Reading logs
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Reading logs

  1. #1
    Member
    Join Date
    Feb 2002
    Posts
    99

    Unhappy Reading logs

    Ok guys, here it is, I'm new to all this security stuff, but it really interests me.

    Anyways, today I had a webserver setup on my computer running Win XP home on cable. The webserver is a pretty simple program where I just have to put what I want to share, or an .html file in the webroot folder and set my router to forward everything on port 80 to my computer on our home network. When I run the server I always use the logging feature, I dont have scripting enabled, and I have a pretty good idea of whats coming and going via the firewall I use. Today after I ran it for a few hours I found this in the log. I dont know **** about them, but I was wondering if maybe you awesome dudes could help a newbie out.

    66.xxx.154.xxx - - [11/Aug/2002:15:53:02 +0300] "/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir" 403 0

    66.177.154.xxx - - [11/Aug/2002:15:53:03 +0300] "/msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe?/c dir" 403 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:04 +0300] "/scripts/..../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:05 +0300] "/scripts/../../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:06 +0300] "/scripts/..../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:07 +0300] "/scripts/..../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:08 +0300] "/scripts/..5c../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:09 +0300] "/scripts/..5c../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:09 +0300] "/scripts/..%5c../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:10 +0300] "/scripts/..%2f../winnt/system32/cmd.exe?/c dir" 100 0

    I dont know what that means, but it worries me.

  2. #2
    Looks like somebody is trying to open a command prompt and get a directory of contents from a web browser as the line:

    /scripts/<--where your scripts are
    /winnt/system32/<--the default location of where cmd.exe is located
    /cmd.exe?/c dir<--the command the script will execute via known bug or exploit.

    The best thing? Look for known vuleralbilities for the scripts you are running, and patch, patch,patch.

    hope this helps.

  3. #3
    Senior Member cheesegoduk's Avatar
    Join Date
    May 2002
    Posts
    224
    Yeah nothing bad was done, But yeah my answer is the same as the one above, also what web server are you running?

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    Somebody (your 66.xxx.154.xxx) has tried to launch an UNICODE attack on your server to gain access to cmd.exe (the comand line) and have full powers in your computer.
    He has viewed you are under NT and tried this attack because non-patched versions of IIS are vulnerable to this.
    Life is boring. Play NetHack... --more--

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    its the code red worm, and judging by the errors its getting, your not running iis. this worm is only a threat to unpatched (service pack 2) IIS servers. Get used to it. looks like its going to be around for a while.

    if you decide to browse the computers web site that's attacking you, don't! or at least turn off all java funcionality first. this worm adds a script to the main page that copys itself to your computer even if you don't have a web server running.
    Bukhari:V3B48N826 The Prophet said, Isnt the witness of a woman equal to half of that of a man? The women said, Yes. He said, This is because of the deficiency of a womans mind.

  6. #6
    Member
    Join Date
    Nov 2001
    Posts
    64
    "He has viewed you are under NT and tried this attack because non-patched versions of IIS are vulnerable to this."

    kisscool--how would the intruder know he was using NT and IIS???
    *the wise do sooner what the fools do later.
    --Gracian

  7. #7
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    Do what you want with the girl, but leave me alone!

  8. #8
    Member
    Join Date
    Feb 2002
    Posts
    99
    ok guys, I'm running a webserver called <http://www.mywebserver.org>MyWebServer</A>, I dont know how secure it is or anything like that. I'd like it to be as secure as possible, and really I want to get another computer running some variant of *nix, but untill then this will have to do. I dont have any scripts loaded, or enabled for that matter, I'm assuming if i did he should have gained access to my computer. Anything you all could reccomend that is resonably secure if this proggie turns out to be shist? It works great for me, but this incident has worried me, and upon closer inspection of the whole deal the IP is from the same network (se.client2.attbi) as me. I'm looking for direction here, thanks in advance.

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    I agree with KissCool, someone has tried a typical IIS exploit called UNICODE. Microsoft Windows 4.0/5.0 Server are vulnerable to this attack.

    The malicious user is trying to traverse your directory structure and gain access to your command prompt.

    If you are running IIS version 4.0 or 5.0, get the "File Permission Canonicalization" patch from the microsoft website.

    For more info go to, www.unicode.org
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  10. #10
    Member
    Join Date
    Feb 2002
    Posts
    99
    OK, heres something else, it may matter it may not. I just brought the server back online, and I keep getting the same thing, over and over again, from different IP's but on the same network. Would my ISP do this? I think not, but you never know nowdays.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •