
Thread: Reading logs

  1. #1

    Unhappy Reading logs

    OK guys, here it is: I'm new to all this security stuff, but it really interests me.

    Anyways, today I had a webserver set up on my computer running Win XP Home on cable. The webserver is a pretty simple program where I just have to put what I want to share, or an .html file, in the webroot folder and set my router to forward everything on port 80 to my computer on our home network. When I run the server I always use the logging feature, I don't have scripting enabled, and I have a pretty good idea of what's coming and going via the firewall I use. Today after I ran it for a few hours I found this in the log. I don't know **** about them, but I was wondering if maybe you awesome dudes could help a newbie out.

    66.xxx.154.xxx - - [11/Aug/2002:15:53:02 +0300] "/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir" 403 0

    66.177.154.xxx - - [11/Aug/2002:15:53:03 +0300] "/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c dir" 403 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:04 +0300] "/scripts/..Á../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:05 +0300] "/scripts/..À/../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:06 +0300] "/scripts/..À¯../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:07 +0300] "/scripts/..Áœ../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:08 +0300] "/scripts/..5c../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:09 +0300] "/scripts/..5c../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:09 +0300] "/scripts/..%5c../winnt/system32/cmd.exe?/c dir" 100 0

    66.xxx.154.xxx - - [11/Aug/2002:15:53:10 +0300] "/scripts/..%2f../winnt/system32/cmd.exe?/c dir" 100 0

    I don't know what that means, but it worries me.

  2. #2
    Looks like somebody is trying to open a command prompt and get a directory listing from a web browser, as the line shows:

    /scripts/<--where your scripts are
    /winnt/system32/<--the default location of cmd.exe
    /cmd.exe?/c dir<--the command the script will execute via a known bug or exploit.

    The best thing? Look for known vulnerabilities in the scripts you are running, and patch, patch, patch.

    Hope this helps.

  3. #3
    Senior Member cheesegoduk
    Join Date
    May 2002
    Posts
    224
    Yeah, nothing bad was done, but yeah, my answer is the same as the one above. Also, what web server are you running?

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    Somebody (your 66.xxx.154.xxx) has tried to launch a Unicode attack on your server to gain access to cmd.exe (the command line) and have full power over your computer.
    He has viewed you are under NT and tried this attack because non-patched versions of IIS are vulnerable to this.
    Life is boring. Play NetHack... --more--

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    It's the Code Red worm, and judging by the errors it's getting, you're not running IIS. This worm is only a threat to unpatched (Service Pack 2) IIS servers. Get used to it. Looks like it's going to be around for a while.

    If you decide to browse the web site of the computer that's attacking you, don't! Or at least turn off all Java functionality first. This worm adds a script to the main page that copies itself to your computer even if you don't have a web server running.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    "He has viewed you are under NT and tried this attack because non-patched versions of IIS are vulnerable to this."

    kisscool--how would the intruder know he was using NT and IIS???
    *the wise do sooner what the fools do later.
    --Gracian

  7. #7
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551
    Do what you want with the girl, but leave me alone!

  8. #8
    OK guys, I'm running a webserver called MyWebServer (http://www.mywebserver.org). I don't know how secure it is or anything like that. I'd like it to be as secure as possible, and really I want to get another computer running some variant of *nix, but until then this will have to do. I don't have any scripts loaded, or enabled for that matter; I'm assuming if I did he should have gained access to my computer. Anything you all could recommend that is reasonably secure if this proggie turns out to be shist? It works great for me, but this incident has worried me, and upon closer inspection of the whole deal the IP is from the same network (se.client2.attbi) as me. I'm looking for direction here, thanks in advance.

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    I agree with KissCool, someone has tried a typical IIS exploit called UNICODE. Microsoft Windows 4.0/5.0 Server are vulnerable to this attack.

    The malicious user is trying to traverse your directory structure and gain access to your command prompt.

    If you are running IIS version 4.0 or 5.0, get the "File Permission Canonicalization" patch from the microsoft website.

    For more info go to www.unicode.org
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  10. #10
    OK, here's something else; it may matter, it may not. I just brought the server back online, and I keep getting the same thing, over and over again, from different IPs but on the same network. Would my ISP do this? I think not, but you never know nowadays.
