Stupid Kiddies (check this out) funny

  1. #1
    Senior Member
    Join Date
    Dec 2001
    Posts
    304


    OK, it's not a joke or anything, but merely pointing out how stupid people are.

    Attached is part of a log file from a Red Hat server running Apache. Keep in mind that if you go to www.brytechsolutions.net (nothing even there yet) it clearly states at the bottom, with pictures no less, that it is an Apache server running Red Hat 8. But still this persistent kiddie is determined to use Windows exploits against it. Kind of funny. Still going on right now.

    Also, I know that with Unix you can use the route command to send a particular IP to /dev/null. Can this be done with Linux?

    Anyway, check it out.
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    This looks more like a Code Red signature than a kiddie attack. I get these entries on a daily basis on our Apache servers as well.


    Cheers:
    DjM

  3. #3
    Senior Member
    Join Date
    Dec 2001
    Posts
    304
    Thanks, I never thought of that. So it was basically trying to infect the server, and when it was not able to, it moved on?

    Does anyone know anything about my route question?

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I think all the attacks you see in this log are automated and not the result of some kiddie. AFAIK, they come from Code Red, Nimda and variants of the same.

    All web servers on the 'net see this, in approximately the same quantity as you do. It is perfectly normal.

    Code:
    /index.afx?a=search&term=Computers
    This is a bit funny though: it seems that a spider, ia_archiver, is looking for lots of documents and scripts which don't exist on your server. I don't know why it would do this, unless you have replaced a server where these documents did exist before.

    There are also other requests for things that aren't there that clearly aren't caused by worms. Presumably you've changed your server considerably recently.

    Quote:
    Also, I know that with Unix you can use the route command to send a particular IP to /dev/null. Can this be done with Linux?
    Erm, don't really know what you mean. /dev/null is a special file for sending streams to. Network packets are not streams; you cannot redirect them per se.

    It is true that you could set up a duff route to a particular IP, which would have the effect of causing packets *to* that host to be routed incorrectly and perhaps not reach their destination. One possible option is to route them via loopback (they may loop until their TTL runs out).

    It won't make packets *from* that host get eaten, but without any responses, the host will find communication difficult.

    However, this is completely unnecessary under Linux as you can use the kernel filtering (i.e. firewalling) options to do the same thing much more sensibly. This is well documented.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Although it's true that Code Red variants use similar code ... they don't do this "c+dir".

    It does look like a script kiddie tool.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Member
    Join Date
    Dec 2002
    Posts
    88

    Hmm, is there a great difference between script kiddies and a virus like Code Red? Perhaps the viruses are smarter? Another program that would substitute for a bunch of kiddies was the worm spread by Robert Morris. A bad happening, but I think it was quite a clever piece of code.

  7. #7
    Senior Member
    Join Date
    Dec 2001
    Posts
    321
    For the /dev/null thing, can't you use ipchains to definitely block anything that comes from that IP?
    assembly.... digital dna ?

  8. #8
    Senior Member
    Join Date
    Dec 2002
    Posts
    125
    I hope I don't get flamed for this... can anyone point me to a tutorial, website or book that teaches you how to read logs like this? I would like to understand the joke behind it.

  9. #9
    I just scanned my IIS logs for cmd.exe?/c+dir and got well over 3000 entries where it's used in the last month.

    It's kinda scary... heh
    Missing em ol BBS' days!
    Virtus - Splashgame.org
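The counting that #4 describes (automated Code Red / Nimda probes versus a spider asking for pages that no longer exist), the "how do I read logs like this" question in #8, and the cmd.exe?/c+dir scan in #9 all come down to the same thing: pull the request URI out of each log line, match it against a few well-known probe strings, and tally by source IP and by status. The script below is an added example, not the original poster's log or anyone's tool from this thread. It assumes the log is in Apache's "combined" format (the poster's server is Apache; an IIS W3C log would need a different line parser), the sample lines are constructed with RFC 5737 test addresses and a shortened Code Red payload, and the signature strings are the standard default.ida / root.exe / cmd.exe probe URIs. The `served_probes` check at the end is the one you actually care about on a Linux box: every one of these Windows paths should come back 404.

```python
"""Pick worm-style probes out of an Apache "combined" access log.

Added example for this thread (not the poster's log or anyone's tool).
Assumptions: the log uses Apache's combined format, and the sample
lines below are constructed (RFC 5737 test addresses, shortened payloads).
The signature strings are the well-known Code Red and Nimda probe URIs.
"""
import re
from collections import Counter, defaultdict

# Apache combined log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# (substring of the request URI, family). First match wins, so a Nimda
# request for .../cmd.exe?/c+dir is counted once, not once per substring.
SIGNATURES = [
    ("default.ida", "Code Red (IIS .ida overflow)"),
    ("root.exe",    "Nimda (Code Red II root.exe backdoor)"),
    ("cmd.exe",     "Nimda (cmd.exe traversal, usually ?/c+dir)"),
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(uri):
    """Return the worm family a request URI looks like, or None."""
    u = uri.lower()
    for needle, family in SIGNATURES:
        if needle in u:
            return family
    return None


def summarize(lines):
    """Count probes per source IP and per family.

    Returns (per_ip, per_family, other_404, unparsed):
      per_ip     {ip: Counter(family -> hits)}
      per_family Counter(family -> hits)
      other_404  Counter(user agent -> 404s that matched no signature),
                 e.g. a spider asking for pages that no longer exist
      unparsed   number of lines that were not in combined format
    """
    per_ip = defaultdict(Counter)
    per_family = Counter()
    other_404 = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        family = classify(rec["uri"])
        if family:
            per_ip[rec["ip"]][family] += 1
            per_family[family] += 1
        elif rec["status"] == "404":
            other_404[rec["agent"] or "-"] += 1
    return per_ip, per_family, other_404, unparsed


def served_probes(lines):
    """Probes that did NOT get a 4xx/5xx. On a Linux/Apache box this should
    be empty; anything listed means the box answered a Windows-only path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and classify(rec["uri"]) and int(rec["status"]) < 400:
            hits.append((rec["ip"], rec["uri"], rec["status"]))
    return hits


# Constructed sample: one Code Red/Nimda scan from 192.0.2.10, a spider
# from 198.51.100.7 asking for a page that is gone, and one junk line.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2003:03:12:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 275 "-" "-"
192.0.2.10 - - [10/Jan/2003:03:12:45 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
192.0.2.10 - - [10/Jan/2003:03:12:45 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
192.0.2.10 - - [10/Jan/2003:03:12:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
192.0.2.10 - - [10/Jan/2003:03:12:46 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
198.51.100.7 - - [10/Jan/2003:08:01:02 -0500] "GET /index.afx?a=search&term=Computers HTTP/1.0" 404 289 "-" "ia_archiver"
198.51.100.7 - - [10/Jan/2003:08:01:03 -0500] "GET / HTTP/1.1" 200 1043 "-" "ia_archiver"
this line is not in combined format
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_ip, per_family, other_404, unparsed = summarize(lines)
    for ip, fams in per_ip.items():
        print(ip, dict(fams))
    print("by family:", dict(per_family))
    print("non-worm 404s by agent:", dict(other_404))
    print("unparsed lines:", unparsed)
    print("probes that got a 2xx/3xx:", served_probes(lines))
```

Run it against a real access_log (`summarize(open("/var/log/httpd/access_log"))`) and the per-IP table is what #4 is describing: a handful of addresses each sending the same fixed sequence of default.ida, root.exe and cmd.exe requests within a second or two, all answered 404. The `other_404` bucket separates the spider traffic #4 mentions from the worm noise, and a non-empty `served_probes` result is the only line of output that should ever worry you.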
