I was just casually checking my access logs on Apache (v1.3.29 on Debian GNU/Linux testing/unstable) and found the following:
Part 1:
10.10.180.2 - - [08/Feb/2004:17:47:37 +0530] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"
10.10.180.2 - - [08/Feb/2004:19:17:29 +0530] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"
10.10.73.21 - - [08/Feb/2004:19:32:07 +0530] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"
10.10.73.21 - - [08/Feb/2004:19:56:16 +0530] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"
10.10.73.21 - - [08/Feb/2004:20:17:33 +0530] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"
10.10.180.2 - - [08/Feb/2004:20:45:28 +0530] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"
10.10.180.2 - - [08/Feb/2004:21:12:51 +0530] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"
Part 2:
211.161.172.142 - - [09/Feb/2004:02:09:21 +0530] "\x04\x01" 501 - "-" "-"
211.161.172.142 - - [09/Feb/2004:02:09:41 +0530] "\x05\x01" 501 - "-" "-"
211.161.172.142 - - [09/Feb/2004:02:09:45 +0530] "CONNECT 211.150.96.21:25 HTTP/1.1" 405 313 "-" "-"
From what I know, in Part 1, someone is trying to cause some kind of overflow with the request string and in part 2
someone is trying to access another system's SMTP port through my web server.
What I want to know is whether it is possible to tell whether the cracker was successful in his attempts and, secondly, how much of a threat this is to me.
And also, is there a way to identify a network (location, names, etc.) from its IP address? I'd like to track this guy down to find out who he is.
Regards, Siddhesh.
Siddhesh Poyarekar sssp@softhome.net
Fortune Says:
You will get what you deserve.
Sometime Today, Siddhesh Poyarekar assembled some asciibets to say:
> 10.10.180.2 - - [08/Feb/2004:17:47:37 +0530] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"
nimda - harmless, affects MS IIS.
> 211.161.172.142 - - [09/Feb/2004:02:09:45 +0530] "CONNECT 211.150.96.21:25 HTTP/1.1" 405 313 "-" "-"
you have an open relay - serious problem, solution below
> From what I know, in Part 1, someone is trying to cause some kind of overflow with the request string and in part 2 someone is trying to access another system's SMTP port through my web server.
right
> What I want to know is whether it is possible to tell whether the cracker was successful in his attempts and, secondly, how much of a threat this is to me.
In this case the attack was from a windows worm known as WIN32.NIMDA. It affects MS IIS web servers. The only effect it will have on you is decreased performance because of increased server load (your server has to serve 404 responses). You can block the IP addresses that hit you with this, but you'll have to do this actively.
> And also, is there a way to identify a network (location, names, etc.) from its IP address? I'd like to track this guy down to find out who he is.
Use whois to find out the network. Then send a mail to the network admin.
For your second problem, that of the open relay, add this to your httpd.conf file:

    <Location />
        <LimitExcept HEAD GET POST PUT>
            Order deny,allow
            deny from all
        </LimitExcept>
    </Location>
On 09/02/04 20:57 +0530, Philip S Tellis wrote: <snip>
> 211.161.172.142 - - [09/Feb/2004:02:09:45 +0530] "CONNECT 211.150.96.21:25 HTTP/1.1" 405 313 "-" "-"
> you have an open relay - serious problem, solution below
No. He does not have an open proxy. The HTTP error code was 405.
Devdas Bhagat
Sometime on Feb 10, Devdas Bhagat assembled some asciibets to say:
> you have an open relay - serious problem, solution below
> No. He does not have an open proxy. The HTTP error code was 405.
Right you are. No idea how I saw a 200 in there.
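As an added example (not code from any poster in this thread), here is a small Python log scanner that parses Apache combined-format lines like the ones above, flags the two patterns the thread discusses (default.ida worm probes and CONNECT relay attempts) and uses the status code to answer the "was he successful" question the way Devdas did: a CONNECT answered with 405 was refused, while a 2xx would mean the server actually tunnelled it. The sample log lines embedded in the script are constructed, not the poster's full log.

```python
import re

# Apache combined-format log line, the shape of the Part 1 / Part 2 entries above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: a shortened default.ida probe, the refused CONNECT
# from the thread (405), a hypothetical CONNECT that *was* served (200), and
# one ordinary request.  These are made-up lines, not the poster's full log.
SAMPLE_LOG = """\
10.10.180.2 - - [08/Feb/2004:17:47:37 +0530] "GET /default.ida?XXXX%u9090%u6858%ucbd3=a HTTP/1.0" 404 271 "-" "-"
211.161.172.142 - - [09/Feb/2004:02:09:45 +0530] "CONNECT 211.150.96.21:25 HTTP/1.1" 405 313 "-" "-"
192.0.2.10 - - [09/Feb/2004:03:00:00 +0530] "CONNECT 192.0.2.20:25 HTTP/1.1" 200 - "-" "-"
10.10.73.21 - - [08/Feb/2004:19:00:00 +0530] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
"""

def classify(line):
    """Return (ip, category, outcome) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, req, status = m.group("ip"), m.group("req"), int(m.group("status"))
    parts = req.split(" ")
    method, path = parts[0], parts[1] if len(parts) > 1 else ""
    if method == "CONNECT":
        # A CONNECT to port 25 on a third host is a relay probe.  Whether it
        # succeeded is in the status code: 2xx means the tunnel was opened
        # (open proxy), while 405/403 means the server refused it.
        opened = 200 <= status < 300
        return (ip, "connect-relay-probe", "open-proxy" if opened else "refused")
    if path.startswith("/default.ida") and "%u" in path:
        # IIS .ida worm probe; a non-IIS server just answers 404.
        return (ip, "ida-worm-probe", "harmless-404" if status == 404 else "check")
    return (ip, "normal", "none")

def scan(log_text):
    """Classify every line and return only the suspicious ones."""
    return [r for r in (classify(l) for l in log_text.splitlines())
            if r is not None and r[1] != "normal"]

if __name__ == "__main__":
    for ip, category, outcome in scan(SAMPLE_LOG):
        print(f"{ip:16} {category:20} {outcome}")
```

Run it against a real access_log by reading the file into scan(); any CONNECT line reported as "open-proxy" is the case that would actually warrant Philip's LimitExcept fix.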