Web Site Attack?
Results 1 to 8 of 8

Thread: Web Site Attack?

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Posts
    752

    Web Site Attack?

    I just saw something very interesting in my Apache access log. It was about 50-100 pages of this:


    ‚‚‚‚‚‚ƒƒƒ„„„‚‚‚€€€€€€‚‚‚ƒƒƒ€€€~~~}}}{{{|||}}}}}}|||{{{|||{{{yyyyyyyyyyyyyyyzzz{{{|||}}}|||{{{{{{zzzzzzyyywwwuuuvvvxxxwwwwwwvvvtttssssssqqqmmmlllnnnqqqoooppprrrpppnnnnnnpppmmmllllllnnnppprrrqqqoooooollliiieeedddbbb`````````^^^^^^VVVWWWYYY]]]ZZZWWWYYYZZZ[[[^^^cccdddbbb___^^^```cccaaaeeehhhgggbbbccceee]]]ccccccccc```^^^___GGG%%%











     $$$"""(((BBBeeeyyy†††ŒŒŒ‹‹‹‹‹‹ŽŽŽŽŽŽŒŒŒŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽŽiiiOOO OOORRRWWW!!! JJJ OOORRRWWW!!! JJJ OOORRRWWW!!! JJJ OOORRRWWW!!! JJJ OOORRRWWW!!! JJJ <<<•••†††‰‰‰‹‹‹___$$$ZZZ???***@@@TTT{{{ŠŠŠ†††|||BBBWWWŠŠŠŠŠŠ‚‚‚===


    ***---###%%%


    ......666@@@uuu‹‹‹‡‡‡ˆˆˆ‰‰‰GGG;;;aaaiiiNNN===&&&'''OOO<<<

    I would like to know what this is, and if it is indeed an attack and not just the software going nuts, what the hell were they trying to do? The only thing I can think of is some lamer script kiddie flood attack. I looked at my site, and it appears unharmed. I have no addresses or anything linking this to any person. That's one reason I suspect this may just be the software.
    Share on Google+

  2. #2
    Have you ever seen an encrypted back door ?
    It sort of looks like that, obviously it could be anything from a program screwing up or not booting your computer right. Did you install any new software. What about your other logs ?
    I think if I was a hacker I would rather use your computer for launching other attacks so check the other logs also check the time. I would have modified the time on the server and changed it so it would fit the logs that way it would look like I was never there. Try scanning it with Virus Checkers. Take every precaution. Be Paronoid, it's the safest way to use a computer. lol, Install keyloggers that can only be set off with remote access. You know do the security checks.

    God that sucks though because when you get stuff like that you don't know what the hell it is. I feel for you man.
    Share on Google+

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    412
    Are you sure you're not looking at a gzipped log file?
    Share on Google+

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    If all the ip addresses that sent this all begin with the same group as yours does, your looking at nimda hard at work. i'm using iis here and have miles and miles of logs with all those infected computers serching for the vulnerability on mine. You'd think they woulda' patched it by now.
    Share on Google+

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    752
    Originally posted by petemcevoy
    Are you sure you're not looking at a gzipped log file?
    No, it's not in a gzip archive. I have a record of somebody who came to my site almost immediately after this garbage, but I think it was just a coincidence. I traced it with NeoTrace Pro, and he lives really close to Tripstone, so if I can determine it was him, maybe I can get Tripstone to kick his ass for me.

    Tedob1: I don't use IIS. I use Apache, so I won't necessarily have the same problems as you.

    freeOn: Yes, I already take every precaution possible. If you saw my setup, you would be telling me to back off.
    Share on Google+

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786

    re:stflook

    i read you were using apache and nimda dos't affect apache but it does run the same checks on all servers regardless.
    this is what it looks like in windows notepad:

    01:30:29 63.236.25.132 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
    01:30:29 63.236.25.132 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /msadc/..%5c../..%5c../..%5c/..Α../..Α../..Α../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..Α../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..%5c../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..%5c../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..%5c../winnt/system32/cmd.exe 404
    01:30:29 63.236.25.132 GET /scripts/..%2f../winnt/system32/cmd.exe 404

    I dont know what it looks like in apache(might not be an ascii log could be unicode and not look like this) but it does try anything accepting requests on port 80 even if it is apache. And right now my internet connection is slower than snail snot on a cold day because of it.
    Share on Google+

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    752
    Yep, that's roughly what it looks like in Apache too. I have had an attack like that before too, only it was about 5-10 pages of that. The IP traced back to an AOL account, so I didn't bother to pursue it.
    Share on Google+

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    ok then....nevermind.
    just need to put my 2 cents in.

    Hope yyou catch that unbathed person who has carnal knowledge of the maternal parent.
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •