
how can i see what my hacker saw?


Tracey

Programmer
Oct 16, 2000
NZ
Hi there

I run an Apache web server on windoze. This means of course that most wormies (i.e. Nimda) don't worry me too much.

However I'm concerned about an HTTP OK response in my logs from an obvious hack. It seems this guy from China has successfully run a dir command on my C drive:

Code:
125.64.82.138 - - [19/Aug/2007:15:43:49 +1200] "GET /cgi-bin/..?..?..?../winnt/system32/cmd.exe?/c+dir" 200 84 "-" "-"

My question is, how do I run this command myself (not being a hacker myself) and see what he/she has gained access to?

I know this is a pretty touchy subject/question but I could trawl Google for days here.....

Cheers in advance

Tracey


Tracey
Remember... True happiness is not getting what you want...

It's wanting what you have got!
 
Do you have an intrusion detection system (this would help in seeing "things" that happen)? In some cases, just because they ran the command (your example looks like the "Code Red v2" we see all the time) doesn't mean they were able to execute the command. An IDS would help in having the full packet capture of the "conversation", and keep you from running commands on your system yourself (and possibly creating more harm than good). An excellent IDS is Snort (free).

You could use something like:


to issue the commands, but you would need telnet open. Not a good idea.


Has what appears to be a good product that you can try...
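One way to answer the original question from the log itself, as an added example that is not part of the thread: the script below parses Apache combined-format lines, splits the request target into path and query string the way a web server does, and weighs the status code against the response size. Two things fall out of that. First, the first "?" in the logged request begins the query string, so the only path Apache resolves is "/cgi-bin/..", which normalises to "/"; the rest of the line never touches the filesystem. Second, an 84-byte body is consistent with the root document being served and not with a "dir" of C:\, which is the same point tfg makes about a logged request not proving the command ran. The 500-byte threshold and the two extra log lines are constructed here for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Constructed sample in Apache "combined" log format. The first line is the
# entry quoted in the thread; the other two are made up here for contrast.
SAMPLE_LOG = """\
125.64.82.138 - - [19/Aug/2007:15:43:49 +1200] "GET /cgi-bin/..?..?..?../winnt/system32/cmd.exe?/c+dir" 200 84 "-" "-"
10.0.0.5 - - [19/Aug/2007:15:44:01 +1200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 294 "-" "-"
10.0.0.7 - - [19/Aug/2007:15:45:12 +1200] "GET /index.html HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target [proto]" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>[^"\s]+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Strings that mark the Nimda / Code Red II family of cmd.exe traversal probes.
PROBE_MARKERS = ("cmd.exe", "root.exe", "/winnt/", "/..", "\\..")

# Assumption: a real "dir" of C:\ returns far more than this many bytes.
SUSPICIOUS_BODY_BYTES = 500


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def decode_target(target):
    """Split the request target the way a web server does: everything from the
    first '?' on is the query string and plays no part in locating a file.
    Percent-decode twice so double-encoded traversal (%255c -> %5c -> '\\')
    becomes visible."""
    parts = urlsplit(target)
    return unquote(unquote(parts.path)), unquote(unquote(parts.query))


def resolved_path(target):
    """The path that remains after the server collapses '..' segments."""
    path, _ = decode_target(target)
    return posixpath.normpath(path)


def is_probe(target):
    """True if the decoded path or query carries a known probe marker."""
    path, query = decode_target(target)
    haystack = (path + "?" + query).lower()
    return any(marker in haystack for marker in PROBE_MARKERS)


def assess(entry):
    """Classify a parsed entry: 'benign', 'probe-rejected' (non-200),
    'probe-small-body' (200, but far too little data to be a directory
    listing) or 'probe-large-body' (200 with a sizeable body: investigate)."""
    if not is_probe(entry["target"]):
        return "benign"
    if entry["status"] != 200:
        return "probe-rejected"
    if entry["bytes"] < SUSPICIOUS_BODY_BYTES:
        return "probe-small-body"
    return "probe-large-body"


def scan(log_text):
    """Return (ip, resolved path, verdict) for every parseable line."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        results.append((entry["ip"], resolved_path(entry["target"]), assess(entry)))
    return results


if __name__ == "__main__":
    for ip, path, verdict in scan(SAMPLE_LOG):
        print(f"{ip:16} {verdict:18} served path: {path}")
```

Running it over the sample prints one line per request; the entry from the thread comes out as a probe that got a 200 with a tiny body for the resolved path "/". A "probe-large-body" verdict is the only one that would justify pulling the box off the network and looking at it properly.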
 
Thanks for that tfg, I've downloaded Snort and I'll give that a shot for a while.

If I just pop those params at the end of my URL, e.g.:


I am redirected to the login of my app. Is this giving me a true indication of what may have happened? It seems they were after a dir listing of c:\ or do I have it totally wrong?

Tracey
 
Well, setting up Snort turned out to be a nightmare that I could do without. Never mind, I will just have to hold my breath...

Tracey
 
You are correct in that they are trying to see what is on the root of your c:. This normally doesn't work, unless you aren't patched. There is still cause for concern, as you now know that you are at least getting hit with traffic. It's not the stuff you see that you need to be worried about, it's the stuff you don't see.

What were some of the issues you had with Snort? Maybe we can give you a hand with any issues.....
 
Well, I got to the point where the error message was:

Error: snort.conf<442> => unable to open the IIS Unicode Map file './unicode.map'. Fatal Error, Quitting...

And I thought to myself, "but I'm running Apache, why do I need an IIS Unicode map file?"

So I spent a bit of time trying to figure out what to do with Apache on Windows. This is not a common config so I don't hold much hope of finding that information.

Tracey
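The snort.conf directive behind that error, shown here as an added example rather than anything posted in the thread. Snort's http_inspect preprocessor normalises the URL encoding of every HTTP request it sees, whatever server sits behind it, and the IIS Unicode map is the table it uses to decode the IIS-style code-page encodings that the cmd.exe probes rely on, so the file is needed on an Apache box too. The stock entry names the map by the relative name unicode.map, which Snort could not open from the directory it was started in; giving it a path it can open fixes the error. The c:\snort\etc location below is an assumption about where Snort was installed.

```conf
# Snort 2.x snort.conf fragment (added example). Assumed install location is
# c:\snort, so the map file shipped with Snort lives in c:\snort\etc.
preprocessor http_inspect: global \
    iis_unicode_map c:\snort\etc\unicode.map 1252
```

The trailing 1252 is the Windows code page the map is built for and is the value the shipped snort.conf already uses; only the path needs to change.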
 
Snort really should be running on its own machine, on a mirrored port from the switch. This will alleviate any processor issues you'll most likely see running Snort on Windows (it could peg the processor with other apps running).

would help in understanding the needs in the snort.conf file.
 
Hmm. Well my hardware / network guy says it would be tough to do that as our switch is not a managed one.

Sounds like a bit of a project in itself really, I might put it on the shelf for now, add it to my network dude's todo list [bugeyed]

Thanks for your time, i may be back in the near future
[cheers]

Tracey
 
Just for the record, you can always use a hub. Since hubs transmit data on all ports, you can plug a small 4-port hub in between your switch and server, then chain off the Snort server from that.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Yeah, that's where my hardware guy and I ended up going. It will have to be put on the "List" now.

cheers

Tracey
 