stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Tue Nov 18, 2003 5:19 pm Post subject: Worms n Hacks
This is an example of the code I was finding in my log files every couple of hours.
Code:
4.65.237.131 - - [17/Nov/2003:15:08:26 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266 "" ""
4.65.237.131 - - [17/Nov/2003:15:08:26 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 266 "" ""
4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266 "" ""
4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266 "" ""
4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268 "" ""
4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268 "" ""
4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268 "" ""
4.65.237.131 - - [17/Nov/2003:15:08:28 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268 "" ""
4.65.237.131 - - [17/Nov/2003:15:08:28 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266 "" ""
Configuring the Kerio firewall to ban the IP it was coming from worked perfectly... even though I get the alert that they keep trying, it doesn't show on my log files any more. But I am wondering... is this coming from the infected computer of someone who doesn't know they have a worm... or is it somebody intentionally trying to mess with me?
Should I be doing something about it besides making sure my own machine is protected? ...or just not worry about it?
If it were my machine that was infected and causing other people problems I think I would want to know about it...

Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Tue Nov 18, 2003 6:02 pm
Looks like you're being repeatedly scanned by a worm-infected IIS server, particularly if the pattern is occurring regularly. If it was one-off attempts of strange strings then I'd be more inclined to think it was someone trying to hack the server.
From experience, it's hardly worth your time to bother trying to report it - most ISPs will just ignore you and most home users who've managed to get infected won't know how to fix it.
It might be worth mailing their ISP's abuse dept, but that's about it. Once you know the Kerio rule is working, you could turn off the alert box and merrily ignore them :)
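Added example (not from the thread, and not Abyss or Kerio code): a Python script that parses the combined-format access-log lines quoted above and applies the rule of thumb in the reply, that a burst of root.exe / cmd.exe / double-encoded traversal requests from one address is an automated worm scan, while a lone hit is a one-off probe and everything else is ordinary browsing. The log sample reuses the thread's own lines plus one constructed favicon.ico request from 192.0.2.10; the WORM_MARKERS list, the burst threshold and the 60-second window are my assumptions, not settings from any server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the Apache/Abyss "combined" access-log format used in this thread:
# ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed signature list: requests for root.exe / cmd.exe and the double-encoded
# ("..%255c") and overlong-UTF-8 ("..%c1%1c") traversal sequences seen in the thread.
WORM_MARKERS = ("root.exe", "cmd.exe", "..%255c", "..%c1%1c")

# Sample log: the thread's lines, plus one constructed favicon.ico hit from 192.0.2.10.
SAMPLE_LOG = [
    '4.65.237.131 - - [17/Nov/2003:15:08:26 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266 "" ""',
    '4.65.237.131 - - [17/Nov/2003:15:08:26 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 266 "" ""',
    '4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266 "" ""',
    '4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266 "" ""',
    '4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268 "" ""',
    '4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268 "" ""',
    '4.65.237.131 - - [17/Nov/2003:15:08:27 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268 "" ""',
    '4.65.237.131 - - [17/Nov/2003:15:08:28 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268 "" ""',
    '4.65.237.131 - - [17/Nov/2003:15:08:28 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266 "" ""',
    '192.0.2.10 - - [19/Nov/2003:08:00:01 -0800] "GET /favicon.ico HTTP/1.1" 404 266 "" "Mozilla/5.0 (constructed sample)"',
    '68.47.109.245 - - [19/Nov/2003:15:18:58 -0800] "GET / HTTP/1.1" 200 1192 "http://www.aprelium.com/forum/viewtopic.php?t=2766" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"',
    '68.47.109.245 - - [19/Nov/2003:15:19:38 -0800] "GET /cgi-bin HTTP/1.1" 302 98 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"',
    '68.47.109.245 - - [19/Nov/2003:15:19:38 -0800] "GET /cgi-bin/ HTTP/1.1" 403 266 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(rec):
    """Label a parsed request as worm_scan, favicon, or other."""
    path = rec["path"].lower()
    if any(marker in path for marker in WORM_MARKERS):
        return "worm_scan"
    if path == "/favicon.ico":
        return "favicon"
    return "other"


def max_burst(times, window_seconds):
    """Largest number of timestamps that fall inside any window of window_seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(lines, burst=5, window_seconds=60):
    """Per-IP request counts plus a verdict: a burst of worm-signature requests is
    the automated pattern from the thread, a lone hit is an isolated probe, and an
    address with no worm signatures is treated as benign."""
    per_ip = defaultdict(lambda: {"worm_scan": 0, "favicon": 0, "other": 0, "times": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not combined-format entries
        kind = classify(rec)
        entry = per_ip[rec["ip"]]
        entry[kind] += 1
        if kind == "worm_scan":
            entry["times"].append(rec["ts"])
    report = {}
    for ip, e in per_ip.items():
        if max_burst(e["times"], window_seconds) >= burst:
            verdict = "automated worm scan"
        elif e["worm_scan"]:
            verdict = "isolated probe"
        else:
            verdict = "benign"
        report[ip] = {"worm_scan": e["worm_scan"], "favicon": e["favicon"],
                      "other": e["other"], "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
```

Running it prints one line per address; 4.65.237.131 comes out as an automated worm scan (nine signature hits inside two seconds), while the favicon request and the cgi-bin browsing are left as benign. The burst window is what separates a worm from a person typing odd URLs, so tune it against your own logs rather than trusting the default.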

stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Wed Nov 19, 2003 4:59 am
one more... what's this mean? I get a lot of these...
Code:
"GET /favicon.ico HTTP/1.1" 404 266 "

Axis
Joined: 29 Sep 2003 Posts: 336
Posted: Wed Nov 19, 2003 5:16 am
Hi Stitch--
On your last question, this means someone has added you to their "favorites" or "bookmarks". Getting the "404" doesn't mean they didn't add you to their favorites. It means you don't have a "favicon.ico" (a little file like the MS Butterfly) to add to their favorites.
Regards,
Axis

stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Wed Nov 19, 2003 5:48 am
....hmmm then maybe I need to make one! Thanks for the reply!

Axis
Joined: 29 Sep 2003 Posts: 336
Posted: Wed Nov 19, 2003 3:57 pm
Hi again Stitch--
There is actually a "favicon.ico" in the chl folder you can copy over into your web root and use if you want to.
That is what I am doing anyway.
Good luck
Axis

Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Wed Nov 19, 2003 4:15 pm
I was under the impression that Mozilla/Netscape/Firebird etc. all request favicon.ico by default when they first visit the site, even if you weren't being bookmarked?

Axis
Joined: 29 Sep 2003 Posts: 336
Posted: Wed Nov 19, 2003 5:42 pm
Hi Anonymoose--
You might be right. I understand, though, that favicon.ico is short for 'Favorites Icon'.
On one of my sites I have an error handler that records the favicon.ico 404 error and it doesn't *look* like I am getting it from every Mozilla/Netscape/Firebird browser. It looks like only those who are adding my site to their favorites.
???
Regards,
Axis

Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Wed Nov 19, 2003 6:22 pm
Just got home and tested this with what I already had installed - the current versions of Opera and Firebird definitely show favicon.ico in the URL bar if it's available, whether you bookmark or not. I can't say for earlier versions, but I'm assuming it was introduced recently, so older browsers wouldn't make this request.

stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Thu Nov 20, 2003 3:53 am
I found the abyss favicon, thanks... but I went ahead and made my own spiffy li'l icon (16x16), put it in htdocs and then added:
Code:
<link rel="shortcut icon" href="http://www.mysite.com/favicon.ico" type="image/x-icon">
to the <head></head>
...neato!
Last edited by stitch on Thu Nov 20, 2003 6:17 am; edited 1 time in total

stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Thu Nov 20, 2003 5:06 am
sooo, here's one more...
Code:
68.47.109.245 - - [19/Nov/2003:15:18:58 -0800] "GET / HTTP/1.1" 200 1192 "http://www.aprelium.com/forum/viewtopic.php?t=2766" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
68.47.109.245 - - [19/Nov/2003:15:19:38 -0800] "GET /cgi-bin HTTP/1.1" 302 98 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
68.47.109.245 - - [19/Nov/2003:15:19:38 -0800] "GET /cgi-bin/ HTTP/1.1" 403 266 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
now what's this? why would someone ask to see /cgi-bin?
*won't mention any names...

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Fri Nov 21, 2003 2:02 am
stitch,
What's wrong with the second set of requests you received? It was just someone who browsed your web site using URL http://yourip/cgi-bin .
_________________
Support Team
Aprelium - http://www.aprelium.com

stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Fri Nov 21, 2003 3:27 am
what I'm asking is... why does one browse a site asking to see /cgi-bin?

Axis
Joined: 29 Sep 2003 Posts: 336
Posted: Fri Nov 21, 2003 4:59 am
Hi again Stitch--
Well, people do do that, as you are seeing. Many are looking for vulnerabilities in your set-up. If you are leaving the setting "Automatic Directories Indexing" to "yes" then people will be able to see the directory structure and scripts, folders, etc. Sometimes that's a vulnerability.
I have mine set to "yes", but in my cgi-bin I have placed index.html's in the cgi-bin and in the subfolders that don't already have them just to keep prying eyes away from things they don't need to see.
As in, http://sixa.no-ip.info/cgi-bin/
Hope that helps.
Axis
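Added example (my own, not Axis's or Abyss's code): a small Python audit that walks a web root, reports every directory with no index page (the directories a server with automatic indexing switched on would list), and optionally drops a blank index.html into each, which is the workaround described in the reply above. The index filenames in INDEX_NAMES and the demo tree built by build_demo_tree() are assumptions for the example; match the names to whatever your server is configured to serve as a directory index.

```python
import os
import tempfile
from pathlib import Path

# Assumed set of filenames the server serves instead of a directory listing.
# Check your own server's index-file setting; this list is only for the example.
INDEX_NAMES = {"index.html", "index.htm"}

# Constructed placeholder page written into directories that have no index file.
PLACEHOLDER_HTML = "<html><head><title>Nothing here</title></head><body></body></html>\n"


def find_unindexed_dirs(root):
    """Return POSIX-style paths, relative to root, of every directory under root
    that has no index file and so would be listed if automatic indexing is on."""
    root = Path(root)
    missing = []
    for dirpath, _dirnames, filenames in os.walk(root):
        present = {name.lower() for name in filenames}
        if not (present & INDEX_NAMES):
            missing.append(Path(dirpath).relative_to(root).as_posix())
    return sorted(missing)


def seal_dirs(root):
    """Write the placeholder index.html into each unindexed directory; return the list sealed."""
    sealed = find_unindexed_dirs(root)
    for rel in sealed:
        (Path(root) / rel / "index.html").write_text(PLACEHOLDER_HTML)
    return sealed


def build_demo_tree():
    """Constructed demo web root: cgi-bin and its lib folder have index pages,
    cgi-bin/scripts holds a CGI script but no index page."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "cgi-bin" / "scripts").mkdir(parents=True)
    (root / "cgi-bin" / "lib").mkdir()
    (root / "index.html").write_text("<html></html>\n")
    (root / "cgi-bin" / "index.html").write_text("<html></html>\n")
    (root / "cgi-bin" / "lib" / "index.htm").write_text("<html></html>\n")
    (root / "cgi-bin" / "scripts" / "counter.pl").write_text("#!/usr/bin/perl\n")
    return str(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    print("listable before:", find_unindexed_dirs(demo))
    print("sealed:", seal_dirs(demo))
    print("listable after:", find_unindexed_dirs(demo))
```

Note what the placeholder does and does not do: it stops the server from handing out a directory listing, so a visitor no longer gets a menu of your scripts, but every script stays reachable by anyone who already knows its name. Treat it as tidying up what is visible, not as access control; the index-directories setting itself and the server's own permissions are where the real restriction lives.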

stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Fri Nov 21, 2003 5:18 am
okay... well, thanks anyways... and stay outta mah -bin, fella!
Last edited by stitch on Sun Nov 23, 2003 8:44 pm; edited 1 time in total

TRUSTAbyss
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
Posted: Fri Nov 21, 2003 5:38 am
what script stuff?