Very ODD Apache access log

rodericj · Posted: Fri Dec 10, 2004 8:54 pm Post subject: Very ODD Apache access log

Hey check this out.

http://www.cs.rit.edu/~rmc8917/apacheoutput.txt

This is the 'tail -n 30' of my apache access log. There is some really strange stuff going on there. I moved my old access file to something like access_log.old and created a new one. Since then, I have been having some very odd outputs.

The output is so odd that when I copy pasted it into this box, it crashed windows in a way I have never seen it. (Yeah that makes you want to view the file). Its like all of those searches with the \'s in em messed something up.

Another thing that throws me off. Take a look at the IP addresses. It seems that there is a 192.168.1.109. I do no think that I do not have a 109 in my network.

Anybody know what I am seeing here?

p.s. I have since stopped my apache process for fear of some hacking.

neilhwatson · l33t Joined: 06 Feb 2003 Posts: 719 Location: Canada

Those are Windows worms (e.g. Nimda). Use http://www.symantec.com/avcenter/ to search for some of those strings.
_________________
The true guru is a teacher.
Neil Watson

hanj · Veteran Joined: 19 Aug 2003 Posts: 1500

Those are standard windows script exploits... cmd.exe, etc. The SEARCH stuff is for IIS WebDav exploit. I think you're in the clear.

Hope this helps
hanji

rodericj · Posted: Fri Dec 10, 2004 9:29 pm Post subject:

I am alright as in I am immune because cmd.exe is nothing on gentoo? Or I am alright as in these are more or less harmless?

I just don't want them craping up my log files.

hanj · Veteran Joined: 19 Aug 2003 Posts: 1500

You are alright.. in the sense that these exploit attempts will not harm your gentoo box. IIS and Windows only.

These will 'crap' up your log files. If it is a consistent IP, you can try dropping traffic from the source via iptables, etc. Also are you rotating your apache logs via logrotate?

hanji

rodericj · Posted: Sat Dec 11, 2004 8:40 pm Post subject:

Negative on the logrotate. I have never heard of it. I was just copying the file.

Bad idea?

I am emerging it now. It seems to just make it easier and more organized. Not so much that it will keep you from blowing up.

hanj · Veteran Joined: 19 Aug 2003 Posts: 1500

Here is my sample apache script in /etc/logrotate.d/. It's nice cause it will rotate logs.. deleting the last one. You can set how often it rotates, and how much history you want to store before deleting, etc

rodericj · Posted: Sun Dec 12, 2004 4:45 pm Post subject:

I would like it to not delete after rotates. How do I do that? I assume just take out the rotate 5.

I will wait for your response till I change anything.

Thanks though for the input.

golloza · Guru Joined: 14 Mar 2004 Posts: 427

teknomage1 · Posted: Mon Dec 13, 2004 1:20 am Post subject:

You should also contact the owner of that block of IP addresses and inform them that their system(s) are infected.

rex123 · Apprentice Joined: 21 Apr 2004 Posts: 272

neilhwatson · l33t Joined: 06 Feb 2003 Posts: 719 Location: Canada

You should be protecting yourself from spoof attacks. Interfaces pointed to the Internet should not accept connections from private IP ranges.
_________________
The true guru is a teacher.
Neil Watson

rodericj · Posted: Mon Dec 13, 2004 7:06 pm Post subject:

teknomage1 · Posted: Tue Dec 14, 2004 3:22 am Post subject:

A number of the worm attempts seemed to be coming from IP ranges owned by broadband providers, those were the ones I think should be reported. Since you have an address and a time presumably the ISP has a record of who that is and can inform them to fix it.

Aurisor · Guru Joined: 20 Sep 2003 Posts: 361 Location: Boston MA

Most of those worms open root holes on the infected machines...you could always take the liberty of disabling them yourself >