apache hack attempt
reiign
05-23-2004, 10:16 AM
While I was checking my Apache access log I found this:
66.214.64.63 - - [23/May/2004:03:26:33 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
It's long, so I only pasted a short snippet.
After that I found this one:
32.101.14.49 - - [23/May/2004:04:44:26 -0700] "get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 - "-" "-"
Ya, I know someone is trying to crash my server. Very nice.
What exploit / hack are they trying to get out of this?
squeegy
05-23-2004, 10:27 AM
Try G4L (http://www.gooogle.com/linux) I know it pops up there quite a few times.
DSwain
05-23-2004, 10:29 AM
Hmm, well, I don't have the beginning part, but my Windows server also gets hit by the same type of NT scripts or something. They're never hit, though. I heard once that it may possibly be a worm or something that just attacks those things constantly. I get them all the time too, never any harm done.
mdwatts
05-23-2004, 10:31 AM
Code Red?
G4L search results for '/winnt/system32/cmd.exe virus' (http://www.google.com/linux?hl=en&lr=&ie=UTF-8&q=%2Fwinnt%2Fsystem32%2Fcmd.exe+virus&btnG=Google+Search). That wasn't too hard at all. :p
Icarus
05-23-2004, 12:23 PM
Ya, that's Code Red or one of the 12 dozen variants.
Apache/Linux servers are safe from this attack; all it does is use bandwidth and fill the logs.
DSwain
05-23-2004, 12:47 PM
You know what's amusing: I run a Windows server, and get the same thing from my logs, and yet I don't have any problems with it at all.
What a waste of time, writing viruses, especially ones like that, SHEESH.
bwkaz
05-23-2004, 01:40 PM
Originally posted by DSwain
You know what's amusing: I run a Windows server, and get the same thing from my logs, and yet I don't have any problems with it at all.
Then you're one of the smart people that has patched their version of IIS against this particular worm. Good job; and oh, by the way, good luck on the next one. ;)
maccorin
05-23-2004, 02:28 PM
Originally posted by reiign
While I was checking my Apache access log I found this:
66.214.64.63 - - [23/May/2004:03:26:33 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
It's long, so I only pasted a short snippet.
After that I found this one:
32.101.14.49 - - [23/May/2004:04:44:26 -0700] "get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 - "-" "-"
Ya, I know someone is trying to crash my server. Very nice.
What exploit / hack are they trying to get out of this?
# Drop all inbound traffic from the two scanning hosts seen in the log
BLACKLIST=(66.214.64.63 32.101.14.49)
for i in "${BLACKLIST[@]}"; do
    iptables -A INPUT -s "$i" -j DROP
done
Do that and then don't care what worm they have ;p
DSwain
05-23-2004, 05:01 PM
Then you're one of the smart people that has patched their version of IIS against this particular worm. Good job; and oh, by the way, good luck on the next one.
Hmm, actually I don't use IIS; I use an open source Java httpd/ftpd called Xerver, and SETI@Home also. But yes, I constantly have all the updates installed, generally checking every week. I'm even running SP2 RC1 (I think it's RC1, maybe the beta?) just for the firewall and stuff. Better safe than sorry. Now, if only admins who ran actual important networks could do that, we'd all be really set.
Alex Cavnar, aka alc6379
05-26-2004, 02:32 AM
Originally posted by maccorin
# Drop all inbound traffic from the two scanning hosts seen in the log
BLACKLIST=(66.214.64.63 32.101.14.49)
for i in "${BLACKLIST[@]}"; do
    iptables -A INPUT -s "$i" -j DROP
done
Do that and then don't care what worm they have ;p
Yeah, I tried that once.
Apparently the Comcast subnet I'm on was, at one point, INFESTED with nimda, code red, and some other nasties. I was getting a lot of log hits like that. The sheer number of different IPs that were hitting me caused me just to use one blanket DENY rule, and only allow access to my webserver to hosts that I explicitly add.
This setup quickly became inconvenient, however, because more and more I was accessing my server from many locations that have dynamic IPs. If I wanted to block by subnet masking, that would defeat the purpose of even trying to set up firewall rules to block this stuff.
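As an added example (not code from anyone in this thread), the Python below tags the two request shapes quoted in the first post when they show up in an Apache access log, emits the same per-IP DROP rules as maccorin's BLACKLIST loop, and counts distinct sources, which is the number that stops per-IP blocking from scaling in alc6379's situation. The log lines are constructed (the third IP is a documentation address), and the signature regexes and labels are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not the poster's real log): the two request
# shapes quoted in the thread, a benign hit, and a repeat from the second scanner.
SAMPLE_LOG = r'''
66.214.64.63 - - [23/May/2004:03:26:33 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 400 - "-" "-"
32.101.14.49 - - [23/May/2004:04:44:26 -0700] "get /scripts/..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 - "-" "-"
198.51.100.7 - - [23/May/2004:05:01:02 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
32.101.14.49 - - [23/May/2004:05:02:15 -0700] "GET /scripts/..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 - "-" "-"
'''

# Common Log Format prefix: client, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}|-)')
# Apache writes unprintable request bytes as \xHH; a WebDAV SEARCH whose
# path is a long run of them is the shape of the first quoted line.
BINARY_SEARCH_RE = re.compile(r'^SEARCH /(?:\\x[0-9a-fA-F]{2}){8,}')
# Overlong UTF-8 "/" (%c0%af) walking out of /scripts/ to cmd.exe, as in the
# second quoted line; the method is matched case-insensitively ("get").
TRAVERSAL_CMD_RE = re.compile(r'^\w+ \S*(?:%c0%af|\.\./)\S*/winnt/system32/cmd\.exe', re.IGNORECASE)

def classify(request):
    """Label a request line that matches a known scanner shape, else None."""
    if BINARY_SEARCH_RE.match(request):
        return "webdav-search-binary"
    if TRAVERSAL_CMD_RE.match(request):
        return "unicode-traversal-cmd.exe"
    return None

def scan(log_text):
    """Return [(client_ip, label)] for every log line that hits a signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (label := classify(m.group("req"))):
            hits.append((m.group("ip"), label))
    return hits

def drop_rules(hits):
    """One iptables DROP per distinct source, first-seen order (the BLACKLIST approach)."""
    ips = list(dict.fromkeys(ip for ip, _ in hits))
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]

def distinct_sources(hits):
    """Hits per source IP; a long tail of one-off IPs is the sign that per-IP
    rules will not keep up, which is the problem alc6379 describes."""
    return Counter(ip for ip, _ in hits)
```

Run `scan(SAMPLE_LOG)` and feed the result to `drop_rules` to get the rule list; when `distinct_sources` shows dozens of IPs with one hit each, a default-deny policy plus an allow list is the cheaper answer, as the last post concludes.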