httpd-users mailing list archives

From "J. Greenlees" <ja...@shaw.ca>
Subject Re: [users@httpd] virtual host?
Date Tue, 07 Jan 2003 15:45:56 GMT


Jalene Joyner wrote:
> Here is a sampling of what I am seeing in the access.log file:
> 
> 66.1.198.201 - - [29/Dec/2002:07:00:44 -0600] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> 66.1.198.201 - - [29/Dec/2002:07:00:44 -0600] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> 66.1.198.201 - - [29/Dec/2002:07:00:45 -0600] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> 66.1.198.201 - - [29/Dec/2002:07:00:45 -0600] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"

These are the Nimda virus looking for corruptible IIS on a Windows machine.


> 1.2.3.4 - - [29/Dec/2002:20:41:12 -0600] "GET / HTTP/1.1" 200 689 "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
> 1.2.3.4 - - [29/Dec/2002:20:41:16 -0600] "GET / HTTP/1.1" 200 148 "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
> 1.2.3.4 - - [29/Dec/2002:20:41:21 -0600] "GET / HTTP/1.1" 200 182 "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
> 1.2.3.4 - - [29/Dec/2002:20:41:52 -0600] "OPTIONS / HTTP/1.1" 200 - "-"
> "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:20:41:52 -0600] "PROPFIND /tic HTTP/1.1" 404
> 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 170.94.250.103 - - [29/Dec/2002:20:41:52 -0600] "PROPFIND /tic HTTP/1.1"
> 404 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:20:42:05 -0600] "PROPFIND /tic HTTP/1.1" 404
> 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:20:42:05 -0600] "PROPFIND /tic HTTP/1.1" 404
> 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:20:42:21 -0600] "PROPFIND /tic HTTP/1.1" 404
> 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:20:42:21 -0600] "PROPFIND /tic HTTP/1.1" 404
> 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:20:42:28 -0600] "PROPFIND /tic HTTP/1.1" 404
> 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:20:42:28 -0600] "PROPFIND /tic HTTP/1.1" 404
> 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:20:54:54 -0600] "OPTIONS / HTTP/1.1" 200 - "-"
> "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:20:54:54 -0600] "PROPFIND /tic HTTP/1.1" 404
> 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:21:10:05 -0600] "OPTIONS / HTTP/1.1" 200 - "-"
> "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:21:10:05 -0600] "PROPFIND /planning HTTP/1.1"
> 404 284 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:21:11:19 -0600] "OPTIONS / HTTP/1.1" 200 - "-"
> "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:21:11:19 -0600] "PROPFIND /planning HTTP/1.1"
> 404 284 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:21:12:03 -0600] "PROPFIND /techarch HTTP/1.1"
> 404 284 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
> 1.2.3.4 - - [29/Dec/2002:21:12:26 -0600] "PROPFIND /tic HTTP/1.1" 404
> 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

These are a .NET server looking for another .NET server to expand the list.

> 170.94.251.29 - - [29/Dec/2002:21:23:13 -0600] "POST
> /_mmServerScripts/MMHTTPDB.php HTTP/1.1" 200 128 "-" "MMHttp"
> 170.94.251.29 - - [29/Dec/2002:21:23:13 -0600] "POST
> /_mmServerScripts/MMHTTPDB.php HTTP/1.1" 200 214 "-" "MMHttp"
> 170.94.251.29 - - [29/Dec/2002:21:23:22 -0600] "POST
> /_mmServerScripts/MMHTTPDB.php HTTP/1.1" 200 214 "-" "MMHttp"
> 170.94.251.29 - - [29/Dec/2002:21:23:48 -0600] "POST
> /_mmServerScripts/MMHTTPDB.php HTTP/1.1" 200 213 "-" "MMHttp"


> 
> 
> 
> -----Original Message-----
> From: Gary Turner [mailto:kk5st@sbcglobal.net] 
> Sent: Monday, January 06, 2003 4:46 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] virtual host?
> 
> Jalene Joyner wrote:
> 
> 
>>I have set up an Apache server (1.3.27) on a Redhat linux 7.3 with 3-4
>>virtual ip addresses configured.  One of my virtual servers is
>>broadcasting messages over the intranet looking for a wins server.  How
>>can I get this turned off and/or is this in fact an apache problem?  Or
>>a network configuration problem on the Redhat side?  
> 
> 
> In the general sense, messages are not broadcast.  Also, Linux and
> Apache are not normally susceptible to viral or worm infections.  Are
> you seeing something like this in your access.log?
> 
> $tail /var/log/apache/access.log
> 65.71.73.123 - - [06/Jan/2003:15:12:40 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
> 65.71.73.123 - - [06/Jan/2003:15:12:41 -0600] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
> 65.71.73.123 - - [06/Jan/2003:15:12:41 -0600] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
> 65.71.73.123 - - [06/Jan/2003:15:12:41 -0600] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
> 65.71.73.123 - - [06/Jan/2003:15:12:41 -0600] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-"
> "-"
> 65.71.73.123 - - [06/Jan/2003:15:12:45 -0600] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 320 "-" "-"
> 65.71.73.123 - - [06/Jan/2003:15:12:45 -0600] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 320 "-" "-"
> 65.71.73.123 - - [06/Jan/2003:15:12:49 -0600] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn
> t/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 336 "-" "-"
> 65.71.73.123 - - [06/Jan/2003:15:12:49 -0600] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302 "-"
> "-"
> 65.71.73.123 - - [06/Jan/2003:15:12:50 -0600] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302 "-"
> "-"
> 
> If so, you are seeing attempts by an infected Microsoft system to crack
> your server.  Google NIMDA for more info (see the CERN ref).
> 
> If you're seeing something else, post the evidence you're seeing.
> --
> gt                  kk5st@sbcglobal.net
>  If someone tells you---
>  "I have a sense of humor, but that's not funny." 
>                                   ---they don't.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
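
Added example, not part of the original message or of the Apache httpd project: a small triage script for the kinds of access.log entries quoted in this thread. It separates worm probes for cmd.exe/root.exe from WebDAV client requests and records which status codes each source received. The function names and category labels are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Combined Log Format; the protocol token is optional (the first quoted sample lacks it).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>[^\s"]+)'
    r'(?: [^"]*)?" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def decode_rounds(target, limit=4):
    """Percent-decode until stable; return (lowercased bytes, rounds that changed it)."""
    raw, rounds = target.encode("latin-1", "replace"), 0
    while rounds < limit and (nxt := unquote_to_bytes(raw)) != raw:
        raw, rounds = nxt, rounds + 1
    return raw.lower(), rounds

def classify(line):
    """Return (ip, kind, status, evasion) or None for an unparsable line."""
    m = LINE.match(line)
    if m is None:
        return None
    path, rounds = decode_rounds(m["target"])
    evasion = []
    if rounds > 1:
        evasion.append("double-encoding")    # %255c -> %5c -> backslash
    if b"\xc0" in path or b"\xc1" in path:
        evasion.append("invalid-utf8-lead")  # 0xC0/0xC1 never occur in valid UTF-8
    kind = "other"
    if b"cmd.exe" in path or b"root.exe" in path:
        kind = "iis-worm-probe"
    elif m["method"] in ("OPTIONS", "PROPFIND") or m["ua"].startswith("Microsoft-WebDAV"):
        kind = "webdav-client"
    return m["ip"], kind, int(m["status"]), evasion

def summarize(lines):
    """Map (ip, kind) -> sorted status codes; a probe answered with anything but 404 needs a look."""
    seen = defaultdict(set)
    for hit in filter(None, map(classify, lines)):
        seen[hit[0], hit[1]].add(hit[2])
    return {key: sorted(codes) for key, codes in seen.items()}

# Constructed sample: quoted entries rejoined onto one line, documentation-range IPs substituted.
SAMPLE = [
    '192.0.2.10 - - [29/Dec/2002:07:00:44 -0600] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"',
    '192.0.2.11 - - [06/Jan/2003:15:12:50 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302 "-" "-"',
    '192.0.2.12 - - [29/Dec/2002:20:41:52 -0600] "PROPFIND /tic HTTP/1.1" 404 279 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"',
    '192.0.2.12 - - [29/Dec/2002:20:41:12 -0600] "GET / HTTP/1.1" 200 689 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]
```

Run summarize() over lines read from access.log; log entries that the mail client wrapped, as in the quotes above, must be rejoined onto one line first.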


