[Dshield] Server

Glenn Jarvis gaj at uppergroove.ca
Fri Aug 19 12:44:29 GMT 2005


Stephane Grobety responded:

>Awstats is known to have several remotely exploitable vulnerabilities and
>it's a popular entry door into systems. I see such a scan twice a day
>on web-serving machines.
>
>I can't tell you if your machine really has been compromised from what
>you're saying: how are these folders being "accessed"? What are you
>looking at? HTTP logs? If so, check the return code: if it's 403 or
>404, you should be fine. If it's 200, 50x or similar then you're
>probably owned.
>
I found some lines that I can show. At first, I saw these:

12.44.172.92 - - [06/Aug/2005:21:51:34 -0400] "GET /downloads/?M=A HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:21:51:43 -0400] "GET /downloads/?S=A HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:21:51:56 -0400] "GET /downloads/?D=A HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"

Accessing that directory is fine, but the /?M=A, I have no idea what 
that is... however, you then eventually see lines where they have 
downloaded every demo edition of our products. I know, so what... I found 
a pattern:

12.44.172.92 - - [06/Aug/2005:21:57:34 -0400] "GET /downloads/?N=A HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:21:57:53 -0400] "GET /downloads/?M=D HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:21:58:03 -0400] "GET /downloads/?S=D HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:21:58:17 -0400] "GET /downloads/?D=D HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:21:58:35 -0400] "GET /icons/ HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:21:58:51 -0400] "GET /icons HTTP/1.0" 404 1874 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:21:59:05 -0400] "GET /downloads?N=D HTTP/1.0" 301 319 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:21:59:23 -0400] "GET /icons/?N=D HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:21:59:41 -0400] "GET /icons/?M=A HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:21:59:56 -0400] "GET /icons/?S=A HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:00:13 -0400] "GET /icons/?D=A HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:00:29 -0400] "GET /icons/image2.gif HTTP/1.0" 200 309 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:00:39 -0400] "GET /icons/a.gif HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:00:55 -0400] "GET /icons/a.png HTTP/1.0" 200 293 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:01:10 -0400] "GET /icons/alert.black.gif HTTP/1.0" 200 242 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:01:28 -0400] "GET /icons/alert.black.png HTTP/1.0" 200 279 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:01:43 -0400] "GET /icons/alert.red.gif HTTP/1.0" 200 247 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:01:53 -0400] "GET /icons/alert.red.png HTTP/1.0" 200 298 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:02:05 -0400] "GET /icons/apache_pb.gif HTTP/1.0" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:02:16 -0400] "GET /icons/apache_pb.png HTTP/1.0" 200 1385 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:02:25 -0400] "GET /icons/back.png HTTP/1.0" 200 284 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:02:36 -0400] "GET /icons/ball.gray.gif HTTP/1.0" 200 233 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:02:45 -0400] "GET /icons/ball.gray.png HTTP/1.0" 200 277 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:03:04 -0400] "GET /icons/ball.red.gif HTTP/1.0" 200 205 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:03:26 -0400] "GET /icons/ball.red.png HTTP/1.0" 200 265 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:03:41 -0400] "GET /icons/binary.png HTTP/1.0" 200 296 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:03:55 -0400] "GET /icons/binhex.gif HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:04:07 -0400] "GET /icons/binhex.png HTTP/1.0" 200 304 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:04:18 -0400] "GET /icons/blank.png HTTP/1.0" 200 195 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"

They download all the icons from the awstats directory (I just didn't include all the lines)... however, as you see below, they then get even deeper into the directory tree:


12.44.172.92 - - [06/Aug/2005:22:36:20 -0400] "GET /icons/?N=A HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:36:36 -0400] "GET /icons/?M=D HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:36:55 -0400] "GET /icons/?S=D HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:37:14 -0400] "GET /icons/?D=D HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:37:29 -0400] "GET /icons/small/?N=D HTTP/1.0" 200 8072 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:37:45 -0400] "GET /icons/small/?M=A HTTP/1.0" 200 8072 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:38:01 -0400] "GET /icons/small/?S=A HTTP/1.0" 200 8072 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:38:19 -0400] "GET /icons/small/?D=A HTTP/1.0" 200 8072 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:38:40 -0400] "GET /icons/small/back.gif HTTP/1.0" 200 129 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"


If that wasn't bad enough, they get into the main directory and download 
the entire site:

12.44.181.220 - - [06/Aug/2005:22:54:25 -0400] "GET /?N=D HTTP/1.0" 200 17446 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:54:47 -0400] "GET /icons/small HTTP/1.0" 301 317 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:55:01 -0400] "GET /sitelogo.jpg HTTP/1.0" 200 14225 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:55:14 -0400] "GET /menutop.jpg HTTP/1.0" 200 7409 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:55:32 -0400] "GET /index.html HTTP/1.0" 200 17446 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:55:50 -0400] "GET /mainpage.jpg HTTP/1.0" 200 2809 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:56:03 -0400] "GET /about.htm HTTP/1.0" 200 8711 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:56:23 -0400] "GET /aboutus.jpg HTTP/1.0" 200 2718 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:56:37 -0400] "GET /downloads.htm HTTP/1.0" 200 15851 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:57:01 -0400] "GET /downloads.jpg HTTP/1.0" 200 2912 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:57:15 -0400] "GET /storefront.htm HTTP/1.0" 200 18141 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:57:31 -0400] "GET /ourstore.jpg HTTP/1.0" 200 2776 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:57:51 -0400] "GET /support.htm HTTP/1.0" 200 15878 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:58:07 -0400] "GET /support.jpg HTTP/1.0" 200 2631 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
70.111.204.67 - - [06/Aug/2005:22:58:18 -0400] "GET /logo.gif HTTP/1.1" 200 1717 "http://www.gamealbum.com/Games/Arcade/index4.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
63.160.77.236 - - [06/Aug/2005:22:58:23 -0400] "GET /links.htm HTTP/1.0" 200 17536 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:58:44 -0400] "GET /links.jpg HTTP/1.0" 200 2279 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:22:59:05 -0400] "GET /suggestedproducts.htm HTTP/1.0" 200 26069 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:22:59:29 -0400] "GET /other.jpg HTTP/1.0" 200 2973 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:22:59:54 -0400] "GET /contact.jpg HTTP/1.0" 200 2873 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:23:00:07 -0400] "GET /menubottom.gif HTTP/1.0" 200 2150 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"

Then into the images directory (it's normal for download sites, etc. to 
access this directory, but not like this...):

12.44.172.92 - - [06/Aug/2005:23:02:01 -0400] "GET /images/freebus2buy.gif HTTP/1.0" 200 1503 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"

12.44.181.220 - - [06/Aug/2005:23:32:36 -0400] "GET /images/?M=A HTTP/1.0" 200 17077 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:23:32:54 -0400] "GET /images/?S=A HTTP/1.0" 200 17077 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:23:33:13 -0400] "GET /images/?D=A HTTP/1.0" 200 17077 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:23:33:34 -0400] "GET /images/120x240_money_anim.gif HTTP/1.0" 200 14226 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:23:33:46 -0400] "GET /images/120x60_money_anim.gif HTTP/1.0" 200 13542 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:23:33:56 -0400] "GET /images/30_day_money_back_sm.jpg HTTP/1.0" 200 3795 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:23:34:07 -0400] "GET /images/30day.jpg HTTP/1.0" 200 5619 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:23:34:32 -0400] "GET /images/480x60_money_anim_top.gif HTTP/1.0" 200 14226 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.172.92 - - [06/Aug/2005:23:34:44 -0400] "GET /images/AmEx.gif HTTP/1.0" 200 1648 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
63.160.77.236 - - [06/Aug/2005:23:34:56 -0400] "GET /images/Download.gif HTTP/1.0" 200 5985 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
12.44.181.220 - - [06/Aug/2005:23:35:09 -0400] "GET /images/Thumbs.db HTTP/1.0" 200 3072 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"


How do I know the part above isn't normal? Because some of the images are 
not actually used on the site anymore.
Now, I don't think I'm being paranoid, but I have a feeling someone 
literally got into the server, unauthorized. I use a hosting company, but 
before I contact them, I wanted to be absolutely sure about what I'm 
looking at and my conclusions.

Glenn
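A small triage script for logs like the ones quoted above, added here as an example and not part of the original thread. It parses Apache combined-format lines, picks out the mod_autoindex column-sort requests (?N=, ?M=, ?S=, ?D= with A or D) that mark a client walking directory listings, groups them by client IP, and applies the status-code rule from Stephane's reply (403/404 denied, 200 or 50x served). The log lines are constructed for the example using documentation IP ranges, not taken from Glenn's server.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the same layout as the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# mod_autoindex sort query strings: N=name, M=modified, S=size, D=description,
# each ascending (A) or descending (D). Such a query only makes sense against a
# directory index, so a 200 here means the server handed out a listing.
SORT_RE = re.compile(r'^[NMSD]=[AD]$')

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['path'], _, rec['query'] = rec['target'].partition('?')
    rec['status'] = int(rec['status'])
    return rec

def triage_status(status):
    """Status-code rule from the reply: 403/404 fine; 200 or 50x means it was served."""
    if status in (403, 404):
        return 'denied'
    if status == 200 or 500 <= status < 600:
        return 'served'
    return 'other'

def find_listing_probes(lines):
    """Return {ip: [(path, query, status, verdict), ...]} for autoindex sort requests."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SORT_RE.match(rec['query']):
            continue
        hits[rec['ip']].append((rec['path'], rec['query'], rec['status'],
                                triage_status(rec['status'])))
    return dict(hits)

def served_listings(hits):
    """Directories whose index was actually served (the 200s worth following up)."""
    return sorted({p for recs in hits.values() for p, _, _, v in recs if v == 'served'})

# Constructed sample lines (documentation IP ranges), modelled on the post's log excerpt.
SAMPLE = """\
192.0.2.10 - - [06/Aug/2005:21:51:34 -0400] "GET /downloads/?M=A HTTP/1.0" 200 4205 "-" "Mozilla/4.0 (compatible; MSIE 4.0)"
198.51.100.7 - - [06/Aug/2005:21:51:43 -0400] "GET /icons/?S=A HTTP/1.0" 200 18548 "-" "Mozilla/4.0 (compatible; MSIE 4.0)"
192.0.2.10 - - [06/Aug/2005:21:52:01 -0400] "GET /private/?N=D HTTP/1.0" 403 289 "-" "Mozilla/4.0 (compatible; MSIE 4.0)"
203.0.113.5 - - [06/Aug/2005:21:53:10 -0400] "GET /index.html HTTP/1.1" 200 17446 "http://example.invalid/" "Mozilla/5.0"
""".splitlines()
```

Run `served_listings(find_listing_probes(SAMPLE))` to get the list of directories that answered a listing request with 200; the 403 on /private/ and the ordinary page fetch from the third client drop out of that list.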



