Re: strange logs

[flurdoing <flur () flurnet org>]

I believe the log you posted illustrates attempts to exploit a buffer
overflow exploit in Core MS Windows DLL (CA-2003-09). It is likely a
worm operating without the knowledge of the user behind the IP in
question. You can probably alert them over the Kazaa Network ;)

The bug does not effect Apache, only IIS, thus you should not be too
alarmed. However, be advised that I'm only making educated guesses as
you did not include the actual page request that the user made. Based on
your 'grep' i'm assuming that it is an ugly 32,000 char long request
starting with "SEARCH /\x90\x02" etc. 

As for the two IPs belonging to the same person, one must ask whether
the segment is generally statically or dynamically assigned by the ISP.
Also it'd be a good idea to frame your logs with timestamps such that
you can determine whether or not an IP change in the event of a dynamic
IP is feasible.

Hope that helped,
flurdoing.

On Thu, 2004-07-08 at 19:18, jpc wrote:
> Has anyone seen this error (see below)in the apache log.
> It appears someone is trying to mess with my server.
> Notice how the ip changes from 69.209.152.51 to 69.192.139.207--this may be two
> different people I guess.
> The first ip is using the same provider as I am. My IP was 69.209.152.xxx at
> the time.
> This has been happening since the 4th.
> Any ideas? I googled the error message and couldn't find much.
>
> Here is some info on the ip's
>
> nmap 69.209.152.51
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
> at 2004-07-08 15:54 EDT
> Interesting ports on adsl-69-209-152-51.dsl.sfldmi.ameritech.net
> (69.209.152.51):
> (The 1650 ports scanned but not shown below are in state: closed)
> PORT     STATE    SERVICE
> 113/tcp  open     auth
> 135/tcp  filtered msrpc
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds
> 559/tcp  open     teedtap
> 1025/tcp filtered NFS-or-IIS
> 5000/tcp open     UPnP
>
>
> nmap 69.192.139.207
>
> Starting nmap 3.45 ( http://www.insecure.org/nmap/ )
> at 2004-07-08 16:04 EDT
> Interesting ports on CPE001095ca02cb-CM0010954a02cb.cpe.net.cable.rogers.com
> (69.192.139.207):
> (The 1642 ports scanned but not shown below are in state: closed)
> PORT     STATE    SERVICE
> 80/tcp   open     http
> 113/tcp  open     auth
> 135/tcp  filtered msrpc
> 137/tcp  filtered netbios-ns
> 138/tcp  filtered netbios-dgm
> 139/tcp  filtered netbios-ssn
> 445/tcp  filtered microsoft-ds
> 641/tcp  open     unknown
> 665/tcp  open     unknown
> 1025/tcp open     NFS-or-IIS
> 1080/tcp filtered socks
> 1214/tcp open     fasttrack
> 1434/tcp filtered ms-sql-m
> 3531/tcp open     peerenabler
> 5000/tcp open     UPnP
>
>
> I went to the site 69.192.139.207 with my browser and a blank page appeared.
> There seems to be a web server running on it. So I tried this...
>
> telnet 69.192.139.207 80
> Trying 69.192.139.207...
> Connected to 69.192.139.207.
> Escape character is '^]'.
> GET index.htm
> HTTP/1.0 501 Not Implemented
> X-Kazaa-Username: Babie_Gurl
> X-Kazaa-Network: KaZaA
> X-Kazaa-IP: 69.192.139.207:2692
> X-Kazaa-SupernodeIP: 69.70.73.172:2215
>
> Who the hell is Babie_Gurl??? :)
>
>
>
>
>
>
>
> root@www:/var/log/apache# tail -f  error_log | grep -v 'x90'
>
> [Thu Jul  8 15:19:36 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:22:44 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI
> too long
> [Thu Jul  8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI
> too long
>
> root@www:/var/log/apache# tail -f  error_log | grep -v 'x90'
> [Thu Jul  8 15:30:55 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:33:39 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:37:05 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:41:01 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:41:26 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:43:17 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:47:41 2004] [error] [client 69.192.139.207] request failed: URI
> too long
> [Thu Jul  8 15:49:56 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:53:34 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:54:02 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:58:41 2004] [error] [client 69.209.152.51] request failed: URI
> too long
> [Thu Jul  8 15:58:53 2004] [error] [client 69.209.152.51] request failed: URI
> too long
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------