Koozali.org: home of the SME Server

error_log & access_log - odd entries, being hacked ?!?!

Patrick Basile

error_log & access_log - odd entries, being hacked ?!?!
« on: October 13, 2001, 02:54:44 AM »
Hello everyone,

I'm trying to set up SARG on my e-smith 4.1.2 server, and have installed both sarg and the e-smith setup provided in the HOW TO.

As others have (from posts I have seen) I get the '403 forbidden' error when I try to access either http://bcsrv1/supervisor or http://bcsrv1/squid-reports.  Not sure why, any ideas?

BUT, the main reason for my post is that while digging around in the log files under /var/log/httpd I found some weird entries in the 'error_log' file, which I will paste below (sorry for the length):

======================================================
...there's more above, but I didn't want to put too much here
[Fri Oct 12 16:53:47 2001] [error] [client 64.3.182.110] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Fri Oct 12 16:53:52 2001] [error] [client 64.3.182.110] File does not exist: /home/e-smith/files/primary/html/d/winnt/system32/cmd.exe
[Fri Oct 12 16:53:56 2001] [error] [client 64.3.182.110] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Fri Oct 12 16:54:06 2001] [error] [client 64.3.182.110] File does not exist: /home/e-smith/files/primary/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Fri Oct 12 16:54:06 2001] [error] [client 64.3.182.110] File does not exist: /home/e-smith/files/primary/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Fri Oct 12 16:54:10 2001] [error] [client 64.3.182.110] File does not exist: /home/e-smith/files/primary/html/msadc/..%5c../..%5c../..%5c/....../....../....../winnt/system32/cmd.exe
[Fri Oct 12 16:54:14 2001] [error] [client 64.3.182.110] File does not exist: /home/e-smith/files/primary/html/scripts/....../winnt/system32/cmd.exe
[Fri Oct 12 16:54:59 2001] [error] [client 192.168.1.249] Directory index forbidden by rule: /var/www/html/squid-reports/
[Fri Oct 12 16:55:08 2001] [error] [client 192.168.1.249] client denied by server configuration: /home/e-smith/files/ibays/supervisor/html
[Fri Oct 12 16:58:39 2001] [notice] SIGUSR1 received.  Doing graceful restart
[Fri Oct 12 16:58:40 2001] [notice] Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.5a PHP/4.0.3pl1 configured -- resuming normal operations
[Fri Oct 12 16:58:40 2001] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 12 17:02:20 2001] [notice] SIGUSR1 received.  Doing graceful restart
[Fri Oct 12 17:02:20 2001] [notice] Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.5a PHP/4.0.3pl1 configured -- resuming normal operations
[Fri Oct 12 17:02:20 2001] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Oct 12 17:02:54 2001] [error] [client 64.24.60.119] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe
[Fri Oct 12 17:03:03 2001] [error] [client 64.24.60.119] File does not exist: /home/e-smith/files/primary/html/MSADC/root.exe
[Fri Oct 12 17:03:32 2001] [error] [client 192.168.1.249] Directory index forbidden by rule: /var/www/html/squid-reports/
[Fri Oct 12 17:04:04 2001] [error] [client 192.168.1.249] File does not exist: /home/e-smith/files/primary/html/favicon.ico
[Fri Oct 12 17:07:10 2001] [error] [client 192.168.1.249] client denied by server configuration: /home/e-smith/files/ibays/supervisor/html
==========================================================

I'm curious about the errors from [client 64.3.182.110], does anyone know what is going on here?  Is this normal?  That is an external IP from the Internet, so is this a hack attempt?

I have also included a portion of the access_log file as well for your review below:

===========================================================
www.bridgesatbentcreek.com 64.3.182.110 - - [12/Oct/2001:16:53:46 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
www.bridgesatbentcreek.com 64.3.182.110 - - [12/Oct/2001:16:53:47 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.bridgesatbentcreek.com 64.3.182.110 - - [12/Oct/2001:16:53:52 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.bridgesatbentcreek.com 64.3.182.110 - - [12/Oct/2001:16:53:56 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.bridgesatbentcreek.com 64.3.182.110 - - [12/Oct/2001:16:54:06 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
www.bridgesatbentcreek.com 64.3.182.110 - - [12/Oct/2001:16:54:06 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
www.bridgesatbentcreek.com 64.3.182.110 - - [12/Oct/2001:16:54:10 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
www.bridgesatbentcreek.com 64.3.182.110 - - [12/Oct/2001:16:54:14 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.bridgesatbentcreek.com 64.3.182.110 - - [12/Oct/2001:16:54:16 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
==========================================================

Can anyone help me with this?  Thanks.

Regards,
Patrick

Chaloner Hale

Re: error_log & access_log - odd entries, being hacked ?
« Reply #1 on: October 13, 2001, 03:12:24 AM »
Looks like the Nimda Worm to me... Certainly "system32/cmd.exe?/c+dir" this is highly likely.

Does not mean you are infected, just that they are trying to get in...

Luke Drumm

Re: error_log & access_log - odd entries, being hacked ?
« Reply #2 on: October 13, 2001, 03:29:33 AM »
...one might add with very little luck. It's funny how IIS/NT based attacks just don't really seem to do the job when you're running Apache/Linux.

Patrick Basile

Re: error_log & access_log - odd entries, being hacked ?
« Reply #3 on: October 13, 2001, 03:37:16 AM »
Luke/Chaloner,

Thank you for responding to my post so quickly!  So - based on what you see in these logs my server is being attacked by the Nimda worm?  Is there a way to make sure that my server has not been compromised?

Should I be doing anything to my server to make sure it remains secure from this Nimda worm and other nasty little bugs...or is the e-smith 4.1.2 security configuration solid enough that I can leave it alone?

Sure wish these virus/worm creators would spend their time doing something good for society instead of wasting our time having to worry about all these bugs!

Thanks again...

Regards,
Patrick

Dan Brown

Re: error_log & access_log - odd entries, being hacked ?
« Reply #4 on: October 13, 2001, 03:41:30 AM »
Yes, there's a very easy way to be sure your server hasn't been compromised by Nimda--make sure it isn't running IIS.  That's it.

Patrick Basile

Re: error_log & access_log - odd entries, being hacked ?
« Reply #5 on: October 13, 2001, 05:16:16 AM »
Dan,

I forgot that Nimda only goes after IIS web servers...hehehe, sorry. :)  Of course I'm happy to hear that my e-smith server (running Apache!) will avoid the trouble.

I noticed that on your site, Dan (http://familybrown.org), you have a neat little reporting page (http://familybrown.org/apache-hits.php) that shows the Code Red/Nimda worm hits.  Is this easy to set up?  And how is it done?  I'd love to set this type of reporting up on my server to be able to see how many times my server is hit.

Thanks a lot!

Regards,
Patrick

Dan Brown

Re: error_log & access_log - odd entries, being hacked ?
« Reply #6 on: October 13, 2001, 04:59:30 PM »
The reporting page is one I grabbed from Darrell at myezserver.com, but you can see the source at http://familybrown.org/apache-hits.phps.
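Dan's reporting page counts Code Red/Nimda hits against Apache. As an added illustration (not the page from familybrown.org or myezserver.com, and not part of this thread), here is a small Python script that parses access_log lines in the virtual-host-prefixed format shown above and counts probe requests per client IP and per signature. The sample log lines, host name and addresses are constructed; the `default.ida` signature for Code Red is an assumption, as it does not appear in the excerpt.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log with a leading virtual-host field, as in the post's access_log.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Signatures from the thread (Nimda's cmd.exe / root.exe probes) plus Code Red's
# default.ida request, which is an assumption: it does not appear in the excerpt.
PROBE_PATTERNS = [
    ("cmd.exe", re.compile(r"winnt/system32/cmd\.exe", re.I)),
    ("root.exe", re.compile(r"/root\.exe", re.I)),
    ("default.ida", re.compile(r"/default\.ida", re.I)),
]

def classify(path):
    """Return the probe signature matched by a request path, or None for normal traffic."""
    # Decode twice so double-encoded traversals (..%255c..) read as ..%5c..; the overlong UTF-8
    # forms (%c1%1c) never decode cleanly, but the cmd.exe / root.exe tail is always unencoded.
    decoded = unquote(unquote(path))
    for name, pattern in PROBE_PATTERNS:
        if pattern.search(decoded):
            return name
    return None

def summarize(lines):
    """Count probe hits per client IP and per signature: (per_client, per_sig, unparsed)."""
    per_client, per_sig, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1      # counted so a log-format change cannot hide probes silently
            continue
        sig = classify(m.group("path"))
        if sig is not None:    # ordinary 404s/403s such as favicon.ico are skipped
            per_client[m.group("client")] += 1
            per_sig[sig] += 1
    return per_client, per_sig, unparsed

# Constructed sample in the post's access_log format (documentation and private addresses).
SAMPLE_LOG = """\
www.example.org 192.0.2.10 - - [12/Oct/2001:16:53:46 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
www.example.org 192.0.2.10 - - [12/Oct/2001:16:53:56 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.example.org 192.0.2.10 - - [12/Oct/2001:16:54:14 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.example.org 198.51.100.7 - - [12/Oct/2001:17:02:54 -0400] "GET /scripts/root.exe HTTP/1.0" 404 203 "-" "-"
www.example.org 192.168.1.249 - - [12/Oct/2001:17:04:04 -0400] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/4.0"
"""
```

Calling `summarize(SAMPLE_LOG.splitlines())` on the sample attributes three probes to 192.0.2.10 and one to 198.51.100.7, while the internal client's favicon.ico 404 is not counted; on a real server, feed it the lines of /var/log/httpd/access_log instead.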