x90\x90\

ret

my access log contains x90\x90\

What's that again? Log file full? Or attempts at being hacked?

2.3M access_log
2.9M access_log.1
34M access_log.2
39M access_log.3
55M access_log.4
 
Just x90\x90\ on a line of its own?

Can you please show us an example in context?

Thanks.

Jeff
 
Code:
81.241.202.87 - - [29/Jun/2004:21:34:51 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:53 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:55 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:56 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:58 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:34:59 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:35:03 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
81.241.202.87 - - [29/Jun/2004:21:35:04 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"


Trying to find Windows exploits or so?
this is my log file filled with
Code:
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 271 "-" "-"
61.220.98.26 - - [30/Jun/2004:20:27:00 +0200] "GET /sumthin HTTP/1.0" 404 - "-" "-"
82.49.98.55 - - [01/Jul/2004:07:13:36 +0200] "CONNECT 207.46.133.140:21 HTTP/1.0" 403 - "-" "-"
80.109.27.118 - - [01/Jul/2004:09:43:10 +0200] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
 
It looks as if they may be attempted Windows exploits.

But I'm not sure.

Jeff
 
81.23xxxx - - [29/Jun/2004:15:32:18 +0200] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\
 
They are looking for buffer overflows; if you noticed, that request is over 32k. I have been getting a bunch of these too lately.
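A small triage script for the kind of lines quoted in this thread, added here as an example and not taken from any poster: it tags each Apache access-log line with the probe family it matches (cmd.exe/root.exe, double-encoded traversal, default.ida, logged 0x90 sleds, SEARCH with a binary payload), separates probe lines from ordinary traffic so they can be kept in a side file rather than discarded, and counts families per source IP. The sample lines are constructed from the requests above (the sled is shortened and the masked 81.23xxxx host is replaced by a documentation address); the 4 KB size threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined format: ip ident user [time] "request" status size ...
# The request group tolerates Apache's backslash escapes (\x90, \").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3})')

# Probe families seen in the thread. Patterns run on the raw request line, so
# double-encoded (%255c) and overlong-UTF-8 (%c1%1c) traversals are matched as
# logged rather than after decoding.
SIGNATURES = [
    ("iis-cmdshell",  re.compile(r'(?:cmd|root)\.exe', re.I)),
    ("iis-traversal", re.compile(r'\.\.(?:%255c|%5c|%c1%1c|%c0%af)', re.I)),
    ("codered",       re.compile(r'/default\.ida\?', re.I)),
    ("nop-sled",      re.compile(r'(?:\\x90){8,}')),   # 8+ logged 0x90 bytes in a row
    ("webdav-search", re.compile(r'^SEARCH /\\x')),    # SEARCH with a binary payload
]
MAX_REQ = 4096  # assumed threshold; the 414 lines in the thread were far larger

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(line):
    """Return the probe families a line matches (empty list = ordinary traffic)."""
    rec = parse(line)
    if rec is None:
        return ["unparseable"]
    tags = [name for name, rx in SIGNATURES if rx.search(rec["req"])]
    if len(rec["req"]) > MAX_REQ:
        tags.append("oversized-request")
    return tags

def split_log(lines):
    """Separate probe lines from clean traffic and count families per source IP.
    Returns (clean_lines, probe_lines, {ip: Counter})."""
    clean, probes, per_ip = [], [], defaultdict(Counter)
    for line in lines:
        tags = classify(line)
        if not tags:
            clean.append(line)
            continue
        probes.append(line)
        per_ip[(parse(line) or {}).get("ip", "?")].update(tags)
    return clean, probes, dict(per_ip)

# Constructed sample built from the requests quoted in the thread.
SAMPLE = [
    '81.241.202.87 - - [29/Jun/2004:21:34:51 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '81.241.202.87 - - [29/Jun/2004:21:34:58 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '81.23.206.226 - - [08/Jul/2004:12:29:40 +0200] "GET /default.ida?' + 'X' * 224 + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 - "-" "-"',
    '192.0.2.10 - - [29/Jun/2004:15:32:18 +0200] "SEARCH /' + r'\x90' * 1100 + ' HTTP/1.1" 414 271 "-" "-"',
    '192.0.2.20 - - [01/Jul/2004:10:00:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]
```

Feed it the whole access_log and write the probe lines to a separate file: the evidence is kept for correlation, while the main log stays readable.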
 
I have the same logs.

Do you have an idea as to how we could not log these?
 
got this from another forum:

Code:
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>

Maybe this is a good solution? Redirect the requests?
 
Put that in httpd.conf and it works fine.

It still won't prevent log accumulation.
 
ret said:
got this from another forum:

Code:
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>

Maybe this is a good solution? Redirect the requests?


Haha.. too funny. :)

John
 
DirectAdmin Support said:
Haha.. too funny. :)
I wonder how many people the humor is lost on.

For anyone who can't figure it out, what that does is whenever someone tries an IIS-based vulnerability attack on your server, it gets redirected to the Microsoft website.

As kriak pointed out, it won't help your logs any, and it does impact Microsoft to some minor extent. Under US law and under Washington law, redirecting to Microsoft could be illegal, and might even be a criminal act.

Jeff
 
You could try:
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)root.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/x90\/(.*)$ http://127.0.0.1
</IfModule>
 
I like the 127.0.0.1 as a solution. With a little luck, it would slow the attacker!

By "attacker", I wouldn't come to the conclusion of a deliberate hacker attempt: it may also be some kind of worm trying to spread using a known exploit on Windows-based systems, as we have seen much too often these last months. That's why I wouldn't be too prompt to block an IP range solely based on these logs.
 
Is this a similar Windows exploit?
81.23.206.226 - - [08/Jul/2004:12:29:40 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 - "-" "-"
 
toml said:
You could try:
<IfModule mod_rewrite.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)root.exe(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://127.0.0.1
RedirectMatch permanent (.*)\/x90\/(.*)$ http://127.0.0.1
</IfModule>

And where would I add this?
 
sander815 said:
Is this a similar Windows exploit?
81.23.206.226 - - [08/Jul/2004:12:29:40 +0200] "GET /default.ida?... HTTP/1.0" 404 - "-" "-"

It surely is the same kind of exploit (buffer overflow).
 