Why are these error messages in my log?


Magueta
03-27-2003, 03:21 PM
Hey all,

I've just started looking through my error_log file for Apache and there are a bunch of entries that are sort of interesting. There is a series of entries from various different IP addresses that seem to be looking for files on a Windows server in directories named winnt and system32, and they're looking for files like root.exe and cmd.exe. My first reaction is that someone is trying to find files with bugs to hack the server. There also seem to be many lines with arbitrarily long URLs with plenty of escape characters. Can you guys take a look at one of my log files and let me know what you think is going on? I've attached the file to this post; it's the first file generated since I set up my server, not the most recent.
Note: none of the IP addresses in the log belong to any part of my network except for maybe the nameservers (only one IP address).

Joe

Icarus
03-27-2003, 03:43 PM
[Thu Mar 6 18:10:38 2003] [error] [client 24.91.114.157] File does not exist: /var/www/html/scripts/..Áœ../winnt/system32/cmd.exe

That's called Nimda and Code Red ;)
Yes, they are still around...

stiles
03-27-2003, 03:55 PM
Originally posted by Magueta
I've just started looking through my error_log file for Apache and there are a bunch of entries that are sort of interesting. There is a series of entries from various different IP addresses that seem to be looking for files on a Windows server in directories named winnt and system32, and they're looking for files like root.exe and cmd.exe. My first reaction is that someone is trying to find files with bugs to hack the server.

Your first reaction is half right: it's not a someone, it's IIS worms looking to root another unpatched IIS server, coming from infected IIS servers.

Originally posted by Magueta
There also seem to be many lines with arbitrarily long URLs with plenty of escape characters.


If it's a script of some type (PHP, CGI, etc.), this sounds like someone (or a script) is trying to execute some code by exploiting poorly written scripts.

The long URLs could be an IIS WebDAV exploit.

Sorry I didn't read your error log yet, but I've seen mine plenty of times.

Magueta
03-27-2003, 04:00 PM
Couple of things: is there any way to notify them that they have this thing, and is it safe to say that they're all running Windows boxes? I've done port scans on a few of them and they all have the standard Samba ports (137 - 139), including the recently exploited 445, open. I thought it might be Samba initially, but because of what the worm is doing I thought it might be pretty much for Windows boxes only. The web pages that appear when I try to visit the sites of IPs with port 80 open are not the default for Samba, so I presume that they're running IIS.

Joe

Magueta
03-27-2003, 04:08 PM
Originally posted by stiles
If it's a script of some type (PHP, CGI, etc.), this sounds like someone (or a script) is trying to execute some code by exploiting poorly written scripts.


The thing is that it isn't coming from just one machine, it's coming from lots of machines. In one of my log files I counted 21 different machines going through the same sequence of checks.

Originally posted by stiles
The long URLs could be an IIS WebDAV exploit.

That's what I was thinking.

Joe

stiles
03-27-2003, 04:36 PM
Samba is a Windows file server work-alike, so yes, you would expect those ports on a Windows server that has file sharing on (or at least the listener(s) up for file sharing).

chrism01
03-28-2003, 02:09 PM
You could try dig or whois to find out who their ISP is and complain to them. If you're lucky they'll threaten to disconnect them if they don't fix it.
The usual address is abuse@<ispname>.com
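Two things in this thread lend themselves to a small script: Icarus identifies the cmd.exe/root.exe and traversal-encoded entries as Nimda and Code Red probes, Magueta counts distinct source machines by hand (21 in his file), and chrism01 suggests sending evidence to each ISP's abuse contact. The following is an added example, not code from the thread or from the poster's attached log: it parses Apache 1.3-style error_log lines, labels the worm probe signatures named in the thread, tallies them per source IP, and builds an evidence block for an abuse mail. The sample log lines and the IP addresses in them are constructed (RFC 5737 documentation ranges); the signature list is a heuristic assumption based only on the paths quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample error_log lines in the Apache 1.3 format the poster quotes.
# They are made up for this example and are not the poster's attached file.
# The \xc1\x9c and \xc0\xaf bytes are the decoded overlong-UTF-8 "../" forms
# that show up as odd characters in the log (the ..Áœ.. in Icarus's line).
SAMPLE_ERROR_LOG = """\
[Thu Mar  6 18:10:38 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Thu Mar  6 18:10:38 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/MSADC/root.exe
[Thu Mar  6 18:10:39 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/..\xc1\x9c../winnt/system32/cmd.exe
[Thu Mar  6 18:10:39 2003] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/..\xc0\xaf../winnt/system32/cmd.exe
[Thu Mar  6 19:02:11 2003] [error] [client 198.51.100.7] File does not exist: /var/www/html/default.ida
[Thu Mar  6 19:40:02 2003] [error] [client 203.0.113.44] File does not exist: /var/www/html/scripts/..\\../winnt/system32/cmd.exe
[Thu Mar  6 20:15:57 2003] [error] [client 192.0.2.55] File does not exist: /var/www/html/favicon.ico
[Thu Mar  6 20:16:00 2003] [notice] Apache/1.3.27 (Unix) configured -- resuming normal operations
"""

# [timestamp] [level] [client a.b.c.d] message  (Apache 1.3 / 2.0 error_log layout)
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$"
)

# Heuristic labels for the probes discussed in the thread; first match wins.
SIGNATURES = [
    ("code-red", re.compile(r"/default\.ida$", re.I)),
    ("nimda", re.compile(r"(root|cmd)\.exe$", re.I)),
]

# ".." followed by non-slash junk and another ".." is a decoded directory
# traversal trick (backslash or overlong UTF-8 in place of a plain "../").
ENCODED_TRAVERSAL = re.compile(r"\.\.[^/]*\.\./")


def parse_line(line):
    """Split one error_log line into its fields, or None for lines without a client IP."""
    m = ERROR_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(msg):
    """Return a probe label for the requested path, or None for an ordinary 404."""
    for label, pattern in SIGNATURES:
        if pattern.search(msg):
            return label
    return None


def summarize(log_text):
    """Map each source IP that sent a worm-style probe to a Counter of labels."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry["msg"])
        if label is None:
            continue  # normal missing file, not part of the worm sequence
        hits[entry["ip"]][label] += 1
        if ENCODED_TRAVERSAL.search(entry["msg"]):
            hits[entry["ip"]]["encoded-traversal"] += 1
    return dict(hits)


def worm_sources(log_text):
    """Sorted list of distinct probing IPs: the count Magueta did by hand."""
    return sorted(summarize(log_text))


def abuse_report(log_text, ip):
    """Plain-text evidence block to paste into a mail to the ISP's abuse address."""
    evidence = [
        line for line in log_text.splitlines()
        if (e := parse_line(line)) and e["ip"] == ip and classify(e["msg"])
    ]
    header = f"Worm-style probes from {ip} against our Apache server ({len(evidence)} requests):"
    return "\n".join([header, *evidence])


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_ERROR_LOG).items():
        print(ip, dict(counts))
    print(f"{len(worm_sources(SAMPLE_ERROR_LOG))} distinct probing hosts")
    print()
    print(abuse_report(SAMPLE_ERROR_LOG, "198.51.100.7"))
```

To run it on a real file, replace SAMPLE_ERROR_LOG with the contents of error_log; the `[notice]` and plain-404 lines are skipped by design, so only the worm sequence is counted. The labels are only as good as the path list, so extend SIGNATURES if your log shows other repeated probe paths.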