[CLUE-Tech] annoying attempts to compromise web server

Chris Dos chris at chrisdos.com
Wed Oct 13 11:21:06 MDT 2004


Joseph A. Nagy, Jr. wrote:
> On Wed, Oct 13, 2004 at 09:38:52AM -0600, Charles Oriez wrote the following:
> 
>>At 09:15 AM 10/13/2004, Bruce Ediger wrote:
>>
>>
>>>On Wed, 13 Oct 2004, mike havlicek wrote:
>>>
>>>
>>>>of my linux boxes. Over the last 2 days or so apache
>>>>has been logging (in access_log) attempts from a
>>>>particular IP trying to "run" things like:
>>>>
>>>>67.165.178.202 - - [13/Oct/2004:07:49:58 -0600] "GET
>>>>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
>>>>HTTP/1.0" 404 972 "-" "-"
>>>>
>>>>every 30 to 40 minutes.
>>>>
>>>>Any suggestions on how to deal with this sort of
>>>>thing?
>>>
>>>At one point, (during NIMDA's reign of terror) I put a file full of junk
>>>under the document root directory, in a subdirectory matching what
>>>NIMDA's HTTP  requests asked for.  I guess it used some of my outgoing
>>>bandwidth to send junk bytes to various NIMDA's, but at least I had a
>>>little satisfaction.
>>>
>>>The other thing you could do is put a file in place that would give
>>>back a DIR-like listing to the program in question.  It might use up
>>>a little bit more of the script kiddie's time, getting him/her/it to
>>>look through the listing to decide if he/she/it had an exploit.
>>
>>
>>or redirect it to microsoft.com so that microsoft could inform them that 
>>their machine is owned
>>
>>I'm wondering if something could be put in httpd.conf that would function 
>>as a honeypot
> 
> 
> I used to use sugarplum to handle those, now I just ignore them (too lazy to
> reset up sugarplum).
> 

This is a common worm.  I've been seeing this for the last three years.  If
you want to add protection, set up an iptables firewall, snort, and guardian
to make the firewall active, then you can react to attacks and block further
attempts.

	Chris
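As an added example (not from this thread, and not code from snort, guardian or sugarplum), here is a small Python scanner that parses Apache access_log lines like the one mike quoted, percent-decodes the request path repeatedly so the double-encoded `..%25%35%63..` is revealed as `..\..`, and counts traversal attempts per source IP. The log lines are constructed samples; the `threshold` parameter is an assumption, not something the thread specifies.

```python
import re
from urllib.parse import unquote

# Constructed sample access_log lines; the first mirrors the request quoted
# in the thread, the second and fourth are ordinary benign hits.
SAMPLE_LOG = """\
67.165.178.202 - - [13/Oct/2004:07:49:58 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 972 "-" "-"
192.0.2.10 - - [13/Oct/2004:08:01:12 -0600] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
67.165.178.202 - - [13/Oct/2004:08:22:40 -0600] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 972 "-" "-"
198.51.100.7 - - [13/Oct/2004:08:30:00 -0600] "GET /images/logo.png HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

# Apache common/combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment delimited by either slash style, after decoding.
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def fully_decode(path, max_rounds=3):
    """Percent-decode until stable, so %25%35%63 -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the decoded request path contains a '..' directory step."""
    return bool(TRAVERSAL.search(fully_decode(path)))


def scan(log_text):
    """Return {source_ip: number_of_traversal_requests} for a log excerpt."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits[m.group("ip")] = hits.get(m.group("ip"), 0) + 1
    return hits


def offenders(log_text, threshold=1):
    """Source IPs that reached the (assumed) threshold, in sorted order."""
    return sorted(ip for ip, n in scan(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))        # {'67.165.178.202': 2}
    print(offenders(SAMPLE_LOG))   # ['67.165.178.202']
```

The returned addresses are the kind of list a snort-plus-guardian setup would hand to the firewall; here they are only returned so the decoding step can be checked by hand.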
