[Dshield] Weird Apache log entries

Jim Gifford maillist at jg555.com
Sat Aug 10 18:52:16 GMT 2002


Unfortunatly I have seen this before. You have same cross-linked clusters in
the File Allocation Table. From what I see I can tell you are running a
Windows product. Are you using FAT or NTFS? If you are running FAT you can
use chkdsk to see the crosslink clusters. If your are running NTFS, you need
to force a disk check and look at the output to see which files are
affected.

Now to fix the problem you will have to delete the cross-linked files and
reinstall the applications affected by this.

Let me know what version of Windows you are using, I have developed a few
procedures on fixing this at my site, It will probaly help you out.

----- Original Message -----
From: <Sixonetonoffun1 at aol.com>
To: <list at dshield.org>
Sent: Friday, August 09, 2002 6:23 PM
Subject: [Dshield] Weird Apache log entries


>
>


----------------------------------------------------------------------------
----


Hello all,
This is slightly off topic but I could sure use some
enlightenment with this.

Yesterday I was working on debugging a php postcard script.
Which crashed my server a couple times. (Not unheard of heh?)
Tonight when I was going through the logs trying to get
some clue to what was wrong I came accross some entries
I had never seen in the log before.

Now this is a dual boot win98se on C:/
F:\ has win2k sp3 Apache/Perl/Python/php/MySQL  setup.
Running as win2k at the time. Snort didn't show any out of the ordinary
rules being triggered. Nor did anything unusual show up in the ZoneAlarm
log.

So is this some tool or worm? Or just a side effect of crashing the
webserver?
I fumbled around from the command prompt and was unable to find any of these
directories/files.

This is what I found after a long bunch of jibberish I at first attributed
to my crash.
These don't even look like Apache log entries to me.

Source 0: copy D:\WINDOWS_XP_PRO_CORPORATE_FINAL\I386\netepicn.in_ to
C:\$WIN_NT$.~LS\I386\netepicn.in_ [OK]
Source 0: copy D:\WINDOWS_XP_PRO_CORPORATE_FINAL\I386\netepro.in_ to
C:\$WIN_NT$.~LS\I386\netepro.in_ [OK]
Source 0: copy D:\WINDOWS_XP_PRO_CORPORATE_FINAL\I386\netex10.in_ to
C:\$WIN_NT$.~LS\I386\netex10.in_ [OK]
Source 0: copy D:\WINDOWS_XP_PRO_CORPORATE_FINAL\I386\netf56n5.in_ to
C:\$WIN_NT$.~LS\I386\netf56n5.in_ [OK]

I posted the parts of the Apache logs here.

http://members.lycos.co.uk/mirrorz/error.txt
size  254 KB
http://members.lycos.co.uk/mirrorz/access.txt
size  211 KB

Thanks, Peter




More information about the list mailing list