[Dshield] Weird Apache log entries

Keith Smith keith.smith at keiths-place.com
Sat Aug 10 19:35:28 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, this brings back some memories.

The good news: This is not a virus or a new tool.
The bad news: What you have here is a classic example of cross linked files - at least the two mentioned, possibly more.

Cross linked files were relegated to the past when NTFS came in, so I'm willing to bet that your F: drive is sitting on a FAT partition.

Without giving a lecture on the nature of file systems and FAT in particular you have, in short, a corrupted disk.  The two files listed have become cross linked with another allocation chain - imagine two roads: You are driving down road A and come to a detour which puts you on road B, but there is no detour to return you to road A, so you wind up going to wherever road B takes you.  The rest of road A is there, you just can't get to it.

This why the Apache log messages start up again at the end of the file. When the system came back up, it just started appending to the file.

You need to run a file system check and delete all the cross linked files.  If the cross links have happened on deleted files then you are probably OK, if the cross links are on files that are in use elsewhere, well then you have might have a problem.

Good luck.

Regards,
Keith.


> -----Original Message-----
> From: list-admin at dshield.org [mailto:list-admin at dshield.org] 
> On Behalf Of Sixonetonoffun1 at aol.com
> Sent: Saturday, 10 August 2002 3:23 a.m.
> To: list at dshield.org
> Subject: [Dshield] Weird Apache log entries
> 
>
> Hello all,
> This is slightly off topic but I could sure use some
> enlightenment with this.
> 
> Yesterday I was working on debugging a php postcard script.
> Which crashed my server a couple times. (Not unheard of heh?)
> Tonight when I was going through the logs trying to get 
> some clue to what was wrong I came accross some entries 
> I had never seen in the log before.
> 
> Now this is a dual boot win98se on C:/
> F:\ has win2k sp3 Apache/Perl/Python/php/MySQL  setup.
> Running as win2k at the time. Snort didn't show any out of the ordinary 
> rules being triggered. Nor did anything unusual show up in the ZoneAlarm log..
> 
> So is this some tool or worm? Or just a side effect of crashing the webserver?
> I fumbled around from the command prompt and was unable to find any of these 
> directories/files.
> 
> This is what I found after a long bunch of jibberish I at first attributed to my crash.
> These don't even look like Apache log entries to me.
> 
> Source 0: copy D:\WINDOWS_XP_PRO_CORPORATE_FINAL\I386\netepicn.in_ to C:\$WIN_NT$.~LS\I386\netepicn.in_ [OK]
> Source 0: copy D:\WINDOWS_XP_PRO_CORPORATE_FINAL\I386\netepro.in_ to C:\$WIN_NT$.~LS\I386\netepro.in_ [OK]
> Source 0: copy D:\WINDOWS_XP_PRO_CORPORATE_FINAL\I386\netex10.in_ to C:\$WIN_NT$.~LS\I386\netex10.in_ [OK]
> Source 0: copy D:\WINDOWS_XP_PRO_CORPORATE_FINAL\I386\netf56n5.in_ to C:\$WIN_NT$.~LS\I386\netf56n5.in_ [OK]
> 
> I posted the parts of the Apache logs here.
> 
> http://members.lycos.co.uk/mirrorz/error.txt
> size  254 KB
> http://members.lycos.co.uk/mirrorz/access.txt
> size  211 KB
> 
> Thanks, Peter
>  

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt

iQA/AwUBPVVc8L0tREWslyrAEQJGzACg/Y5Kmko7n2JMKAI9ccvt2JKySX8AoPyU
YRrDoNldiKygsV1YXWKJ7Emr
=XR5H
-----END PGP SIGNATURE-----





More information about the list mailing list