Whats going on. Is someone trying to breakin?

MaxIP

Technical User
Jan 5, 2003
5
RU
I've just checked my access_logs and there is a list of strange entries.
I'm running apache on solaris.

- - [15/Apr/2002:15:16:23 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
- - [15/Apr/2002:15:16:23 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
- - [15/Apr/2002:15:16:23 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
- - [15/Apr/2002:15:16:23 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
- - [15/Apr/2002:15:16:23 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
- - [15/Apr/2002:15:16:24 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
- - [15/Apr/2002:15:16:24 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
- - [15/Apr/2002:15:16:24 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
- - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
- - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
- - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
- - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
- - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
- - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
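The entries above are the Nimda-style probe pattern: requests for root.exe or cmd.exe with a ?/c+dir query, reached either directly or through a directory traversal hidden behind double percent-encoding (%255c) or overlong UTF-8 (%c0%af, %c1%1c). As an added example, not code from the thread or from Apache, here is a Python filter that parses such lines, resolves each path to the file it actually asks for, and counts probes per source address and per encoding trick. The client addresses in the embedded sample are constructed placeholders, since the post above stripped them.

```python
"""Flag IIS worm probes (the root.exe / cmd.exe '?/c+dir' pattern) in an Apache
access_log and summarise them per source address and encoding trick.
Added example for this thread, not code from the forum or from Apache."""
import posixpath
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample: entries from the post above, with made-up client addresses
# from the documentation range 192.0.2.0/24 (the post stripped the real ones),
# plus one ordinary request so the filter has something to ignore.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Apr/2002:15:16:23 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
192.0.2.10 - - [15/Apr/2002:15:16:23 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
192.0.2.10 - - [15/Apr/2002:15:16:23 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
192.0.2.10 - - [15/Apr/2002:15:16:24 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
192.0.2.23 - - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
192.0.2.23 - - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
192.0.2.23 - - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
192.0.2.23 - - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
192.0.2.23 - - [15/Apr/2002:15:16:24 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
192.0.2.77 - - [15/Apr/2002:15:20:01 +0100] "GET /index.html HTTP/1.0" 200 1043
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Split one Common Log Format entry into fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['path'], _, entry['query'] = entry.pop('target').partition('?')
    return entry

def lenient_decode(raw):
    """Turn decoded bytes into text the way the vulnerable IIS decoder did: a
    0xC0/0xC1 lead byte plus the byte after it is folded into the ASCII character
    it 'overlong'-encodes, so %c0%af reads as '/' and %c1%1c or %c1%9c as '\\'."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else '?')
            i += 1
    return ''.join(out)

def normalize_path(path, rounds=2):
    """Resolve a probe path to the file it really asks for: undo up to two layers
    of percent-encoding (the %255c trick), fold overlong UTF-8, treat backslashes
    as separators and collapse the '..' segments."""
    raw = path.encode('ascii', 'replace')
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)
    return posixpath.normpath(lenient_decode(raw).replace('\\', '/'))

TARGET_RE = re.compile(r'/(cmd|root)\.exe$', re.IGNORECASE)

def technique(path):
    """Label the encoding trick used in the raw request path."""
    p = path.lower()
    if '%%' in p or '%25' in p:
        return 'double-encoding'
    if re.search(r'%c[01]%', p):
        return 'overlong-utf8'
    return 'traversal' if '..' in p else 'direct'

def classify(entry):
    """Technique label if the entry is a worm-style probe, else None."""
    if TARGET_RE.search(normalize_path(entry['path'])) and entry['query'].startswith('/c+'):
        return technique(entry['path'])
    return None

def scan(log_text):
    """Count probes per client address and per technique."""
    by_ip, techniques = defaultdict(Counter), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        label = classify(entry) if entry else None
        if label:
            by_ip[entry['ip']][label] += 1
            techniques[label] += 1
    return {'probes': sum(techniques.values()),
            'by_ip': {ip: dict(c) for ip, c in by_ip.items()},
            'techniques': dict(techniques)}

if __name__ == '__main__':
    report = scan(SAMPLE_LOG)
    print(f"{report['probes']} probe(s) from {len(report['by_ip'])} address(es)")
    for ip, counts in report['by_ip'].items():
        print(' ', ip, counts)
```

Feeding it a real access_log (`scan(open('access_log').read())`) gives the per-address counts that the later posts in this thread talk about reporting to an ISP; every one of the probe lines above, including the two that Apache answered with 400, resolves to /winnt/system32/cmd.exe or a root.exe under a scripts directory, which is what makes them easy to filter out of the log regardless of the encoding used.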
 
There's someone (or something) trying to enter/hack your site.
I bet it's an automated tool that's dumb enough not to recognize your site is running Solaris :)

BTW, don't you log IPs, or have you just cut them for the post? cu, Sascha
 
Isn't that Code Red? Mike Wills
AS400 Programmer

Please, if you find my post useful, let me know.
 
Yeah, that is one of two things: Code Red scans and/or Nimda scans. Our logs are full of that stuff. It is simply automated scans looking for IIS holes in your Apache... Nothing to worry about unless you have a small pipe.

B
 
Thanks for replying.
I do have the IP address of the fool.

What can I do with the IP address in order to track down the dumbass?
Or maybe give it/him/her/thing a taste of their own medicine.

Any ideas....
 
Well, perhaps he/she isn't aware of what's going on. Besides, if he/she is online via dial-up, the IP is worth nothing.

You could try to figure out the ISP of your "hacker" and inform them about that. cu, Sascha
 
I too have been receiving those entries in my error log. I've traced down 3 out of 50 IP addresses that have been hitting my system and in 2 days have had 1 admin reply to my email saying that it was one of their customers' machines so they could do nothing. I sent back a message telling him he could at least inform the customer that their machine had been infected. Within seconds I had a reply saying he couldn't do that (my opinion is wouldn't, since it's a cable provider).

Basically all you can do is try to trace the person down and inform them (usually you'll only be able to trace to their provider) and alert them of the problem. Then the ball is in their court, so forget about it unless it's causing bandwidth problems (since I'm running apache on linux I couldn't care less. I just set up a script that will delete that from my log files every night to save disk space).
 
I've had over 200 legitimate hacker attacks in 4 months. I have reported all of them to their ISP, and only twice have they been identified, according to the replies. Probably the IP that I read in my firewall log is a relay point. So I block IP ranges or domain names in the firewall and forget about them. Nearly all are from Asia or Europe, nowhere near any legitimate visitor of my sites.
 
Hi mate,

If you mean that they were code red etc, then it is machines that are affected that try to run the commands, not someone actually sitting there trying to hack your server in particular.

It attaches itself to a vulnerable server and then sends out requests trying to find other servers..

It is ok restricting IPs if you can, but a business site could not block a large range of IPs because of a few scans on their servers..

Hope this helps Wullie

 
Right, I'm only hosting my personal pages, my web design company pages, and a condo association located in the U.S. So I can afford to block a lot of the servers in countries that allow this nonsense through. I realize it's a sweep for vulnerability and not an attack on my machine in particular.
 
Maybe we should all send Micro$oft a nice big thank-you card for opening up this annoyance. Why don't we all print out every log line caused by Code Red trying our systems and send the logs to Big Brother... uh... I mean Bill.

It was so nice of Microsoft to release so many security holes. In the future maybe they can find a way to keep IIS related garbage on the buggy windows machines instead of building up our log files as well!

;-)
 
You do realize that these holes (both code red and nimda) have been patched, right? They were patched a long time ago.

The problem here is with system administrators that don't keep their software updated.
 
There is a very simple configuration change that will keep your logs from getting full. You just need to do a RedirectMatch for both cmd.exe and root.exe to go to some junk URL. This will not only keep your logs from filling up, but it will reduce the bandwidth of sending out your 404 page to the Nimda worm.

What I did was in my httpd.conf file I added the following two lines:
Code:
RedirectMatch permanent (.*)/cmd.exe$ http://stoptheviruscold.invalid$1
RedirectMatch permanent (.*)/root.exe$ http://stoptheviruscold.invalid$1

Then do an apachectl restart and your logs should be safe.

Here is a Web Site of a guy who originally identified this "fix", and how he used the .htaccess file to do the same thing.


Good luck Einstein47
(Love is like PI - natural, irrational, endless, and very important.)
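As an added example (my code, not Einstein47's and not Apache's), the following Python script models the order in which Apache handles each probe URI from the first post once the two RedirectMatch directives above are in place (with the status keyword spelled permanent, which is the form Apache accepts). Percent-decoding happens first, so a malformed escape is rejected with 400 and an encoded slash with 404 before mod_alias ever sees the path; the remaining requests match the pattern and get a 301 to the post's placeholder host. The request paths and the two rules come from this thread; the pipeline model is my approximation of Apache's behaviour, not something the page states.

```python
"""Trace what the two RedirectMatch rules from the post do to each probe URI.

Added example for this thread; a small model of Apache's request-handling
order, not Apache code. The host in the Location header is the post's own
placeholder under the reserved .invalid domain."""
import re
from collections import Counter

# The two rules as posted: pattern and redirect target ('$1' is applied below).
REDIRECT_RULES = [
    (re.compile(r'(.*)/cmd.exe$'), 'http://stoptheviruscold.invalid'),
    (re.compile(r'(.*)/root.exe$'), 'http://stoptheviruscold.invalid'),
]

# Constructed sample: the request paths from the first post, query string
# removed (RedirectMatch patterns are matched against the path only).
PROBE_PATHS = [
    '/scripts/root.exe',
    '/MSADC/root.exe',
    '/c/winnt/system32/cmd.exe',
    '/d/winnt/system32/cmd.exe',
    '/scripts/..%255c../winnt/system32/cmd.exe',
    '/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe',
    '/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe',
    '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe',
    '/scripts/..%c1%1c../winnt/system32/cmd.exe',
    '/scripts/..%c0%2f../winnt/system32/cmd.exe',
    '/scripts/..%c0%af../winnt/system32/cmd.exe',
    '/scripts/..%c1%9c../winnt/system32/cmd.exe',
    '/scripts/..%%35%63../winnt/system32/cmd.exe',
    '/scripts/..%%35c../winnt/system32/cmd.exe',
]

HEX_ESCAPE = re.compile(r'%([0-9A-Fa-f]{2})')

def unescape_once(path):
    """Model ap_unescape_url, which runs before any Alias/Redirect directive:
    a '%' not followed by two hex digits makes the request a 400 (the two 400
    entries in the log), and an escape that decodes to '/' or NUL is refused
    with 404 (Apache does not let an encoded slash act as a separator by
    default). Returns (status, decoded_path); decoded_path is None if rejected."""
    out, pos, bad_escape, bad_path = bytearray(), 0, False, False
    while pos < len(path):
        if path[pos] != '%':
            out.append(ord(path[pos]))
            pos += 1
            continue
        m = HEX_ESCAPE.match(path, pos)
        if not m:
            bad_escape = True
            pos += 1
            continue
        byte = int(m.group(1), 16)
        if byte in (0x2F, 0x00):
            bad_path = True
        out.append(byte)
        pos = m.end()
    if bad_escape:          # a bad escape outranks a bad path, as in Apache
        return 400, None
    if bad_path:
        return 404, None
    return 200, out.decode('latin-1')   # one char per byte, no UTF-8 guessing

def decide(path):
    """(status, location) a request for `path` gets once the rules are active.
    The probe paths never exist on this server, so anything not redirected
    stays a 404."""
    status, decoded = unescape_once(path)
    if status != 200:
        return status, None
    for pattern, target in REDIRECT_RULES:
        m = pattern.match(decoded)
        if m:
            return 301, target + m.group(1)   # '$1' backreference expansion
    return 404, None

def status_breakdown(paths):
    """How many probes end up redirected vs. still answered by Apache itself."""
    return dict(Counter(decide(p)[0] for p in paths))

if __name__ == '__main__':
    for p in PROBE_PATHS:
        print(decide(p)[0], p)
    print(status_breakdown(PROBE_PATHS))
```

Running it shows 11 of the 14 probe paths redirected and 3 still answered by Apache itself (the two malformed %%35 variants and the one carrying an encoded slash). One caveat worth knowing: a redirect changes the response, not the logging. Each redirected probe is still written to access_log as a 301 entry, so the saving is in the 404 page bytes rather than in log volume.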
 