hacked


Penguin
February 12th, 2003, 11:59 PM
203.125.121.32 - - [06/Feb/2003:20:01:48 +0800] "GET / HTTP/1.1" 403 2898 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
203.125.121.32 - - [06/Feb/2003:20:01:49 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
203.125.121.32 - - [06/Feb/2003:20:01:50 +0800] "GET /icons/powered_by.gif HTTP/1.1" 200 581 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
220.255.74.215 - - [06/Feb/2003:22:08:48 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:50 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:50 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:50 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:07 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:08 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:09 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:09 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:09 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:10 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:10 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:10 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:10 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:11 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:11 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:11 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:14 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:17 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:26 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:23:14:29 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:13 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:14 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:14 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:18 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:21 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:33 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:33 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:33 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:33 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:34 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.11.114 - - [09/Feb/2003:23:27:34 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.41.23 - - [13/Feb/2003:06:08:55 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.125.41.23 - - [13/Feb/2003:06:09:16 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"

I found this on my Linux box on which I ran httpd... I read some book and this is an indication that my system has been hacked? Is this kind of hacking only effective on IIS? What will this do to my system? What kind of software are they using to do this kind of hacking?

nebulus200
February 13th, 2003, 12:11 AM
Ok, short answer, no you haven't been hacked. What you are seeing is the various incarnations of nimda trying to check your box to see if you are susceptible. Here is why you are not hacked:

1) You are running linux. These vulnerabilities only affect M$ stuff running IIS.
2) Judging from the log files this looks like apache, which is not vulnerable to these attacks.

Lastly, Take a look at the entry after the "GET ...." xxx yyyy "-" "-"

xxx is the HTTP code returned by your webserver for that request
yyyy is the number of bytes of the response

If you go to:

IETF specifications for HTTP (http://www.ietf.org/rfc/rfc2616.txt)

You will see in chapter 10 a definition of what the response codes mean. Every response either returned 400 or 404. A quick glimpse through the specs and you will see

404 == 404 Not Found
400 == 400 Bad Request

Neither of which indicate success...

Now if this was a different attack and you saw HTTP return 200 (ok), then you should start to worry....


That make sense?

/nebulus

EDIT:


203.125.121.32 - - [06/Feb/2003:20:01:48 +0800] "GET / HTTP/1.1" 403 2898 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
203.125.121.32 - - [06/Feb/2003:20:01:49 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
203.125.121.32 - - [06/Feb/2003:20:01:50 +0800] "GET /icons/powered_by.gif HTTP/1.1" 200 581 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"


These lines are interesting for two reasons...

line 1: 403 was returned. This is forbidden.
line 2/3 : 200 was returned. This was successful. (no biggy, just downloaded some gifs)

Line 1: The last dash was replaced by "Mozilla/5.0 ...." . This is the type of browser that was used to access the page, if apache could figure it out. Notice how all those nimda lines end in "-" "-"...that means it couldn't detect a browser version...which means it was probably done either by a worm or someone using something like 'telnet' or 'netcat' to do the connection and then use HTTP commands to get the web page.


EDIT 2:

Man I love apache logs, so much information there (unlike IIS). The last thing of interest from your log files...notice how fast those connections were in your logs. Most of the connections from the ip were done several in the same second, most no more than five seconds apart. This should indicate to you that it was at a minimum automated (it would be difficult for someone to type that fast, if not impossible).



Verdict: Meaningless attacks by nimda infested hosts to which you were not vulnerable.
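Added example, not part of nebulus200's post or the thread: a small Python analysis that applies the three checks above to lines in Apache's combined log format. For every request that looks like one of these IIS probes it records the status code (4xx means the server refused or could not find it; a 2xx is the case to worry about), counts requests that came with no User-Agent, and measures the gap between requests from the same IP to flag automation. The sample lines are constructed from the shapes in the thread; the last line (IP 10.0.0.9, status 200) is invented to show what a probe that actually succeeded would look like.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" format. The first six lines copy the
# shapes seen in the thread; the last one (IP 10.0.0.9, status 200) is invented
# to show what a probe that actually succeeded would look like.
SAMPLE_LOG = """\
203.125.121.32 - - [06/Feb/2003:20:01:48 +0800] "GET / HTTP/1.1" 403 2898 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
203.125.121.32 - - [06/Feb/2003:20:01:49 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
220.255.74.215 - - [06/Feb/2003:22:08:48 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:50 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
10.0.0.9 - - [06/Feb/2003:22:30:00 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512 "-" "-"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request targets that only make sense against IIS: the Nimda / Code Red II
# door-knocking seen in the thread (root.exe backdoor, cmd.exe via traversal).
PROBE_RE = re.compile(r"root\.exe|cmd\.exe|/msadc/|/_vti_bin/|/_mem_bin/", re.I)

MAX_HUMAN_GAP_S = 5  # rule of thumb from the post: bursts this tight are automated


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does
    not parse (unparseable lines are skipped, never trusted)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    target = parts[1] if len(parts) == 3 else m.group("req")
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": target.split("?", 1)[0],
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def analyze(log_text):
    """Per source IP: how many requests looked like IIS probes, which of those
    got a 2xx (the only ones worth worrying about), how many came with no
    User-Agent, and whether the timing points at a worm or script."""
    per_ip = defaultdict(lambda: {"requests": 0, "probes": 0, "probe_hits": [],
                                  "no_ua": 0, "times": []})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        s = per_ip[e["ip"]]
        s["requests"] += 1
        s["times"].append(e["time"])
        if e["ua"] == "-":
            s["no_ua"] += 1
        if PROBE_RE.search(e["path"]):
            s["probes"] += 1
            if 200 <= e["status"] < 300:
                s["probe_hits"].append(e["path"])
    report = {}
    for ip, s in per_ip.items():
        ts = sorted(s["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if s["probe_hits"]:
            verdict = "INVESTIGATE"   # a probe got 2xx: the server served it
        elif s["probes"]:
            verdict = "noise"         # probes only ever got 4xx: knocked, not in
        else:
            verdict = "normal"
        report[ip] = {
            "requests": s["requests"],
            "probes": s["probes"],
            "probe_hits": s["probe_hits"],
            "no_user_agent": s["no_ua"],
            "max_gap_s": max(gaps) if gaps else None,
            "automated": bool(gaps) and max(gaps) <= MAX_HUMAN_GAP_S and s["probes"] > 0,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, r)
```

Run against a real access_log the same way (read the file, pass its text to `analyze`). The verdict rule is exactly the one in the post: a probe answered with 4xx is noise, a probe answered with 2xx is the line to investigate, and a burst with no User-Agent and one or two seconds between requests is a worm or a script, not a person at a keyboard.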

SoggyBottom
February 13th, 2003, 12:16 AM
This is a unicode attack and MS 4.0 and 5.0 IIS Webservers are vulnerable unless they are hardened or had the appropriate patches applied.

If you have an IIS Webserver, they are full of security vulnerabilities and exploits. I suggest that you get a copy of the IIS Lockdown Tool from the M$ webpage.
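Added example, not part of SoggyBottom's post or the thread: Python code that decodes the probe paths from the log the way the unpatched IIS 4/5 path handling did (a lax UTF-8 decoder that accepts overlong forms such as %c0%af, the "Unicode" bug, plus a second decode pass applied when mapping to the file system, the "double decode" bug that turns %255c into a backslash), shows that every variant in the log collapses to `..\` or `../` and climbs out of the web root, and puts beside it the check a non-vulnerable server performs: reject malformed escapes, decode exactly once with a strict decoder, canonicalise, confine to the web root, and never decode again. The web root path and the simplified model of the IIS decoder are assumptions for the demonstration, not taken from the thread.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed web root for the demonstration; not something the thread states. Any
# layout works as long as '..' can climb above it.
WEBROOT = "/inetpub/wwwroot"
HEX = "0123456789abcdefABCDEF"

# The encodings of '\' and '/' that appear in the thread's probe lines.
PROBE_VARIANTS = [
    "/scripts/..%255c../winnt/system32/cmd.exe",     # double-encoded '\'
    "/scripts/..%%35%63../winnt/system32/cmd.exe",   # '%' + encoded "5c"
    "/scripts/..%%35c../winnt/system32/cmd.exe",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe",
    "/scripts/..%252f../winnt/system32/cmd.exe",     # double-encoded '/'
    "/scripts/..%c0%af../winnt/system32/cmd.exe",    # overlong UTF-8 '/'
    "/scripts/..%c0%2f../winnt/system32/cmd.exe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe",    # overlong UTF-8 '\'
    "/scripts/..%c1%1c../winnt/system32/cmd.exe",    # bad continuation byte
]


def percent_decode_lax(s):
    """One %XX pass that, like a permissive server, leaves malformed escapes
    ('%%3', '%zz') in place instead of rejecting the request."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return bytes(out)


def utf8_decode_lax(b):
    """Decode two-byte UTF-8 lead/continuation pairs WITHOUT rejecting overlong
    forms (%c0%af) or invalid continuation bytes (%c1%1c). This is the decoder
    weakness the probes rely on: each variant collapses to '/' or '\\'."""
    out = []
    i = 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b):
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def resolve_like_vulnerable_iis(target, webroot=WEBROOT):
    """Simplified model of unpatched IIS 4/5: decode once, then decode AGAIN
    while mapping to the file system (the double-decode bug), with the lax
    UTF-8 decoder at each step. Returns (resolved_path, escaped_webroot)."""
    once = utf8_decode_lax(percent_decode_lax(target))
    twice = utf8_decode_lax(percent_decode_lax(once))
    resolved = posixpath.normpath(webroot + twice.replace("\\", "/"))
    return resolved, not resolved.startswith(webroot + "/")


MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def harden_check(target, webroot=WEBROOT):
    """What a server that is not vulnerable does: reject malformed escapes,
    decode exactly once with a strict UTF-8 decoder (overlong sequences and bad
    lead bytes raise), canonicalise, confine to the web root, and never decode
    the result a second time."""
    if MALFORMED_ESCAPE.search(target):
        return "400 malformed escape"
    try:
        decoded = unquote(target, encoding="utf-8", errors="strict")
    except UnicodeDecodeError:
        return "400 invalid encoding"
    resolved = posixpath.normpath(webroot + decoded.replace("\\", "/"))
    if not resolved.startswith(webroot + "/"):
        return "403 traversal"
    return "pass"  # on to the file lookup; a literal "..%5c.." directory just 404s


def compare(targets=PROBE_VARIANTS):
    """Side by side: where the vulnerable decoder lands vs. the hardened verdict."""
    return [(t, *resolve_like_vulnerable_iis(t), harden_check(t)) for t in targets]


if __name__ == "__main__":
    for target, resolved, escaped, verdict in compare():
        print(f"{target:<48} -> {resolved:<34} escaped={escaped!s:<5} hardened={verdict}")
```

The side-by-side is the point: under the vulnerable model all nine variants resolve to the same `winnt/system32/cmd.exe` outside the web root, while the hardened check either rejects the request outright (bad escapes, overlong UTF-8) or, for the double-encoded forms, decodes once and is left with a harmless literal directory name that does not exist, which is why the Apache log above shows nothing but 400s and 404s for them.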

Penguin
February 13th, 2003, 12:40 AM
Shit, I really got hacked... just now... about 0715hrs... the symptoms were that I suddenly could not access my access_log... then I went to top my Linux box... I saw a process called some update one... then my system went a bit hangy and my hdd activity was on... after a while the hdd activity stopped... so I went to cat my access_log... everything was gone... security_log was gone, mysql, apache err log and sendmail log were all gone... I nmapped my system and the ports open were as usual... so I suppose someone just came in and deleted my log files... what did the guy do to delete my logs? My root passwd was not changed... how did he get access to my system?

What is the update process for? My system log is also gone...

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by nebulus200
[...]
line 2/3 : 200 was returned. This was successful. (no biggy, just downloaded some gifs) <- I think he is trying to test what web server I am running, man, my logs were all deleted. The powered_by.gif is a gif that shows 'powered by redhat linux' and the apache_pb.gif is a picture of Apache? Shit man, got spied on. What command did he use to issue the HTTP commands in telnet?

So you mean the attacker also runs Linux, based on the Apache log?

Phat_Penguin
February 13th, 2003, 01:05 AM
penguin,

check your cron and make sure that your log files were not being rotated/compressed at this time, if so you may find the log files in the /var/log directory with the .gz extension. This could explain the hdd activity etc ...

nebulus200 is absolutely correct, your linux box is not compromised by this attack, I see it all the time here as well - it just fills the log files with rubbish.

Penguin
February 13th, 2003, 01:09 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Phat_Penguin
[...]

Feb 13 07:15:42 bb-203-125-80-216 anacron[854]: Job `cron.daily' terminated
Feb 13 07:18:20 bb-203-125-80-216 anacron[854]: Job `cron.weekly' started
Feb 13 07:18:21 bb-203-125-80-216 anacron[4511]: Updated timestamp for job `cron.weekly' to 2003-02-13
Feb 13 07:22:08 bb-203-125-80-216 anacron[854]: Job `cron.weekly' terminated
Feb 13 07:22:08 bb-203-125-80-216 anacron[854]: Normal exit (2 jobs run)

This is the only thing left in my cron file...

nebulus200
February 13th, 2003, 01:13 AM
If your access_log is gone, where did you get those entries?

I have no idea whether your box was hacked or not, but one thing I can say for certain:
Based on the logs you showed here, I can say with 100% certainty, that it is 100% impossible that you would have been compromised by those attacks shown in the logs you printed here. You may have another service that is vulnerable (type netstat -an) that someone got in on, maybe you have a badly misconfigured web server that allows write access to your logs, who knows, there are a lot of possibilities (not all of which mean you have been hacked).

As far as you losing files, it could be the result of a hack, maybe your logging daemon crashed, maybe your system lost power while writing to / opening the file and the file was lost...there are more than one reason that those logs could be gone.

If your system is fairly new (which is how I take it), back up your data only to a CDROM (don't access any network services) and build the system from scratch. Be sure to check any other computers that may have had a trust relationship with that computer for unauthorized access and if you aren't running a switched environment change all passwords.

Make sure your patches are up to date, make sure you have turned off all unused services, and search around for some tutorials on hardening linux. You mentioned something about an update...are you running red hat's auto update thing? Maybe it hosed up...not sure.

Good luck,

/nebulus

Penguin
February 13th, 2003, 01:13 AM
found something new...

203.66.22.53 - - [13/Feb/2003:07:40:03 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:04 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-" <- what is this line doing?
203.66.22.53 - - [13/Feb/2003:07:40:04 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:05 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:06 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:06 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:07 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:08 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:08 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:12 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:13 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
203.66.22.53 - - [13/Feb/2003:07:40:13 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"

Latest log... and I nmapped the IP and it gave me this...

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host (203.66.22.53) appears to be up ... good.
Initiating SYN Stealth Scan against (203.66.22.53)
Adding open port 135/tcp
Adding open port 1025/tcp
Adding open port 445/tcp
Adding open port 1033/tcp
Adding open port 3372/tcp
Adding open port 1478/tcp
Adding open port 1026/tcp
Adding open port 139/tcp
Adding open port 3049/tcp
adjust_timeout: packet supposedly had rtt of 9028073 microseconds. Ignoring time.
The SYN Stealth Scan took 298 seconds to scan 1601 ports.
Interesting ports on (203.66.22.53):
(The 1591 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp filtered http
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1033/tcp open netinfo
1478/tcp open ms-sna-base
3049/tcp open cfs
3372/tcp open msdtc

Nmap run completed -- 1 IP address (1 host up) scanned in 299 seconds

What are all these ports open for?

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by nebulus200
If your access_log is gone, where did you get those entries?
I installed the system on 6 Feb 03 and before, with so few entries, I had been looking at the log using the System Log application... when my hdd was having some activity just now... I started to see nothing in the log file


Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by nebulus200
[...] You mentioned something about an update...are you running red hat's auto update thing? Maybe it hosed up...not sure.
I am not sure what redhat auto update is... I just set up Linux on an ADSL ethernet modem... so basically I am directly on the net... no firewall or anything...

No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=i686-pc-linux-gnu%D=2/13%Time=3E4AE295%O=135%C=1)
TSeq(Class=RI%gcd=1%SI=A3709%TS=0)
TSeq(Class=RI%gcd=1%SI=85CFE%IPID=RD%TS=0)
TSeq(Class=RI%gcd=2%SI=3EB2E%TS=0)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

What do you think is the OS running on 203.66.22.53?

Phat_Penguin
February 13th, 2003, 01:39 AM
Refer back to nebulus200 first reply .... that line returned a 404 message (File not found) so basically its knocking on the door but can't come in - nothing to worry about.

I see the hdd activity corresponded with cron job time stamps. That would explain the activity.

If you are new to linux check out Bastille at http://www.bastille-linux.org, it is a hardening/firewall script which has been written for Redhat and others and will help you lock down your machine fairly securely until you get the hang of things. It has a user friendly GUI and has a step by step configuration with explanations as to what it is doing - so the set up is fairly straight forward.

As you are on an adsl connection you really do need to lock the machine down as you will be a prime target for crackers.

Penguin
February 13th, 2003, 01:47 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Phat_Penguin
[...]

But what do you suspect could have happened? Thanks for providing the site... I will try to harden it from now on...

Phat_Penguin
February 13th, 2003, 01:59 AM
I really can't help with what might have happened, it may well have been RedHat's update that caused the problem, but very hard to say.

If your system has been on the internet unprotected (ie no firewall) for any length of time you may have been hacked, especially if you have broadband access and a static IP ...

You may want to check out chkrootkit that can be obtained from http://www.chkrootkit.org ... this small script will, when run, check your system for common rootkits currently installed and used by crackers.

If you are still in doubt, nebulus200's suggestion of pulling the machine off the internet and rebuilding is a sound suggestion, .... fresh install, update, harden then get it back online.

Good luck.

KidAdmin
February 13th, 2003, 02:13 AM
Hey nebulus200, i am impressed with your knowledge on this matter and was wondering if you could point me in the right direction to learn something such as this. I am eager.

Penguin
February 13th, 2003, 01:56 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Phat_Penguin
[...]

I think I will not format first... I can look around at what really happened to my box... anyway I have nothing important in it...

Tiger Shark
February 13th, 2003, 02:33 PM
Penguin: Listen to nebulus!!!!!

Firstly every file that was requested either 404ed, (not there), or 403ed, (access denied).
Secondly, and I have no knowledge worth anything about linux, but I can tell you that even if you had dirs such as c:\winnt\system32 you wouldn't have anything meaningful in them. The files that were being requested wouldn't run on your box. So even if they were there, they would crash your machine at worst if they were executed.
Thirdly, you said the symptoms began at 0715..... then you show your cron starting at...oh...0715.... funny that...<s>
Lastly.... This is a classic attack on IIS.... since you are running Apache.... you are just fine.

Nebulus: You say that the Apache logs are so much better than IIS, (and I don't want to get in a pissing match about "my OS is better than yours"..... ;) ) but would you care to show me what information you were seeing in the Apache logs Penguin posted that I can't find in my IIS logs...... IIS can log in several different ways and at several levels of detail..... The logs Penguin posted are practically identical to the IIS logs I capture on my sites - right down to the order in which the info is logged.

phaza7
February 13th, 2003, 03:59 PM
thx for link Phat_Penguin
that help me also lock down my box.
That's why I spend so much time here at AO. Cause the people are great and so is the information:)))

nebulus200
February 13th, 2003, 04:17 PM
Tiger Shark:
Hmm...maybe it was how the web servers were setup that I had to investigate or maybe it was the version (I think they were 4.0 not 5.0), not sure. It seemed that every IIS server I had to look at (for investigations) was missing very critical information like the HTTP return code and browser version; however, when I logged in and checked the IIS server I have to maintain (wasn't given a choice unfortunately), the log file in fact did contain pretty much the same information, so not sure what happened to those logs that I have looked at in the past...

Point taken.

/nebulus

Tiger Shark
February 13th, 2003, 04:44 PM
nebulus: np.... I thought you could see something I couldn't....<s> maybe the logging was set up differently on the older boxes but IIS 4 & 5 have had the same basic options for logging - it's just a matter of choosing what you want to see....... And, IMO, you can't log enough stuff..... Well, up until the point where you have used all your storage.... ;)

banananuts
March 1st, 2003, 07:12 AM
Very very nice observation and very good explanation. To nebulus200.