apache logs what does this all mean??


ultimate_newbie
09-25-2002, 04:05 AM
Hi,

I've just got Apache up and running a few days ago and was very happy. I then checked out the access_log and error_log and notice a ton of GET requests from IP addresses I've never seen for:

/winnt/system32/cmd.exe?
/MSADC/root.exe?
/scripts/roos.exe?

What does all this mean? Should I be worried? Is this a virus, or someone hacking, thinking it's IIS running? Any answers would be greatly appreciated, thanks.

nomo_green
09-25-2002, 11:04 AM
It is an attempted attack; since those files don't exist, you're OK. Probably Nimda, coming from another infected Nimda machine.

some info here:

http://www.securityspace.com/smysecure/w32_nmda_amm.html

i read this from another post somewhere:

Yes, it is a nimda intrusion attempt alright, originating from another nimda-compromised system.

Being in the security response team, my group has to deal with tons of such logs to pinpoint the Nimda-compromised systems.

To aid incident response, what I did was to write CGI scripts called root.exe and cmd.exe. Within the script, the originating source IP is identified. If it is a company IP address, the script performs a check of the MAC address and the registered owner of the MAC address. If it is an external IP address, the script performs a check with the ARIN database lookup for the domain owner. Subsequently, the script sends an automated email indicating a suspected nimda-compromised system to the owner or domain owner.

That saves us the huge administration overhead in incident response considering the number of nimda occurrences.

For protection, if you are a firewall administrator, you can protect your servers by performing layer-7 application-layer filtering on HTTP packets, blocking all accesses to any URLs containing cmd.exe and root.exe. That blocks Nimda at the HTTP level. Note that the Nimda worm traverses through writeable shared folders over NetBIOS as well. For Code Red, filter out all HTTP packets containing default.ida or default.idq in the payload. Other signatures to filter include readme.exe, readme.eml and admin.dll etc. You can add to the list as you learn of new signatures.

Pat yourself on the back for detecting it. If more people would check their logs and actually analyze them, these attacks wouldn't be able to spread so easily.

macster465
09-25-2002, 07:32 PM
Haha...I get those all the time too...