[H-GEN] weird web server logs
Tony Nugent
tony at linuxworks.com.au
Sat Feb 22 19:59:30 EST 2003
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
I have been browsing through some apache logs, and came across some
interesting entries that show what are obviously remote web server
exploit attempts.
I'm wondering if anyone here knows exactly what these are (worms?
Nimda, Code Red?).
First exploit
-------------
==> /var/log/httpd/access_log <==
218.16.112.106 - - [22/Feb/2003:18:14:59 +1000] "\x04\x01" 501 -
==> /var/log/httpd/error_log <==
[Sat Feb 22 18:14:59 2003] [error] [client 218.16.112.106] Invalid method in request \x04\x01
==> /var/log/httpd/access_log <==
218.16.112.106 - - [22/Feb/2003:18:15:10 +1000] "\x05\x01" 501 -
218.16.112.106 - - [22/Feb/2003:18:15:10 +1000] "CONNECT 207.46.181.13:25 HTTP/1.1" 405 313
==> /var/log/httpd/error_log <==
[Sat Feb 22 18:15:10 2003] [error] [client 218.16.112.106] Invalid method in request \x05\x01
All over in 10 seconds. The source IP doesn't resolve.
Essentially this is a spammer open relay attempt, used like this to
hide its true origin.
(I've seen this sort of exploit used with web proxy servers that
have poor ACLs to prevent CONNECT from unauthorised sources... in
this case the target server happens to be smtp-gw-4.msn.com).
It's interesting to see this attempt to use the web server as a
proxy... perhaps this exploit is looking for proxy servers
listening on port 80? Or is CONNECT a valid http method?
Second exploit
--------------
This is an obvious "root-access" attempt to exploit problems with
vulnerable versions of m$-IIS.
The full first and last log entries of an event are recorded here to
illustrate the total time (10 seconds). Below that is a summary of
the "file not found" errors. This can happen several times/day,
from different IPs, and like this one the src IP does not resolve.
==> /var/log/httpd/error_log <==
[Mon Feb 17 05:35:55 2003] [error] [client 203.250.76.140] File does not exist: /var/www/html/scripts/root.exe
...
[Mon Feb 17 05:36:05 2003] [error] [client 203.250.76.140] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
File does not exist:
/var/www/html/scripts/root.exe
/var/www/html/MSADC/root.exe
/var/www/html/d/winnt/system32/cmd.exe
/var/www/html/scripts/..%5c../winnt/system32/cmd.exe
/var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/var/www/html/msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe
/var/www/html/scripts/..\xc1\x1c../winnt/system32/cmd.exe
/var/www/html/scripts/..\xc0\xaf../winnt/system32/cmd.exe
/var/www/html/scripts/..\xc1\x9c../winnt/system32/cmd.exe
/var/www/html/scripts/..%5c../winnt/system32/cmd.exe
/var/www/html/scripts/..%2f../winnt/system32/cmd.exe
I'd really like to have the web server outright refuse to respond to
these sorts of queries... is it possible to get apache to automatically
block (or ignore) IPs that do this - especially not to respond with
any error message (ie, ignore the request)?
Cheers
Tony
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/
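Added example (not part of Tony's post, and not from any tool he mentions): a small Python classifier that runs over Apache access_log lines and picks out the three kinds of entry the post reproduces. Two facts it relies on: "\x04\x01" and "\x05\x01" are the first two bytes of a SOCKS4 connect request and a SOCKS5 client greeting respectively (so the client was probing for an open SOCKS proxy on port 80 before trying HTTP CONNECT, which is a valid HTTP/1.1 method for tunnelling through a proxy), and the root.exe / cmd.exe paths with "..%5c", "..%2f", "%c0%af", "%c1%1c" and "%c1%9c" are the IIS directory-traversal probes sent by Nimda, which also uses the double-encoded "%255c". The sample log lines, IP addresses and timestamps below are constructed for the example; the IIS_PROBE_RE and TRAVERSAL_RE patterns are my own, not a published signature set.

```python
import re
from collections import defaultdict

# Constructed sample access_log lines (Apache common log format), modelled
# on the entries in the post. Apache writes non-printable request bytes as
# \xNN escapes, so the raw string keeps those backslashes literal.
SAMPLE_ACCESS_LOG = r"""
192.0.2.10 - - [22/Feb/2003:18:14:59 +1000] "\x04\x01" 501 -
192.0.2.10 - - [22/Feb/2003:18:15:10 +1000] "\x05\x01" 501 -
192.0.2.10 - - [22/Feb/2003:18:15:10 +1000] "CONNECT 198.51.100.25:25 HTTP/1.1" 405 313
192.0.2.20 - - [17/Feb/2003:05:35:55 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.20 - - [17/Feb/2003:05:35:56 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.20 - - [17/Feb/2003:05:35:57 +1000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.30 - - [22/Feb/2003:12:00:00 +1000] "GET /index.html HTTP/1.1" 200 1234
192.0.2.30 - - [22/Feb/2003:12:00:01 +1000] "POST /cgi-bin/form HTTP/1.1" 200 88
""".strip().splitlines()

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
# A well-formed request line; HTTP/0.9 simple requests have no version.
REQ_RE = re.compile(r"^[A-Z]+ \S+( HTTP/\d\.\d)?$")
# Files and directories the IIS worm probes ask for (hypothetical pattern set).
IIS_PROBE_RE = re.compile(r"(root\.exe|cmd\.exe|/_vti_bin/|/_mem_bin/|/msadc/)", re.IGNORECASE)
# ".." followed by an encoded, double-encoded (%25..), overlong-UTF-8 or literal separator.
TRAVERSAL_RE = re.compile(
    r"\.\.((%25|%)(5c|2f|c0%af|c1%1c|c1%9c)|[\\/])", re.IGNORECASE)


def decode_apache_escapes(s):
    """Turn the \\xNN escapes Apache writes for non-printable bytes back into characters."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def classify(line):
    """Parse one access_log line; return a dict with ip, status, request and a label,
    or None if the line is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = decode_apache_escapes(m.group("req"))
    parts = req.split(" ")
    if req[:2] in ("\x04\x01", "\x05\x01"):
        label = "socks-handshake"      # SOCKS4 request / SOCKS5 greeting sent to port 80
    elif not REQ_RE.match(req):
        label = "non-http"             # some other protocol or junk
    elif parts[0] == "CONNECT":
        label = "proxy-connect"        # open-proxy relay attempt (e.g. CONNECT host:25)
    elif IIS_PROBE_RE.search(parts[1]) or TRAVERSAL_RE.search(parts[1]):
        label = "iis-traversal"        # Nimda / Code Red II style probe
    else:
        label = "normal"
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "request": req, "label": label}


def suspect_ips(lines):
    """Map each client IP to the set of non-normal labels seen for it.
    The keys are what you would hand to a firewall blocklist."""
    hits = defaultdict(set)
    for line in lines:
        r = classify(line)
        if r and r["label"] != "normal":
            hits[r["ip"]].add(r["label"])
    return dict(hits)


if __name__ == "__main__":
    for ip, labels in sorted(suspect_ips(SAMPLE_ACCESS_LOG).items()):
        print(ip, ",".join(sorted(labels)))
```

The classifier only reads the log; Apache itself cannot stay silent on a request it has already accepted, so the usual answer to the "ignore them entirely" wish is to feed the IPs this produces to a packet filter and let the firewall drop the connections before httpd ever sees them.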