Thread: Heads Up - something new I fear.. (Apache Web Server forums, part of the Web Server and Related Forums category)
Salutations:

I picked up something new in the logs today - turn word wrap off, this will be easier to read:

80.142.110.85 - - [10/Oct/2003:16:58:18 -0300] "GET /error/%5c%2e%2e%5clogs%5cinstall.log HTTP/1.1" 200 1029 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
80.142.110.85 - - [10/Oct/2003:16:58:21 -0300] "GET /error/%5c%2e%2e%5cconf%5chttpd.conf HTTP/1.1" 200 34590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

This successfully read both relevant files and then proceeded to attempt:

80.142.110.85 - - [10/Oct/2003:16:58:23 -0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+c:>>c:\dir.txt HTTP/1.1" 301 430 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
80.142.110.85 - - [10/Oct/2003:16:58:23 -0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+c:>>c:\dir.txt HTTP/1.1" 301 430 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
80.142.110.85 - - [10/Oct/2003:16:58:25 -0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5ccmd.exe?/c+dir+c:>>c:\dir.txt HTTP/1.1" 301 430 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I had been working on a 'Return to Sender' scheme some time ago so that the 301 codes are not successful on *my* machine - however this has all the earmarks of being a fairly serious worm for Windows Apache installs.. Perhaps others as well - I'm not sure - I suppose it depends on what it knows about the system involved.. I haven't tried it on *nix yet - perhaps someone should.. Which is pretty much everything, given what it calls in the first two lines and responds with in the subsequent three.. I am not finding anything about it at Google except a locked-down German government security forum (probe IP traces to Germany) and a couple of log reports from .nl and .nu..

I've kicked this to Apache and CERT as a heads up - no word back from anyone there (it's late Friday) - soooo - I'm not sure what else to do. I'm using a 2.+ RedirectMatch & {REMOTE_ADDR} scheme here to handle it - if you know how, I would strongly advise you do the same, adding whatever directories or files you want protected. Cheers and good luck.. Hope I'm wrong - not sure I am..

--
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time
Radio Free Dexterdyne Top Tune o'be-do-da-day Louis Prima Keely Smith - Hey Boy Hey Girl
http://www.dexterdyne.org/888/146.RAM
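The two 200 responses in the post above are the part that matters, and they also answer the question raised later in this thread about what %5c is: %5c is a percent-encoded backslash and %2e an encoded dot, so /error/%5c%2e%2e%5clogs%5cinstall.log decodes to /error/\..\logs\install.log. Apache collapses forward-slash ".." segments before mapping a URL, but a backslash is an ordinary character to it, so the segment reaches the filesystem intact, and on Windows the filesystem treats "\" as a separator and steps out of the aliased directory. The script below is an added example written for this thread, not the poster's code or anything from the Apache project: it parses combined-format access log lines, decodes each request, maps it onto an assumed default Windows httpd 2.0 alias layout (the C:/Apache2 directories and the ALIASES table are illustrative assumptions, not from the thread), and reports every request that stepped outside its alias, marking those that got a 2xx as files the server actually handed back. The first two sample lines are the ones quoted in the post; the remaining sample lines are constructed.

```python
r"""Detect encoded backslash/dot-dot traversal probes in Apache access logs.

Added example for the thread above (not the poster's code). %5c is an
encoded backslash and %2e an encoded dot, so
/error/%5c%2e%2e%5clogs%5cinstall.log decodes to /error/\..\logs\install.log.
Apache collapses forward-slash ".." before mapping a URL; a backslash is an
ordinary character to it, but the Windows filesystem treats "\" as a
separator, so the request escapes the aliased directory.
"""
import posixpath
import re
from urllib.parse import unquote

# Combined-log-format parser; the query string stays attached to the target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# ASSUMED alias layout of a default Windows httpd 2.0 install (illustrative,
# not taken from the thread): URL prefix -> directory on disk.
ALIASES = {
    "/error/": "C:/Apache2/error/",
    "/cgi-bin/": "C:/Apache2/cgi-bin/",
}

# Sample input: the first two entries are the lines quoted in the thread, the
# third is a shortened, constructed form of its cmd.exe probe, the fourth is a
# constructed benign request.
SAMPLE_LOG = r'''80.142.110.85 - - [10/Oct/2003:16:58:18 -0300] "GET /error/%5c%2e%2e%5clogs%5cinstall.log HTTP/1.1" 200 1029 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
80.142.110.85 - - [10/Oct/2003:16:58:21 -0300] "GET /error/%5c%2e%2e%5cconf%5chttpd.conf HTTP/1.1" 200 34590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
80.142.110.85 - - [10/Oct/2003:16:58:23 -0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir HTTP/1.1" 301 430 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [10/Oct/2003:17:01:02 -0300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''


def decode_target(target):
    """Strip the query, then percent-decode twice to catch double encoding."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path))


def classify(target):
    """Return (decoded_path, reasons); an empty reasons list means clean."""
    path = target.split("?", 1)[0]
    decoded = decode_target(target)
    reasons = []
    if any(tok in path.lower() for tok in ("%5c", "%2e", "%2f")):
        reasons.append("encoded separator or dot")
    if "\\" in decoded:
        reasons.append("backslash separator")
    # Split on either slash, the way the Windows filesystem will see it.
    if ".." in re.split(r"[\\/]", decoded):
        reasons.append("dot-dot segment")
    return decoded, reasons


def map_alias(decoded):
    """Resolve the decoded URL against ALIASES treating both slashes as
    separators, and report whether the result stays inside its alias
    directory. Returns (resolved_path, inside); (None, True) if no alias."""
    for prefix, directory in ALIASES.items():
        if decoded.startswith(prefix):
            rest = decoded[len(prefix):].replace("\\", "/").lstrip("/")
            resolved = posixpath.normpath(posixpath.join(directory, rest))
            return resolved, resolved.startswith(directory)
    return None, True


def analyze_log(text):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, reasons = classify(m["target"])
        if not reasons:
            continue
        resolved, inside = map_alias(decoded)
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "target": m["target"],
            "decoded": decoded,
            "resolved": resolved,
            "escapes_alias": not inside,
            "reasons": reasons,
            "status": status,
            # A 2xx means the server handed the file back: treat it as a
            # disclosure of that file, not merely a probe.
            "succeeded": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        verdict = "SERVED" if f["succeeded"] else "blocked"
        print(f"{f['ip']} {verdict} {f['decoded']} -> {f['resolved']} "
              f"escapes_alias={f['escapes_alias']} ({', '.join(f['reasons'])})")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and ALIASES with the Alias and ScriptAlias lines from your own httpd.conf; any finding with succeeded set is a file that left the server, which is the distinction the thread's 200 versus 400/301 results turn on.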
Dexter J <lamealameadingdong@lamelamelame.org> wrote:
> 80.142.110.85 - - [10/Oct/2003:16:58:18 -0300] "GET /error/%5c%2e%2e%5clogs%5cinstall.log HTTP/1.1" 200 1029 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 80.142.110.85 - - [10/Oct/2003:16:58:21 -0300] "GET /error/%5c%2e%2e%5cconf%5chttpd.conf HTTP/1.1" 200 34590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I have the idea that those things work only if your DocumentRoot is physically inside the Apache installation directory. Put the docroot somewhere else and you should be fine.

Anyway, I'll try something today (it rains) and will post an update later.

Davide
Davide Bianchi <davideyeahsure@onlyforfun.net> wrote:
> Anyway, I'll try something today (it rains) and will post an update
> later.

Ok, tried on three different machines (two Linux/Intel and one Solaris/Sparc). Those kinds of things just return a "400" error.

Davide
Salutations:

Davide Bianchi wrote:
>
> Dexter J <lamealameadingdong@lamelamelame.org> wrote:
> > 80.142.110.85 - - [10/Oct/2003:16:58:18 -0300] "GET /error/%5c%2e%2e%5clogs%5cinstall.log HTTP/1.1" 200 1029 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> > 80.142.110.85 - - [10/Oct/2003:16:58:21 -0300] "GET /error/%5c%2e%2e%5cconf%5chttpd.conf HTTP/1.1" 200 34590 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
>
> I have the idea that those things work only if your DocumentRoot is
> physically inside the Apache installation directory. Put the docroot
> somewhere else and you should be fine.
>
> Anyway, I'll try something today (it rains) and will post an update
> later.
>
> Davide

Thx for testing, no word back from anyone in authority regarding this. Nope - my doc root/CGI was in an entirely different spot. Error alias *was* default though.. Not anymore though.. So I'm still guessing this beast may be Win Apache specific - but - are you running a bone stock install on *nix?. I first thought it might be related to the OpenSSL advisory - but haven't been able to find any matches along that line. Hey - if I'm the first to report it - I wonder if I get to name it?..

--
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time
Radio Free Dexterdyne Top Tune o'be-do-da-day Kathy Matea - 455 Rocket
http://www.dexterdyne.org/888/051.RAM
Salutations:

Davide Bianchi wrote:
>
> In alt.apache.configuration Dexter J <lamealameadingdong@lamelamelame.org> wrote:
> > are you running a bone stock install on *nix?.
>
> Nope. Never did. Never will.
>
> Davide

Me either usually - but this one slipped through the cracks as I was focusing on Code Red/Klez at the time.. Well, if anyone is running Apache 2.+ and wants to try a test - simply cut 'N paste:

your.server.ip/error/%5c%2e%2e%5clogs%5cinstall.log

or

your.server.ip/error/error/%5c%2e%2e%5cconf%5chttpd.conf

It's not hard to secure using RedirectMatch - but it's closing the barn door after the fact in my opinion. Maybe it's just someone rattling doors.. But it's the darned 'maybe' that bothers me. It's turned up in another AWSTATS file this morning when I googled: /error/%5c%2e%2e%5clogs%5cinstall.log

Anyway - that's all I have to offer. Interested if anyone else starts to see it.

--
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time
Radio Free Dexterdyne Top Tune o'be-do-da-day Kathy Matea - 455 Rocket
http://www.dexterdyne.org/888/051.RAM
(corrected repost)

Salutations:

Davide Bianchi wrote:
>
> In alt.apache.configuration Dexter J <lamealameadingdong@lamelamelame.org> wrote:
> > are you running a bone stock install on *nix?.
>
> Nope. Never did. Never will.
>
> Davide

Me either usually - but this one slipped through the cracks as I was focusing on Code Red/Klez at the time.. Well, if anyone is running Apache 2.+ and wants to try a test - simply cut 'N paste:

your.server.ip/error/%5c%2e%2e%5clogs%5cinstall.log

or

your.server.ip/error/%5c%2e%2e%5cconf%5chttpd.conf

It's not hard to secure using RedirectMatch - but it's closing the barn door after the fact in my opinion. Maybe it's just someone rattling doors.. But it's the darned 'maybe' that bothers me. It's turned up in another AWSTATS file this morning when I googled: /error/%5c%2e%2e%5clogs%5cinstall.log

Anyway - that's all I have to offer. Interested if anyone else starts to see it.

--
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time
Radio Free Dexterdyne Top Tune o'be-do-da-day Kathy Matea - 455 Rocket
http://www.dexterdyne.org/888/051.RAM
In article <3F882797.A8C4825C@lamelamelame.org>,
lamealameadingdong@lamelamelame.org says...
<!snip>
>
> > your.server.ip/error/%5c%2e%2e%5clogs%5cinstall.log
>
> > or
>
> > your.server.ip/error/%5c%2e%2e%5cconf%5chttpd.conf
>
<!snip>

I tried this on my set-up (MacOS X 10.2.8, Apache 2.x) and it did not respond with anything from my server, except my 404 redirect.

I do not have my 'document-root' anywhere near the Apache install, and use several different aliases for other directories.

Maybe it is just an attack on WinDoze IIS boxes, but somehow can leak into Apache.

Question, is %5c the html code for '/'?
Salutations:

James Hagemann wrote:
>
> In article <3F882797.A8C4825C@lamelamelame.org>,
> lamealameadingdong@lamelamelame.org says...
>
> <!snip>
> >
> > > your.server.ip/error/%5c%2e%2e%5clogs%5cinstall.log
> >
> > > or
> >
> > > your.server.ip/error/%5c%2e%2e%5cconf%5chttpd.conf
> >
> <!snip>
>
> I tried this on my set-up (MacOS X 10.2.8, Apache 2.x) and it did not respond
> with anything from my server, except my 404 redirect.
>
> I do not have my 'document-root' anywhere near the Apache install, and use
> several different aliases for other directories.
>
> Maybe it is just an attack on WinDoze IIS boxes, but somehow can leak into
> Apache.

Thx for the feedback - much appreciated.. I'm not sure it hits IIS as I don't have an IIS machine to test - doesn't seem like it should. However - it most certainly does hit Windows Apache default installs and *isn't* hitting document root - it goes for the default install directories for install.log, then may be reacting to config information gleaned.. Or not.. Maybe it's simply a flat script.

I'm actually in the middle of a project and can't test this any deeper (hence the crappy incident reporting and chatter - sorry). I did a fast RedirectMatch work around to turn it away and it worked - you know - until I can fix this properly..

Is there anyone out there that has a *default* Apache install (Windows and otherwise) and some time to hard-test this? It doesn't seem to be related to document root so much as default install artefacts and directories.

(google thread on this so far - word wrap off for link):
http://groups.google.ca/groups?dq=&h...melamelame.org

Gotta get back to work here - but as a footnote to this - about 2 or 3 hours later my mail server suddenly picked up a fast wave of spam attempts with the source IP range (t-dialin) buried in the middle. Maybe nothing - but that's what I have so far..

--
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time
Radio Free Dexterdyne Top Tune o'be-do-da-day Margret & Hirt - Baby Its Cold Outside
http://www.dexterdyne.org/888/099.RAM