-
February 13th, 2003, 01:59 AM
#11
I really can't help with what might have happened, it may well have been RedHat's update that caused the problem, but very hard to say.
If your system has been on the internet unprotected (i.e. no firewall) for any length of time you may have been hacked, especially if you have broadband access and a static IP ...
You may want to check out chkrootkit that can be obtained from http://www.chkrootkit.org ... this small script will, when run, check your system for common rootkits currently installed and used by crackers.
If you are still in doubt, nebulus200's suggestion of pulling the machine off the internet and rebuilding is a sound suggestion, .... fresh install, update, harden then get it back online.
Good luck.
-
February 13th, 2003, 02:13 AM
#12
Member
Hey nebulus200, I am impressed with your knowledge on this matter and was wondering if you could point me in the right direction to learn something such as this. I am eager.
-
February 13th, 2003, 01:56 PM
#13
Senior Member
Originally posted here by Phat_Penguin
I really can't help with what might have happened, it may well have been RedHat's update that caused the problem, but very hard to say.
If your system has been on the internet unprotected (i.e. no firewall) for any length of time you may have been hacked, especially if you have broadband access and a static IP ...
You may want to check out chkrootkit that can be obtained from http://www.chkrootkit.org ... this small script will, when run, check your system for common rootkits currently installed and used by crackers.
If you are still in doubt, nebulus200's suggestion of pulling the machine off the internet and rebuilding is a sound suggestion, .... fresh install, update, harden then get it back online.
Good luck.
I think I will not format first... I can look around at what really happened to my box... anyway I have nothing important in it...
-
February 13th, 2003, 02:33 PM
#14
Penguin: Listen to nebulus!!!!!
Firstly every file that was requested either 404ed, (not there), or 403ed, (access denied).
Secondly, and I have no knowledge worth anything about Linux, but I can tell you that even if you had dirs such as c:\winnt\system32 you wouldn't have anything meaningful in them. The files that were being requested wouldn't run on your box. So even if they were there, they would crash your machine at worst if they were executed.
Thirdly, you said the symptoms began at 0715..... then you show your cron starting at...oh...0715.... funny that...<s>
Lastly.... This is a classic attack on IIS.... since you are running Apache.... you are just fine.
Nebulus: You say that the Apache logs are so much better than IIS, (and I don't want to get in a pissing match about "my OS is better than yours"..... ) but would you care to show me what information you were seeing in the Apache logs Penguin posted that I can't find in my IIS logs...... IIS can log in several different ways and at several levels of detail..... The logs Penguin posted are practically identical to the IIS logs I capture on my sites - right down to the order in which the info is logged.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
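Tiger Shark's triage above boils down to two checks on each log line: was the requested path something that only exists on IIS, and did the server answer 403/404 (probe failed) or 2xx (served, worth a look)? The script below is an added example, not code from the thread; the log lines are constructed and the list of IIS-only path markers is an assumption based on well-known worm-era probes.

```python
import re
from collections import Counter

# Apache "combined"/"common" access-log line (the layout Penguin's excerpt uses).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments typical of IIS-only probes (assumed list, Code Red / Nimda era).
# None of these exist on an Apache host, so such a request can only 403 or 404.
IIS_PROBE_MARKERS = ("cmd.exe", "root.exe", "/scripts/", "/msadc/",
                     "/_vti_bin/", "default.ida", "/winnt/system32")

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Feb/2003:07:15:02 +0000] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
10.0.0.5 - - [13/Feb/2003:07:15:03 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
10.0.0.5 - - [13/Feb/2003:07:15:04 +0000] "GET /msadc/root.exe?/c+dir HTTP/1.0" 403 281
192.0.2.9 - - [13/Feb/2003:07:20:11 +0000] "GET /index.html HTTP/1.1" 200 1043
"""


def classify(line):
    """Return (is_iis_probe, outcome) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").lower()
    probe = any(marker in path for marker in IIS_PROBE_MARKERS)
    status = m.group("status")
    if status.startswith("2"):
        outcome = "served"       # only a served probe needs investigation
    elif status in ("403", "404"):
        outcome = "blocked"      # 403 = access denied, 404 = not there: probe failed
    else:
        outcome = "other"
    return probe, outcome


def triage(log_text):
    """Count IIS-style probes by outcome; a non-zero 'served' count is the red flag."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0]:
            counts[result[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # {'blocked': 3}
```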
-
February 13th, 2003, 03:59 PM
#15
Thanks for the link Phat_Penguin,
that helped me lock down my box too.
That's why I spend so much time here at AO. Cause the people are great and so is the information))
-
February 13th, 2003, 04:17 PM
#16
Tiger Shark:
Hmm...maybe it was how the web servers were setup that I had to investigate or maybe it was the version (I think they were 4.0 not 5.0), not sure. It seemed that every IIS server I had to look at (for investigations) was missing very critical information like the HTTP return code and browser version; however, when I logged in and checked the IIS server I have to maintain (wasn't given a choice unfortunately), the log file in fact did contain pretty much the same information, so not sure what happened to those logs that I have looked at in the past...
Point taken.
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
February 13th, 2003, 04:44 PM
#17
nebulus: np.... I thought you could see something I couldn't....<s> maybe the logging was set up differently on the older boxes but IIS 4 & 5 have had the same basic options for logging - it's just a matter of choosing what you want to see....... And, IMO, you can't log enough stuff..... Well, up until the point where you have used all your storage....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 1st, 2003, 07:12 AM
#18
Very, very nice observation and very good explanation, nebulus200.