $cdate) == 1) {
        print "$ip\t Total attacks by this system: $attacks{$ip} \tLast attack: $infected{$ip}\n";
    }
}

iDxMan
03-28-2002, 08:12 PM
Interesting script, although I was too lazy to type all those X's. :D

Here's mine for whatever its worth...

(Didn't bother with the date. If you process multiple logs it'll only pick up the last entry, not the date.)


#!/usr/bin/perl
use strict;
use warnings;

my %data;   # ip => { COUNT => probes seen, LAST => timestamp of the last one }

while (my $line = <STDIN>) {
    chomp $line;

    # Any request for cmd.exe, root.exe or default.ida is an IIS worm probe
    next unless $line =~ /(cmd|root)\.exe|default\.ida/;

    # Client IP is the first field; the timestamp is the bracketed field
    my ($ip, $date) = $line =~ /^((?:\d{1,3}\.){3}\d{1,3}).+\[(.*?)\]/
        or next;

    $data{$ip}{COUNT}++;
    $data{$ip}{LAST} = $date;
}

# Most active source first
foreach my $ip (sort { $data{$b}{COUNT} <=> $data{$a}{COUNT} } keys %data) {
    print "IP: $ip\tAttacks: $data{$ip}{COUNT}, Last: $data{$ip}{LAST}\n";
}


Not quite as user friendly as the above -- just pipe the logs to it (assuming all logs are in combined format).

eg:

cat /var/log/httpd-access*.log | perl foo.pl

zcat /var/log/httpd-access.*.gz |perl foo.pl

.... you get it.

-r

[ 28 March 2002: Message edited by: iDxMan ]
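As an added example (not code from this thread, nor from either of the scripts posted above), here is a Python version of the same tally that covers both iDxMan's hits-per-day table and the per-IP counts the two Perl scripts produce. It parses Apache combined-log lines, decodes each request path the lenient way unpatched IIS did (so the double-encoded `%255c` and the overlong `%c0%af` both come out as a path separator, which is why the Nimda probes list so many spellings of `..\`), classifies the request as Code Red or Nimda, and counts per source IP with last-seen time and per day. The log lines are constructed for the example and use documentation IP ranges only; the `IIS_OVERLONG` table maps the byte sequences the thread's script already lists to the separator IIS decoded them to.

```python
"""Tally IIS-worm probes (Nimda, Code Red) found in Apache combined logs."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_to_bytes

# Constructed sample of combined-log lines (documentation IP ranges, not real traffic):
# three Nimda-style probes from one host, a normal hit, then a Code Red request
# and a Unicode-traversal probe from a second host on the next day.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Mar/2002:12:01:07 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
203.0.113.5 - - [26/Mar/2002:12:01:08 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
203.0.113.5 - - [26/Mar/2002:12:01:09 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
192.0.2.10 - - [26/Mar/2002:13:10:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Mar/2002:02:45:31 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 283 "-" "-"
198.51.100.7 - - [27/Mar/2002:02:45:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
"""

# Combined log format: ip ident user [timestamp] "METHOD target HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)

# Overlong / malformed UTF-8 sequences that unpatched IIS decoded as path
# separators (the MS00-078 "Unicode" traversal); Apache treats them as junk.
IIS_OVERLONG = {b"\xc0\xaf": b"/", b"\xc0/": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}


def iis_decode(target: str, rounds: int = 3) -> str:
    """Decode a request path the lenient way IIS did: peel percent-encoding
    repeatedly (so %255c -> %5c -> backslash) and map the overlong sequences."""
    data = target.encode("ascii", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for bad, good in IIS_OVERLONG.items():
        data = data.replace(bad, good)
    return data.decode("latin-1")


def classify(target: str):
    """Return 'codered', 'nimda' or None for one request target."""
    if re.match(r"/default\.ida\?.*%u[0-9a-f]{4}", target, re.I):
        return "codered"   # Code Red's .ida buffer-overflow request
    path = iis_decode(target.split("?", 1)[0])
    if re.search(r"[\\/](?:cmd|root)\.exe$", path, re.I):
        return "nimda"     # traversal to cmd.exe, or the root.exe backdoor Nimda reuses
    return None


def summarize(log_text: str) -> dict:
    """Count worm probes per source IP (with last-seen time) and per day."""
    by_ip, by_day, families = {}, Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify(m.group("target"))
        if family is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        rec = by_ip.setdefault(m.group("ip"), {"count": 0, "last": ts, "families": set()})
        rec["count"] += 1
        rec["last"] = max(rec["last"], ts)
        rec["families"].add(family)
        by_day[ts.date().isoformat()] += 1
        families[family] += 1
    return {"by_ip": by_ip, "by_day": by_day, "families": families}


def report(summary: dict) -> str:
    """Render the tally, most active source first, like the Perl scripts above."""
    lines = [f"{ip}\tattacks: {rec['count']}\tlast: {rec['last']:%d/%b/%Y:%H:%M:%S}\t"
             f"{','.join(sorted(rec['families']))}"
             for ip, rec in sorted(summary["by_ip"].items(), key=lambda kv: -kv[1]["count"])]
    lines += [f"{day}\t{n} hits" for day, n in sorted(summary["by_day"].items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

To run it over real logs, replace `SAMPLE_LOG` with the concatenated files (`zcat`/`cat` them into stdin, as iDxMan does) and feed the text to `summarize`. Decoding before matching is the point: a filter that only looks for the literal `..%255c` misses `..%%35%63` and `..%c0%af`, while on Apache all of them are just 404s worth counting, not a compromise.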