note on security paranoia [was Re: [oclug] Apache Logs]
Vic Gedris
vic at gedris.org
Wed Oct 30 16:54:47 EST 2002
On Wed, 30 Oct 2002, Shad Young wrote:
> Ack, I hate getting into this... but from your very own source...
>
> "This worm propagates through email arriving as a MIME
> "multipart/alternative" message consisting of two sections. The first
> section is defined as MIME type "text/html", but it contains no text, so the
> email appears to have no content. The second section is defined as MIME type
> "audio/x-wav", but it contains a base64-encoded attachment named
> "readme.exe", which is a binary executable. "
>
> So he needs to be infected *before* it shows up in his web logs. This looks
> like something scanned for a vulnerability, see item four below.
Hey Shad,
I don't think you read the whole CERT advisory. :) Yes, Nimda
propagates via email attachments, infected web pages, Windows file
shares....
But: When it's executed, it goes out looking for web servers that it
can exploit, or that have already been exploited by other worms.
Quote (http://www.cert.org/advisories/CA-2001-26.html):
The CERT/CC has received reports of new malicious code known as the
"W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears
to spread by multiple mechanisms:
* from client to client via email
* from client to client via open network shares
* from web server to client via browsing of compromised web sites
* from client to web server via active scanning for and exploitation
of various Microsoft IIS 4.0 / 5.0 directory traversal
vulnerabilities (VU#111677 and CA-2001-12)
* from client to web server via scanning for the back doors left
behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS"
(CA-2001-11) worms
You do *NOT* need to be infected to have this show up in your logs. All
it takes is an attempt at infection/exploit via an HTTP request.
> Secondly there are many things that make similar calls, including FrontPage
> Extensions in apache which make that error when it can not access the files
> in the way it was told to, either by installing them by mistake or adding
> them by design.
I get my fair share of these log entries too, from hosts all over the
world (most recent was videotron, Quebec, but others from Taiwan,
etc...). I have never, nor will I ever, have Frontpage Extensions
installed on my home web server. I have also not had a single MS
product (besides their free fonts ;-) installed on any of my machines in
years. Those log entries are most definitely NOT local Frontpage
errors, but remote attempts to access Frontpage extensions that don't
exist.
> Thirdly, the log output itself is significantly different with the exception
> of the system call. How can any script execute if it can't call its command
> interpreter? A great deal more of the log is required before a true
> representation can be had.
Two ways:
1) Use a previously-installed exploit (e.g. Code Red II) to execute
stuff
2) Use the "../../../.." style exploit that I already mentioned.
> Fourthly, ISPs regularly run scans for services that have known
> vulnerabilities. They do this to protect themselves. These scans often show
> up in logs and are not always going to be easy to discern. They know that
> many of the users have "iced" their machines and they need to peek around
> the back door too. This looked like something that sought and did not find a
> vulnerability. That does not constitute an attack. Just a scan. And likely
> an innocent one.
ISPs from around the world shouldn't be scanning me. ;-) I've checked a
few of the hosts that have tried to infect me. They've usually been small
businesses, schools, someone's windows box on their cable connection....
Plus, those type of log entries are usually NOT accompanied by other
normal log entries (index.html, other web pages, etc)....just the
exploitable stuff.
> I think you guys are wrong. But you are right in that it is worth securing
> against. FrontPage Extensions are insecure. get rid of em if they exist. The
> log entries are just not worth getting excited about. It could be a thousand
> innocent things. Trying to block them or fix them could just lock you out of
> your own proxy server or god knows what else and thus slow or blow your
> whole internet.
Hey...I agree with you. :) They're not really worth getting worried
about *if you don't run IIS/MS*. I'm quite amused by this stuff,
actually.
Hey....what do you think of *this* log entry? :)
access_log.4:156.26.108.3 - - [06/Oct/2002:01:43:42 -0400] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 323 "-" "-"
Cheers,
Vic
--
-----------------------------------------------------------------------
Vic Gedris vic-at-gedris.org http://vic.dyndns.org/
-----------------------------------------------------------------------
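As an added example (not part of this thread, and not anyone's posted code), here is a small Python scanner that applies Vic's points to an Apache access log: it tags the probe families the CERT advisory lists (Code Red default.ida, Code Red II root.exe back door, IIS cmd.exe directory traversal) plus FrontPage extension paths, notes whether any probe was actually served rather than refused, and reports hosts that sent nothing but probes. The signature list and the sample log lines are my own assumptions and constructions.

```python
import re
from collections import defaultdict

# Apache common/combined log line, optionally prefixed "filename:" as grep prints it.
LOG_RE = re.compile(r'^(?:[\w./-]+:)?(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Assumption: well-known probe paths from the Code Red / Code Red II / Nimda
# advisories plus FrontPage extension URLs; a starting list, not an exhaustive one.
SIGNATURES = {
    "code-red": ("/default.ida",),
    "code-red-ii-backdoor": ("/root.exe",),
    "iis-traversal": ("cmd.exe",),
    "frontpage-probe": ("/_vti_bin/", "/_vti_inf.html"),
}

def classify(path):
    """Return the signature family a request path matches, or None."""
    lowered = path.lower()
    for family, needles in SIGNATURES.items():
        if any(n in lowered for n in needles):
            return family
    return None

def scan_log(lines):
    """Per client host: probe and normal-request counts, families seen, and
    how many probes were actually served (2xx) instead of refused."""
    hosts = defaultdict(lambda: {"probe": 0, "normal": 0, "served": 0, "families": set()})
    for m in filter(None, map(LOG_RE.match, lines)):
        h, family = hosts[m["host"]], classify(m["path"])
        if family is None:
            h["normal"] += 1
            continue
        h["probe"] += 1
        h["families"].add(family)
        h["served"] += int(m["status"].startswith("2"))  # a served probe needs a closer look
    return dict(hosts)

def scan_only_hosts(summary):
    """Hosts that sent nothing but probes: the pattern Vic describes above."""
    return sorted(h for h, s in summary.items() if s["probe"] and not s["normal"])

# Constructed sample log lines (documentation IP ranges), not from the original thread.
SAMPLE_LOG = """\
access_log.4:192.0.2.10 - - [06/Oct/2002:01:43:42 -0400] "GET /default.ida?NNNN%u9090 HTTP/1.0" 400 323 "-" "-"
192.0.2.10 - - [06/Oct/2002:01:43:44 -0400] "GET /scripts/root.exe HTTP/1.0" 404 287 "-" "-"
192.0.2.10 - - [06/Oct/2002:01:43:45 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [06/Oct/2002:02:10:01 -0400] "GET /index.html HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
198.51.100.7 - - [06/Oct/2002:02:10:05 -0400] "GET /_vti_bin/shtml.exe HTTP/1.1" 404 290 "-" "Mozilla/4.0"
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` reports 192.0.2.10 as three probes and no normal requests (all refused with 4xx), which is exactly the "just the exploitable stuff" pattern, while 198.51.100.7 mixes one FrontPage probe with an ordinary page load.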