Odd file requests


rogair
09-20-2001, 11:38 AM
One of my servers just got hit with a bunch of strange file requests. They are clearly directed towards a windows server (which this is not). Here are a few of the requests.

/scripts/..%5c../winnt/system32/cmd.exe
/scripts/root.exe
/MSADC/root.exe
/c/winnt/system32/cmd.exe

And MANY others. There were a few thousand of these types of requests just yesterday. Has anyone seen this type of request before and know what it may be? Are they automated hacker tools? I don't run any Windows webservers so I've not seen this before, nor do I know the standard locations for files.

Thanks

toma42
09-20-2001, 12:17 PM
It's a new worm. Below are my countermeasures, put in a virtual server which is accessible by IP only.

1. A script called scripts, with a .htaccess file like this:
<Files scripts>
ForceType application/x-httpd-php
</Files>
<Files msadc>
ForceType application/x-httpd-php
</Files>
<Files _vti_bin>
ForceType application/x-httpd-php
</Files>

_vti_bin and msadc are symlinks to scripts.

This is the body of scripts:
<?php
/**
* This script will block any ip address which tries to exploit
* known IIS bugs. The ip will be blocked for this web site by
* ip only (so ets.dhs.org will still work) and it will add the
* ip to the hosts.deny file
*/

set_time_limit(0);

// Read the client address and request URI from $_SERVER instead of
// relying on register_globals
$remote_addr = $_SERVER['REMOTE_ADDR'];
$request_uri = $_SERVER['REQUEST_URI'];

// Block the ip from http (appended to the ip-only vhost's .htaccess)
error_log("Deny from $remote_addr\n", 3, '/var/www/iponly/.htaccess');

// Add to user readable log
error_log(date("M d Y H:i.s") . " - $remote_addr blocked because of $request_uri\n", 3, "/var/www/iponly/blocklog");

// Block the ip from server (tcp_wrappers hosts.deny)
error_log("ALL: $remote_addr\n", 3, '/etc/hosts.deny');

// Drop the notify file on the infected host's C$ share and keep smbclient's
// output; the address is shell-escaped before it is interpolated
$addr = escapeshellarg($remote_addr);
error_log(shell_exec("smbclient //$addr/C\$ -N -I $addr < /var/www/iponly/notify") . "\n\n", 3, '/var/www/iponly/smblog');
?>

This is the text of notify:
PUT You_Are_Infected.txt

This is the text of You_Are_Infected.txt:
"
This computer tried to infect my computer. My computer put this text file here
automatically to let you know you are infected.

You can get more information here:
http://www.newsbytes.com/news/01/170225.html
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.shtml
"

It's working really well for me. My stats show 90% of the machines hitting me are Win NT and 10% are Win 2000.
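The request paths rogair quoted and the blocking idea in toma42's post, turned into a log-scanning check. This is an added example, not code from either poster. It parses Apache common-log lines (the sample lines are constructed for this example), decodes the request path (decoding twice so a double-encoded backslash is also caught, which goes beyond what the thread shows), flags paths matching the IIS probe signatures quoted in the thread, and emits the same "Deny from" lines toma42's script appends to .htaccess. The function names, the signature list, the threshold parameter and the sample IPs are this example's own assumptions.

```python
"""Flag IIS/Nimda-style probe requests in Apache common-log lines and emit
the 'Deny from' lines toma42's .htaccess approach appends (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures built from the request paths quoted in the thread; they are
# matched against the decoded, backslash-normalised path.
SIGNATURES = [
    ("cmd.exe",   re.compile(r"/winnt/system32/cmd\.exe$", re.I)),
    ("root.exe",  re.compile(r"/root\.exe$", re.I)),
    ("msadc",     re.compile(r"^/msadc/", re.I)),
    ("vti_bin",   re.compile(r"^/_vti_bin/", re.I)),
    ("traversal", re.compile(r"(^|/)\.\.(/|$)")),
]


def normalize_path(path):
    """Strip the query string, percent-decode twice (assumption: also catch
    double-encoded %255c), and map backslashes to slashes."""
    path = path.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def classify(path):
    """Return the names of every signature the request path matches."""
    norm = normalize_path(path)
    return [name for name, rx in SIGNATURES if rx.search(norm)]


def scan(lines):
    """Map each client IP to the list of (raw path, matched signatures)
    for every probe-looking request; unparseable lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["path"])
        if tags:
            hits[m["ip"]].append((m["path"], tags))
    return dict(hits)


def deny_lines(hits, threshold=1):
    """Apache 'Deny from' lines for IPs with at least `threshold` probes,
    in the same form toma42's script writes to .htaccess."""
    return [f"Deny from {ip}" for ip in sorted(hits) if len(hits[ip]) >= threshold]


# Constructed sample log lines using the paths quoted in the thread.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2001:08:14:02 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 276',
    '10.0.0.5 - - [19/Sep/2001:08:14:02 -0400] "GET /scripts/root.exe HTTP/1.0" 404 276',
    '10.0.0.5 - - [19/Sep/2001:08:14:03 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 276',
    '192.0.2.10 - - [19/Sep/2001:08:15:11 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [19/Sep/2001:08:16:40 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 276',
    'garbage line that is not in common log format',
]

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for ip, entries in report.items():
        for path, tags in entries:
            print(f"{ip}\t{path}\t{','.join(tags)}")
    print("\n".join(deny_lines(report)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the threshold lets you require more than one probe before writing a deny line, which avoids blocking a client on a single false positive.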

rogair
09-20-2001, 01:32 PM
Thanks for the info.

Roger