Koozali.org: home of the SME Server

windows hack attempts?

Kirk Ferguson

windows hack attempts?
« on: January 22, 2003, 11:37:40 PM »
I have some strange entries in the httpd_error log.  Has anyone else seen entries like these in their logs?  I get them from multiple IPs daily.  
I'm curious as to whether others have seen these types of messages, and whether they are indeed attempts to hack in.

Here is a sample:

[Tue Jan 21 13:48:32 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe
[Tue Jan 21 13:48:35 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Tue Jan 21 13:48:37 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..Á../winnt/system32/cmd.exe
[Tue Jan 21 13:48:37 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..À¯../winnt/system32/cmd.exe
[Tue Jan 21 13:48:38 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..Áœ../winnt/system32/cmd.exe
[Tue Jan 21 13:48:40 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Tue Jan 21 13:48:40 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..%2f../winnt/system32/cmd.exe
[Tue Jan 21 15:04:26 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe

and on and on...
--------------------------
Kirk

Thomas Kristensen

Re: windows hack attempts?
« Reply #1 on: January 22, 2003, 11:47:53 PM »
These entries are footprints left by the Nimda virus trying to gain access to a commandline session on your server. Good thing it's not a Windows machine :-)  

BTW, you can ignore these hits, they are annoying but they do no harm and until virus scanners become mandatory for computer owners I guess we just have to live with it :-)

Hope this helps,
Thomas Kristensen

tkerns

Re: windows hack attempts?
« Reply #2 on: January 23, 2003, 12:01:48 AM »
I see these also but from external IP addresses.... is this from someone just looking at my web pages that has an infected computer, or is this an attack by someone trying to gain access? Thanks

Bill Talcott

Re: windows hack attempts?
« Reply #3 on: January 23, 2003, 12:05:19 AM »
http://myezserver.com/downloads/mitel/contrib/apache-hits/ is a PHP script that will show these attempts on a webpage. See http://www.chrouch.com/worms/ for an example.

Greg Zartman

Re: windows hack attempts?
« Reply #4 on: January 23, 2003, 12:14:13 AM »
I've gotten those log messages ever since Code Red hit the streets.  Nothing to worry about.

Greg Zartman

Michael Maggard

Re: windows hack attempts?
« Reply #5 on: January 24, 2003, 02:59:49 AM »
tkerns wrote:
>
> I see these also but from external IP addresses.... is this
> from someone just looking at my web pages that has an
> infected computer, or is this an attack by someone trying
> to gain access? Thanks

These are mindless automated attempts by already-infected Windows boxes trying to infect your server. As you're running Linux and not Windows and your box is presumably otherwise well secured you've nothing to worry about.

These attempts are not directed specifically at you or your server(s); they're generally not heavy enough to cause any network traffic or server load issues. These days they're just constant background noise.

If these attacks were to come from a machine within your network you should track it down and clean it up. For outside machines if you're motivated you can track down their owner or contact their ISP but frankly most of us have given up and assume these folks will come to their own bad ends, deserving or not.

In the meantime I'll point out you can find out everything about these by simply entering them as search keys in Google or whatever you like for a search engine. Indeed this is good strategy for many otherwise mysterious log entries where nearly always someone else has already asked the same question and gotten a comprehensive answer.

Nimda, Code Red, et al. are not new and are widely and very well documented.
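The two practical questions in this thread are "is this line a worm probe?" (Kirk's sample) and "is it coming from one of my own machines?" (Michael's advice to clean up internal hosts). The script below is an added example, not part of the original thread or of SME Server; it parses Apache error_log lines of the shape posted above and tags the known IIS probe targets (root.exe, the Code Red II backdoor that Nimda also scans for, and cmd.exe reached by directory traversal) together with the encoding used. Apache writes the decoded request path to the log, so the overlong UTF-8 sequences the worm sends (%c0%af, %c1%1c, %c1%9c) land in the file as raw bytes; the posted lines render those bytes as Á, À¯ and Áœ, and the sample log here encodes them as the same bytes. The sample lines, the internal address 192.168.1.40, the 10.0.0.7 favicon request and the log path in the usage note are all constructed for the example.

```python
"""Classify Nimda / Code Red style IIS probes in an Apache error_log."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the lines posted in the thread.  Apache logs
# the *decoded* path, so %c1%1c etc. appear as raw bytes 0xC1 0x1C; read a real
# log with encoding="latin-1" so every byte maps to exactly one code point.
SAMPLE_LOG = [
    "[Tue Jan 21 13:48:32 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe",
    "[Tue Jan 21 13:48:35 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe",
    "[Tue Jan 21 13:48:37 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..\xc1\x1c../winnt/system32/cmd.exe",
    "[Tue Jan 21 13:48:37 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..\xc0\xaf../winnt/system32/cmd.exe",
    "[Tue Jan 21 13:48:40 2003] [error] [client 12.147.21.21] File does not exist: /home/e-smith/files/primary/html/scripts/..%2f../winnt/system32/cmd.exe",
    # Hypothetical infected host inside the LAN (the case Michael says to chase).
    "[Tue Jan 21 15:04:26 2003] [error] [client 192.168.1.40] File does not exist: /home/e-smith/files/primary/html/scripts/root.exe",
    # Ordinary 404 noise that must not be counted as a probe.
    "[Tue Jan 21 15:10:02 2003] [error] [client 10.0.0.7] File does not exist: /home/e-smith/files/primary/html/favicon.ico",
]

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] "
    r"File does not exist: (?P<path>.*)$"
)

# What the worm is looking for once it reaches /scripts/.
TARGETS = [
    ("root.exe backdoor", re.compile(r"/root\.exe$", re.IGNORECASE)),
    ("cmd.exe traversal", re.compile(r"/winnt/system32/cmd\.exe$", re.IGNORECASE)),
]

# Traversal encodings the probes cycle through, as they appear in the log:
# %5c / %2f stay percent-encoded, the overlong forms arrive as raw bytes.
ENCODINGS = [
    (re.compile(r"%5c", re.IGNORECASE), "url-encoded backslash"),
    (re.compile(r"%2f", re.IGNORECASE), "url-encoded slash"),
    (re.compile("\xc0\xaf"), "overlong UTF-8 slash (%c0%af)"),
    (re.compile("\xc1\x1c"), "overlong UTF-8 backslash (%c1%1c)"),
    (re.compile("\xc1\x9c"), "overlong UTF-8 backslash (%c1%9c)"),
]


def parse_line(line):
    """Return (timestamp, client_ip, path), or None for lines of another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    return (m["ts"], m["ip"], m["path"]) if m else None


def classify_path(path):
    """Return (target, encoding) for a worm probe, or None for an ordinary 404."""
    for target, pattern in TARGETS:
        if pattern.search(path):
            encoding = next((name for pat, name in ENCODINGS if pat.search(path)), None)
            return target, encoding
    return None


def summarize(lines):
    """Per source IP: whether it is a private (RFC 1918 / non-routable) address,
    i.e. one of your own hosts to clean up, and a Counter of probes seen."""
    report = defaultdict(lambda: {"internal": False, "hits": Counter()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, ip, path = parsed
        hit = classify_path(path)
        if hit is None:
            continue
        entry = report[ip]
        entry["internal"] = ipaddress.ip_address(ip).is_private
        entry["hits"][hit] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        where = "INTERNAL, clean it up" if entry["internal"] else "external"
        print(f"{ip} ({where}):")
        for (target, encoding), n in entry["hits"].most_common():
            print(f"  {n:3d}  {target:18s} via {encoding or 'plain path'}")
```

To run it over a real log instead of the embedded sample, open the file with `encoding="latin-1"` (for example `with open("/var/log/httpd/error_log", encoding="latin-1") as f: summarize(f)`; the path is an assumption, use whatever your server's httpd error log is) so the raw 0xC0/0xC1 bytes survive as single characters. Any IP the report flags as internal is the case Michael describes: an infected machine on your own network, worth tracking down rather than ignoring.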

Ray Mitchell

Re: windows hack attempts?
« Reply #6 on: January 24, 2003, 11:38:19 AM »
Bill
I downloaded & expanded the file. What do I do with/where do I put the apache-hits.php file ??
Thanks in advance
Ray Mitchell

Graeme Fleming

Re: windows hack attempts?
« Reply #7 on: January 24, 2003, 12:18:46 PM »
You could load the Snort/Acid IDS on the server and check out the more detailed info available via this interface.  Allows you to do some basic analysis/tracking if you want.