Alaska Software Inc. - Apache access log - what does this mean?
Hubert Brandel Apache access log - what does this mean?
on Fri, 18 Mar 2005 00:24:23 +0100
Hi,

I found these entries in my Apache access log:

60.232.169.145 - - [10/Mar/2005:06:39:35 +0100] "GET 
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
HTTP/1.0" 404 331
68.142.251.73 - - [10/Mar/2005:08:10:28 +0100] "GET /robots.txt 
HTTP/1.0" 404 330
68.142.250.21 - - [10/Mar/2005:08:10:29 +0100] "GET /CGI_TEST.html 
HTTP/1.0" 304 -

Are these attacks?

1. "GET /default.ida?XXXXXXX...
   Is this an attempt to try a buffer overflow?
2. "GET /robots.txt
   Does someone want to know my subdirs, or is it a robot?
3. 68.142.250.21 - - [10/Mar/2005:08:10:29 +0100] "GET /CGI_TEST.html HTTP/1.0" 304 -

Can I see in this log whether someone got into my Apache server?

Bye
Hubert



----------------

My Homepage:

german  - www.familie-brandel.de/index.htm
english - www.familie-brandel.de/index_e.htm
Hubert Brandel Re: Apache access log - what does this mean?
on Fri, 18 Mar 2005 00:29:44 +0100
Hi,
this is my server error log:

D:/WWW_SITE_SERVER/Normal/favicon.ico
[Thu Mar 10 00:11:30 2005] [error] [client 84.171.147.24] File does not 
exist: D:/WWW_SITE_SERVER/Normal/favicon.ico
[Thu Mar 10 00:11:33 2005] [error] [client 84.171.147.24] File does not 
exist: D:/WWW_SITE_SERVER/Normal/favicon.ico
[Thu Mar 10 06:39:35 2005] [error] [client 60.232.169.145] File does not 
exist: D:/WWW_SITE_SERVER/Normal/default.ida
[Thu Mar 10 08:10:28 2005] [error] [client 68.142.251.73] File does not 
exist: D:/WWW_SITE_SERVER/Normal/robots.txt
[Thu Mar 10 18:24:00 2005] [error] [client 192.168.0.100] File does not 
exist: D:/WWW_SITE_SERVER/Normal/favicon.ico
[Sun Mar 13 01:17:04 2005] [warn] (OS 64)Der angegebene Netzwerkname ist 
nicht mehr verfügbar.  : winnt_accept: Asynchronous AcceptEx failed.
[Sun Mar 13 05:11:04 2005] [error] [client 81.168.227.239] script not 
found or unable to stat: D:/WWW_SITE_SERVER/cgi-bin/awstats.pl
[Sun Mar 13 05:11:05 2005] [error] [client 81.168.227.239] File does not 
exist: D:/WWW_SITE_SERVER/Normal/awstats
[Sun Mar 13 13:36:21 2005] [notice] Parent: Created child process 824
[Sun Mar 13 13:36:26 2005] [notice] Child 824: Child process is running
[Sun Mar 13 13:36:26 2005] [notice] Child 824: Acquired the start mutex.
[Sun Mar 13 13:36:26 2005] [notice] Child 824: Starting 250 worker threads.
[Sun Mar 13 20:08:24 2005] [error] [client 66.196.90.91] File does not 
exist: D:/WWW_SITE_SERVER/Normal/robots.txt
[Sun Mar 13 23:37:22 2005] [error] [client 84.171.130.43] File does not 
exist: D:/WWW_SITE_SERVER/Normal/favicon.ico
[Mon Mar 14 12:31:33 2005] [error] [client 68.142.251.86] File does not 
exist: D:/WWW_SITE_SERVER/Normal/robots.txt
[Wed Mar 16 22:53:03 2005] [notice] Parent: Created child process 132
[Wed Mar 16 22:53:04 2005] [notice] Child 132: Child process is running
[Wed Mar 16 22:53:05 2005] [notice] Child 132: Acquired the start mutex.
[Wed Mar 16 22:53:05 2005] [notice] Child 132: Starting 250 worker threads.

1. Does the "... File does not exist ..." tell me that the server was NOT
cracked?
2. The last 4 lines look like someone created a big load of threads on my
server?

Bye
Hubert
Thomas Braun Re: Apache access log - what does this mean?
on Fri, 18 Mar 2005 08:58:32 +0100
Hubert Brandel wrote:

> [Sun Mar 13 05:11:04 2005] [error] [client 81.168.227.239] script not 
> found or unable to stat: D:/WWW_SITE_SERVER/cgi-bin/awstats.pl

This is an attempt to exploit a recently detected error in the open source
web log statistics tool AwStats. Obviously you are not running this tool.

> 1. does the ... File does not exist ... tell me, that the server was NOT 
> cracked ?

No, it tells you that someone requested a resource on your server that was
not available. But there may be security holes that are based on this.

> 2. the last 4 lines looks like someone made a big load of threads on my 
> server ?

No, this is the normal startup message of Apache; see the log of my local
test server from the last 5 days:

[Mon Mar 14 08:03:51 2005] [notice] Parent: Created child process 3308
[Mon Mar 14 08:03:53 2005] [notice] Child 3308: Child process is running
[Mon Mar 14 08:03:53 2005] [notice] Child 3308: Acquired the start mutex.
[Mon Mar 14 08:03:53 2005] [notice] Child 3308: Starting 250 worker threads.
[Tue Mar 15 07:47:14 2005] [notice] Parent: Created child process 3124
[Tue Mar 15 07:47:20 2005] [notice] Child 3124: Child process is running
[Tue Mar 15 07:47:20 2005] [notice] Child 3124: Acquired the start mutex.
[Tue Mar 15 07:47:20 2005] [notice] Child 3124: Starting 250 worker threads.
[Wed Mar 16 07:48:28 2005] [notice] Parent: Created child process 3152
[Wed Mar 16 07:48:30 2005] [notice] Child 3152: Child process is running
[Wed Mar 16 07:48:30 2005] [notice] Child 3152: Acquired the start mutex.
[Wed Mar 16 07:48:30 2005] [notice] Child 3152: Starting 250 worker threads.
[Thu Mar 17 07:59:56 2005] [notice] Parent: Created child process 3224
[Thu Mar 17 07:59:57 2005] [notice] Child 3224: Child process is running
[Thu Mar 17 07:59:57 2005] [notice] Child 3224: Acquired the start mutex.
[Thu Mar 17 07:59:58 2005] [notice] Child 3224: Starting 250 worker threads.
[Fri Mar 18 07:55:26 2005] [notice] Parent: Created child process 3252
[Fri Mar 18 07:55:27 2005] [notice] Child 3252: Child process is running
[Fri Mar 18 07:55:27 2005] [notice] Child 3252: Acquired the start mutex.
[Fri Mar 18 07:55:27 2005] [notice] Child 3252: Starting 250 worker threads.

HTH
Thomas
Martin Altmann Re: Apache access log - what does this mean?
on Fri, 18 Mar 2005 08:22:30 +0100
Hubert,
exactly! You are guessing right!
I get those types several times a week - but those kiddies do not have any
chance to do anything harmful to me, as I am using XB2.NET as a server.
I have attached some of my log entries - as you can see, they were trying to
get my directory structure.
There were even worse attacks than that - but all of them to no avail so far.


Regards,
Martin
Thomas Braun Re: Apache access log - what does this mean?
on Fri, 18 Mar 2005 08:53:20 +0100
Hubert Brandel wrote:

> 60.232.169.145 - - [10/Mar/2005:06:39:35 +0100] "GET 
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
> HTTP/1.0" 404 331

This is someone trying to exploit a widely known IIS security hole. IIRC it has
been closed for a long time, but there are still thousands of web servers
running old and unpatched versions of IIS.

> 68.142.251.73 - - [10/Mar/2005:08:10:28 +0100] "GET /robots.txt 
> HTTP/1.0" 404 330

This is OK; only something like Google tried to index your pages and
requested robots.txt -> search Google for the meaning of robots.txt.

> 68.142.250.21 - - [10/Mar/2005:08:10:29 +0100] "GET /CGI_TEST.html 
> HTTP/1.0" 304 -
> 
> are these attacks ?

Not necessarily.

> Can I see in this log whether someone got into my Apache server?

I don't think so.

Running a server in a secure way is based on several actions:

- Get rid of every software that is not needed on the server, especially
when running a Windows based server, deactivate all services which are not
needed. This way, you are reducing the potential surface for attacks.

- Read security related news on a regular basis to find out about new
security holes or exploits.

- Keep all of the server's software up to date.

- Limit external access by using a firewall system.

HTH
Thomas Braun
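As an added example (not from the thread or from any poster), a small Python triage script built around the patterns Thomas explains above and in his reply on the error log: the IIS .ida probe, the awstats.pl probe and the robots.txt crawler request. The sample log lines are constructed after the ones quoted in the thread, and the script flags only probes that were actually answered, because a 404 on its own only shows that the request hit nothing.

```python
import re
from typing import NamedTuple

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+$')

# Constructed sample lines modelled on the entries quoted in the thread (not the real log).
SAMPLE_LOG = """\
60.232.169.145 - - [10/Mar/2005:06:39:35 +0100] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 331
68.142.251.73 - - [10/Mar/2005:08:10:28 +0100] "GET /robots.txt HTTP/1.0" 404 330
68.142.250.21 - - [10/Mar/2005:08:10:29 +0100] "GET /CGI_TEST.html HTTP/1.0" 304 -
81.168.227.239 - - [13/Mar/2005:05:11:04 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 200 512
"""

class Finding(NamedTuple):
    host: str
    target: str
    status: int
    label: str
    served: bool  # a known probe answered with 2xx/3xx: the one case worth investigating

def classify(target: str) -> str:
    """Label a request target by the patterns discussed in the thread."""
    path, _, query = target.partition("?")
    if path.endswith("/default.ida") and "%u" in query.lower():
        return "iis-ida-overflow-probe"  # IIS-only handler; Apache has nothing to overflow here
    if path.endswith("/awstats.pl"):
        return "awstats-probe"           # only matters if awstats.pl is actually installed
    if path == "/robots.txt":
        return "crawler"                 # search engines fetch this before indexing
    return "normal"

def triage(log_text: str) -> list[Finding]:
    """Parse common-log-format lines; a 404 on a probe means it hit nothing."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            status, label = int(m["status"]), classify(m["target"])
            findings.append(Finding(m["host"], m["target"], status, label,
                                    label.endswith("-probe") and status < 400))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("INVESTIGATE" if f.served else "ok", f.label, f.status, f.host, f.target)
```

Only the constructed awstats.pl line, answered with 200, gets flagged; the real error log in the thread shows that request failing with "script not found", so there it would stay at "ok".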
Frans Vermeulen Re: Apache access log - what does this mean?
on Fri, 18 Mar 2005 09:24:30 +0100
Hubert, Thomas,

> This someone trying to exploit a widely known IIS security hole. IIRC it is
> closed since a long time but there are still thousands of web servers
> running old and unpatched versions of IIS.

Someone, or something.

I would not know which virus this is in particular, but there are several
viruses known to exploit buffer overflows, and I bet this is also one.

And it was so quiet lately ((

Regards,
Frans Vermeulen

> > Can I see in this log if someone got into my Apacheserver ?
>
> I don't think so.

You can configure Apache to redirect faulty requests to another log.
This limits the amount of suspicious entries in your access.log.

> Running a server in a secure way is based on several actions:
>
> - Get rid of every software that is not needed on the server, especially
> when running a Windows based server, deactivate all services which are not
> needed. This way, you are reducing the potential surface for attacks.

Very true, this is basic/absolutely necessary to be secure.
Thomas Braun Re: Apache access log - what does this mean?
on Fri, 18 Mar 2005 14:49:30 +0100
Frans Vermeulen wrote:

>> This someone trying to exploit a widely known IIS security hole. IIRC it is
>> closed since a long time but there are still thousands of web servers
>> running old and unpatched versions of IIS.
> 
> Someone, or something.

Ah yes, very right... there are uncounted self-spreading attack programs
"in the wild" that are using hijacked web servers as their operating base.

@Hubert: One possible way to find out if your server isn't yours anymore is
monitoring all connections with an external device... using something
like TCPView on the server itself could give false results, as the OS may
have been changed to hide connections or intercept TCPView's operations.

> I would not know which virus this is in particular, but there are several
> viruses known to exploit buffer overflows, and I bet this is also one.
> 
> And it was so quiet lately ((

It is never quiet... you just have to listen carefully enough.

When looking at my web server statistics, there are many attempts to get
through. There is someone constantly trying to use an exploit of OpenSSH
to get in here, but I updated a long time ago, so it is just a PITA
because the Windows event log is filling up with messages from sshd...

Thomas Braun
Hubert Brandel Re: Apache access log - what does this mean?
on Sat, 19 Mar 2005 01:28:59 +0100
Hi,

just for info, my server is behind a hardware firewall which is part of
my DSL router. It is accessed as a virtual host on port 80 and 443.

Bye
Hubert