note on security paranoia [wasRe: [oclug]Apache Logs]
Vic Gedris
vic at gedris.org
Wed Oct 30 16:02:10 EST 2002
Sorry Shad, but the log entries below are *definitely* indications of
exploit attempts. Yes, they are trying to access files on an NT server
(with Frontpage in the second example), but they are trying to run
exploits.
Look at how the second log entry is accessed. The attack tries to use a
common "../../../path/to/system/executables" style of attack, to try and
fool the web server into running something that it's not supposed to
run.
Specifically, this looks like Nimda:
http://www.cert.org/advisories/CA-2001-26.html
-Vic
On Wed, 30 Oct 2002, Shad Young wrote:
> 2) Lack of understanding of non-Linux protocols. In your particular case, as
> I watch the flood of misinformation come in, the lack of understanding of MS
> FrontPage's .net extensions and other non-Linux RPC get said protocols
> labeled as hack attempts.
> ----- Original Message -----
> From: "Brian's Linux Box" <b_mckee at myrealbox.com>
> To: <oclug at lists.oclug.on.ca>
> Sent: Wednesday, October 30, 2002 1:21 PM
> Subject: [oclug]Apache Logs
>
>
> > [Sun Oct 27 07:41:42 2002] [error] [client XX.XX.XX.XX] File does not exist: /var/www/html/MSADC/root.exe
> >
> > And
> > [Sun Oct 27 07:42:04 2002] [error] [client XX.XX.XX.XX] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
--
-----------------------------------------------------------------------
Vic Gedris vic-at-gedris.org http://vic.dyndns.org/
-----------------------------------------------------------------------
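As an added illustration that is not part of the thread, the check Vic describes can be automated over Apache error-log lines: URL-decode the requested path so that `..%5c..` reads as `../..`, then flag traversal and the IIS/FrontPage paths named in the Nimda advisory. The sample log lines below are constructed to match the two quoted above, plus one benign entry.

```python
import re
from urllib.parse import unquote

# Constructed sample, modelled on the entries quoted in the thread
# (client address anonymised as in the original post).
SAMPLE_LOG = """\
[Sun Oct 27 07:41:42 2002] [error] [client XX.XX.XX.XX] File does not exist: /var/www/html/MSADC/root.exe
[Sun Oct 27 07:42:04 2002] [error] [client XX.XX.XX.XX] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Oct 27 07:43:10 2002] [error] [client XX.XX.XX.XX] File does not exist: /var/www/html/favicon.ico
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"File does not exist: (?P<path>.+)$"
)

# Paths Nimda probes for (CERT CA-2001-26); compared after decoding, lower-cased.
NIMDA_MARKERS = ("msadc/root.exe", "_vti_bin/", "winnt/system32/cmd.exe")

def decode_path(path):
    """URL-decode until stable (catches %255c), then treat '\\' as '/'."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/").lower()

def classify(line):
    """Parse one error-log line; return None if it is not a 'File does not exist' entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    reasons = []
    if "../" in decoded:
        reasons.append("directory traversal")
    reasons += [f"nimda marker {mk}" for mk in NIMDA_MARKERS if mk in decoded]
    return {"client": m.group("client"), "path": decoded, "reasons": reasons}

def scan(log_text):
    """Return only the entries that look like probes, with the reasons."""
    hits = []
    for line in log_text.splitlines():
        entry = classify(line)
        if entry and entry["reasons"]:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["path"], "->", ", ".join(hit["reasons"]))
```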