trying to break in to this site (not what it looks like)

  1. #1
    Junior Member
    Join Date
    Oct 2001
    Posts
    8

    trying to break in to this site (not what it looks like)

    Hi all! I hope this is in the right place. I was looking at the logs of people trying to hack this web site, and I don't really understand all of it. Can someone tell me what all this means, if they have the time? Thank you.

    Activity: (HTTP_Shells)
    Source IP: (63.108.181.201) Source Port: (4572)
    Destination IP: (192.172.226.77) Destination Port: (80)
    Date & Time Code: (20020705104124)
    TiMMY

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Looks like someone is trying to gain a shell/root on the said web server. This would give them access to do what they want with the server.

  3. #3
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    Each log entry will give you the following:
    Activity: The type of attack that is being attempted
    Source IP: Fairly self-explanatory
    Source Port: The port the attack is being launched from.
    Destination IP: Target system here at AO
    Destination Port: Port targeted on the target machine
    Date and Time Code: 2002 (year) 07 (month) 05 (day) 10 (hour) 41 (minute) 24 (second)

    According to prodikal and antihaxor, http_shells is just a lame DoS attack:

    http://www.antionline.com/showthread...989#post563447
    /* You are not expected to understand this. */
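
The field layout that post #3 decodes (label, value in parentheses, and a YYYYMMDDhhmmss Date & Time Code) is easy to turn into a small parser, which is useful once you have more than one entry to look at. The script below is an added example and not code from the thread or from the alert page it discusses; the second alert in the sample input is constructed, and the port-range and missing-field checks are this example's own choices.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed input in the layout posted in the thread. The first alert is the
# posted entry; the second is made up so that grouping by source has something
# to show.
SAMPLE_ALERTS = """\
Activity: (HTTP_Shells)
Source IP: (63.108.181.201) Source Port: (4572)
Destination IP: (192.172.226.77) Destination Port: (80)
Date & Time Code: (20020705104124)

Activity: (HTTP_Shells)
Source IP: (63.108.181.201) Source Port: (4580)
Destination IP: (192.172.226.77) Destination Port: (80)
Date & Time Code: (20020705104131)
"""

# "Label: (value)" pairs; a label may contain spaces and "&" (Date & Time Code).
FIELD_RE = re.compile(r"([A-Za-z &]+?):\s*\(([^)]*)\)")

REQUIRED = ("Activity", "Source IP", "Source Port",
            "Destination IP", "Destination Port", "Date & Time Code")


def parse_alert(block):
    """Turn one alert block into a dict with typed fields; raise on malformed input."""
    raw = {m.group(1).strip(): m.group(2).strip() for m in FIELD_RE.finditer(block)}
    missing = [k for k in REQUIRED if k not in raw]
    if missing:
        raise ValueError("alert is missing fields: %s" % ", ".join(missing))
    src_port = int(raw["Source Port"])
    dst_port = int(raw["Destination Port"])
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    # YYYYMMDDhhmmss, exactly as post #3 decodes it. The feed carries no
    # timezone, so the result is a naive datetime in the sensor's local time.
    ts = datetime.strptime(raw["Date & Time Code"], "%Y%m%d%H%M%S")
    return {
        "activity": raw["Activity"],
        "src_ip": raw["Source IP"],
        "src_port": src_port,
        "dst_ip": raw["Destination IP"],
        "dst_port": dst_port,
        "timestamp": ts,
    }


def parse_alerts(text):
    """Split a feed on blank lines and parse every block."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    return [parse_alert(b) for b in blocks]


def summarize(alerts):
    """Count events per (source IP, activity) so a host probing repeatedly stands out."""
    return Counter((a["src_ip"], a["activity"]) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print("%s %s:%d -> %s:%d %s" % (a["timestamp"].isoformat(), a["src_ip"],
                                          a["src_port"], a["dst_ip"], a["dst_port"],
                                          a["activity"]))
    for (ip, activity), n in summarize(parsed).most_common():
        print("%s %s x%d" % (ip, activity, n))
```

Grouping by source IP is the first thing worth doing with a feed like this: one HTTP_Shells event from an address is noise, but the same address producing a string of them within seconds reads like a scanner walking a wordlist.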

  4. #4
    Junior Member
    Join Date
    Oct 2001
    Posts
    8
    thank you for the reply that was really fast. so http_shells is just a DoS attack then?
    TiMMY

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    There was a thread about this a while back: here

    However, one thing I have been meaning to ask about is that it appears to me these haven't changed in a very long time, and if I had to guess at a date, since May 7th, 2002. I would suspect that if I were to try something to make alarms go off, it wouldn't show up there (not saying it wouldn't be seen by JP, though; and I mean strictly from the standpoint of generating a new event in the list, not from the standpoint of doing something malicious).

    And as far as the specific event itself goes, there are so many false positives with that signature that I wouldn't be surprised if those are all irrelevant false positives.

    Nebulus

    Just a quick clarification, because I have seen this twice in a few threads now:

    http_shells is NOT A DOS ATTACK

    It just means that the IDS detected a possible reference to a shell in the URL (for example sh, csh, ksh, bash). Read the information from ISS (I provided it in the thread I referenced) and you will see this.

    Nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    Looks like someone was trying to access shell interpreters that are sometimes located in the cgi-bin directory. These interpreters (such as sh, csh, etc.) can be used to execute commands, causing password files to be emailed, as an example.

    If you can, check the request to see what interpreter the person was trying to access. Then check the cgi-bin directory for that particular interpreter. If it exists, then you may want to move the interpreter to another directory and change your www server config to reflect the new location.

    Hope this helps.
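
Post #5 says the signature fires on a shell name appearing somewhere in the URL, which is why it is so noisy, and post #6 says to look at the actual request and then at the cgi-bin directory. The script below is an added example (not code from the thread, from ISS, or from the AO site) that does both over a few constructed Apache common-log lines: a substring matcher that behaves like the loose signature, a tighter matcher that only fires when a shell name is a complete path component under /cgi-bin/, and a check of a cgi-bin directory for interpreters that are present and executable. The tcsh and zsh entries in the shell list are assumptions; the thread names only sh, csh, ksh and bash.

```python
import os
import re
import shutil
import stat
import tempfile
from urllib.parse import urlsplit

# Interpreter names the thread says the HTTP_Shells signature looks for
# (sh, csh, ksh, bash); tcsh and zsh are assumed additions.
SHELLS = {"sh", "csh", "ksh", "bash", "tcsh", "zsh"}

# Constructed Apache common-log lines. The source address of the flagged
# requests mirrors the alert in the thread; everything else is made up.
SAMPLE_LOG = """\
63.108.181.201 - - [05/Jul/2002:10:41:24 -0400] "GET /cgi-bin/sh HTTP/1.0" 404 -
10.0.0.5 - - [05/Jul/2002:10:42:01 -0400] "GET /shop/index.html HTTP/1.1" 200 1234
63.108.181.201 - - [05/Jul/2002:10:41:25 -0400] "GET /cgi-bin/bash?-c+id HTTP/1.0" 404 -
10.0.0.7 - - [05/Jul/2002:10:43:10 -0400] "GET /cgi-bin/search.pl?q=bash HTTP/1.1" 200 512
63.108.181.201 - - [05/Jul/2002:10:41:26 -0400] "GET /cgi-bin/csh HTTP/1.0" 404 -
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_clf(line):
    """Pull client IP, request target and status out of one common-log line."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "target": target, "status": int(status)}


def naive_http_shells(target):
    """Substring match over the whole request target: this is the behaviour
    that makes a loose string signature noisy ("/shop/" contains "sh")."""
    return any(name in target for name in SHELLS)


def shell_in_cgi_bin(target):
    """Return the interpreter name if a complete path component after /cgi-bin/
    is one of SHELLS (query string ignored), else None."""
    parts = [p for p in urlsplit(target).path.split("/") if p]
    if "cgi-bin" not in parts:
        return None
    for component in parts[parts.index("cgi-bin") + 1:]:
        if component in SHELLS:
            return component
    return None


def scan_log(lines):
    """Classify every parsable line with both detectors."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        shell = shell_in_cgi_bin(rec["target"])
        rec["naive"] = naive_http_shells(rec["target"])
        rec["precise"] = shell is not None
        rec["shell"] = shell
        hits.append(rec)
    return hits


def requested_interpreters(lines):
    """Map each source IP to the set of interpreters it actually asked for."""
    out = {}
    for rec in scan_log(lines):
        if rec["shell"]:
            out.setdefault(rec["ip"], set()).add(rec["shell"])
    return out


def check_cgi_bin(cgi_dir):
    """List interpreters that are present and executable in cgi_dir; this is
    the follow-up post #6 recommends once you know what was requested."""
    found = []
    for name in sorted(SHELLS):
        path = os.path.join(cgi_dir, name)
        if os.path.isfile(path) and os.access(path, os.X_OK):
            found.append(name)
    return found


def demo_cgi_bin_check():
    """Build a throwaway cgi-bin with a stray executable 'sh' next to a normal
    script, run the check, and clean up."""
    d = tempfile.mkdtemp()
    try:
        for name in ("sh", "search.pl"):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(p, os.stat(p).st_mode | stat.S_IXUSR)
        return check_cgi_bin(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in scan_log(lines):
        print("%-15s %-35s naive=%-5s precise=%s"
              % (rec["ip"], rec["target"], rec["naive"], rec["precise"]))
    print("interpreters requested:", requested_interpreters(lines))
    print("present in demo cgi-bin:", demo_cgi_bin_check())
```

On the sample input the substring detector flags all five lines, including /shop/index.html and a search query that merely mentions bash, while the path-component detector flags only the three real /cgi-bin/sh, /cgi-bin/bash and /cgi-bin/csh requests, all from one address. The 404 status on those lines is also worth reading: the server had no such file, which is the usual outcome of a scanner trying a wordlist of cgi-bin names.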


  7. #7
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    You're absolutely right, nebulus200 and swarisd! After a quick search, I came across this:

    http://www.kbeta.com/attacklist/HTTP_Shells.htm

    Who would be silly enough to put shell interpreters in the cgi-bin directory? I could run anything I want on your box from the web! Thanks for catching my goof, guys.

    Here's the link to the whole list of attack descriptions:

    http://www.kbeta.com/attacklist/Real...%20Decodes.htm
    /* You are not expected to understand this. */

  8. #8
    Junior Member
    Join Date
    Oct 2001
    Posts
    8
    thank you for clearing that up for me!
    TiMMY

  9. #9
    Senior Member
    Join Date
    Jul 2002
    Posts
    225
    Probably a Whisker scan. Kiddie stuff, as I doubt anyone in the know would honestly think JP left any gaping holes in the cgi-bin.
    "Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
    -Bad Religion
