My apache server is under attack
1lutz2
10-09-2001, 11:52 AM
It appears that somebody is scanning to execute some sort of windows-executable code on my new non-public linux/apache web server. I have seen these attacks from various sources on the internet. Found out today that these have been going on since I brought the server up. These attacks are probably scanning a whole range of addresses looking for vulnerable (windows) web servers. I plan to report it to the ISP owning the source address. Any other ideas what I should do to log/block these attacks? Apparently there is fairly decent security on apache by default, but I could use some basic guidelines on the server security.
From the error_log:
[Tue Oct 9 11:05:38 2001] [error] [client 4.43.212.20] File does not exist: /var/www/html/scripts/..À¯../winnt/system32/cmd.exe
[Tue Oct 9 11:05:38 2001] [error] [client 4.43.212.20] File does not exist: /var/www/html/scripts/..Á../winnt/system32/cmd.exe :eek:
mangeli
10-09-2001, 12:14 PM
Set up a script that executes when you're scanned. It sends back a flood of aol.exe files.
If you search this site, I think there are directions on how to do this.
Notfromkansas
10-09-2001, 12:32 PM
I might be mistaken but I think it is the NIMDA worm. These attacks probably come from infected computers and the people who own them are most likely innocent and have no idea that the worm is using their computer to attack web servers. I do not think you should report them to their ISPs, who might misinterpret the situation and throw them out.
Furthermore, if you are running apache you are not affected by the worm and therefore have nothing to worry about.
For further information: http://www.cert.org/advisories/CA-2001-26.html
I hope this helps you.
element-x
10-09-2001, 01:10 PM
It could be any of the Nimda/CodeRed or MSADC worm/exploits.
Unless you're running IIS, I don't think you have to worry.
slacker_x
10-09-2001, 01:18 PM
Originally posted by Notfromkansas:
I might be mistaken but I think it is the NIMDA worm. These attacks probably come from infected computers and the people who own them are most likely innocent and have no idea that the worm is using their computer to attack web servers.
Change "innocent" to "ignorant" and I think you have it. ;)
1lutz2
10-09-2001, 07:03 PM
So, I guess it's "Welcome to the world of web service. Don't be surprised if you see these hits all the time" :) Thanks to all for your responses.
slayer17
10-09-2001, 10:03 PM
It won't affect your system but it will f up your bandwidth. I was hit on my sun box and it damn near filled up my var file.
MarkLeong
10-10-2001, 09:34 AM
And if you are on a volume-based type of connection you would be paying for the extra traffic.
Craig McPherson
10-10-2001, 10:30 AM
Add this to your httpd.conf:
SetEnvIf Request_URI "/*cmd\.exe$" dontlog
SetEnvIf Request_URI "/*default\.ida$" dontlog
SetEnvIf Request_URI "/*root\.exe$" dontlog
Then, when you define your log files, add env=!dontlog to them. For example:
CustomLog logs/full.log full env=!dontlog
The requests will no longer show up in your main log file. They'll still show up in your error log (I don't know of a way to exclude them from there), but your main log file will be clean.
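An added example, not from the thread, in Python: it parses error_log lines in the format quoted above, applies the same three SetEnvIf patterns to decide which requests are worm probes (the "dontlog" decision), flags the overlong-UTF-8 "../" encoding seen in the cmd.exe requests, and tallies probes per client address so you can see who is scanning before deciding what to report or block. The sample log lines are constructed, with documentation-range IPs standing in for real clients.

```python
import re
from collections import Counter
# Constructed error_log sample in the thread's format (documentation-range IPs).
# "\xc0\xaf" / "\xc1\x9c" are overlong UTF-8 "/" and "\" as read in Latin-1.
SAMPLE_ERROR_LOG = (
    "[Tue Oct 9 11:05:38 2001] [error] [client 192.0.2.20] File does not exist: /var/www/html/scripts/..\xc0\xaf../winnt/system32/cmd.exe\n"
    "[Tue Oct 9 11:05:38 2001] [error] [client 192.0.2.20] File does not exist: /var/www/html/scripts/..\xc1\x9c../winnt/system32/cmd.exe\n"
    "[Tue Oct 9 11:06:02 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/default.ida\n"
    "[Tue Oct 9 11:07:15 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/MSADC/root.exe\n"
    "[Tue Oct 9 11:08:40 2001] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico\n"
)

ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist: (?P<path>.*)$"
)

# The three SetEnvIf patterns from the thread; Apache applies them as an
# unanchored search, so re.search gives the same "dontlog" decision.
PROBE_PATTERNS = {
    "cmd.exe": re.compile(r"/*cmd\.exe$"),
    "default.ida": re.compile(r"/*default\.ida$"),
    "root.exe": re.compile(r"/*root\.exe$"),
}

# Overlong two-byte UTF-8 sequence between the dots: the "..%c0%af.." trick
# that slips past a literal "../" check.
OVERLONG_TRAVERSAL = re.compile(r"\.\.[\xc0\xc1][\x80-\xbf]\.\.")

def classify_request(path):
    """Return the probe label the SetEnvIf rules would tag, else None."""
    for label, pattern in PROBE_PATTERNS.items():
        if pattern.search(path):
            return label
    return None

def has_overlong_traversal(path):
    """True if the path carries an overlong-UTF-8 encoded '..' separator."""
    return OVERLONG_TRAVERSAL.search(path) is not None

def summarize_probes(log_text):
    """Tally worm probes per client IP as {ip: Counter({label: count})}."""
    per_ip = {}
    for line in log_text.splitlines():
        m = ERROR_LINE.match(line)
        label = classify_request(m.group("path")) if m else None
        if label is not None:
            per_ip.setdefault(m.group("ip"), Counter())[label] += 1
    return per_ip
```

Run summarize_probes over your real error_log text to get a per-address count of the three probe types; addresses with only non-probe 404s (the favicon.ico line in the sample) are left out of the summary.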