Printable View
I have one suggestion for you. Since you are running ZoneAlarm, go to Visualize Software and get a copy of VisualZone. It is a ZoneAlarm log reader. It parses the log entries out in a spreadsheet-type form, with some built-in lookup features (WHOIS and a map feature). It will also do a reverse NetBios lookup on all attackers, if you want!
I use ZA, and I hated trying to read through the logs, until I found VisualZone. I think it will help.
Boy. Great minds think alike. I was just going to ask if anyone knew of a proggy that would format ZALogs. I knew I remembered something about that.
Thanks.
If I may impose myself a little more on you nice folks, I have a question.
Right now, I have the server up with Savant NOT running.
The fireway is getting pounded. The alerts are coming up so fast I can't even work on the box. I know I can turn off the alerts but, mu question is this.
Since the ebay auctions are still being viewed the requests from the pics embeded in the ebay descriptions are what is pounding the firewall.....right?
Thanks again...and again...LOL
Very interesting thread. Kapperdog I would just like to say that you have a really good attitude about this whole thing. I would have probably freaked out if this happened to me. I have learned a lot from this thread. THis is the first time I have actually seen logs of a hack and what they were trying to do. I am new and very much interested in what he was trying to do. I can't make a whole lot of sense of what he was doing besides some of the obvious stuff such as creating himself as a user and disabling netbios and other various things but there is a lot of the code that I don't understand. I was wondering if anyone might give a brief description of what exactly the hacker was doing or trying to do. Thanks
coVert
Ah, just kids havin' fun.
I wouldn't suggest ZA on a LAN, it has crap NetBIOS support....I use Outpost from www.agnitum.com
You can set netBIOS to Work only on a specific IP range or a list of IP's, it sure made my life alot better :)
As for the whole format you drive stuff, forget it, your system hasn't been Broken wide open. They found a small hole which you'v closed, nothing to worry about, looks like you found out before they started uploading data. Oh well, your safe for another day :) Just get a firewall, undo the reg's and delete their data and you should be sorted....I suggest you get spyBot search and destroy while your at it, it's free and should be able to pick up on any rooting kit's or hacking tools still left on your system :)
Hope every thing works out.
- Noia
In for a little comic relief?
As expected, I'm pouring over this box looking for abnormal characteristics and I find a zip file with a name a mile long that sure looks like a hackers file. I mean c'mon, who else would start a file name with "avenge"?
avenge$201.5$20microdefs2_microdefsb.feb_symalllanguages_livetri.zip
Well, being a little paranoid, I am afraid to open the file so, I copy it to a floppy and take it to an old box I used to use to play with virii and stuff.
Had to laugh my ass off when I discovered that avenge could also stand for anti virus english. LMAO
You would think Norton would know better than to scare me like that. LMAO
I have had the server up for a day and, although the firewall is getting hit pretty heavy, I think the skiddies might have left in search of an easier box.
I have restarted Savant to see if there are any attempts directed at that.
Any suggestions for a good proggy to watch my ports.
Right now, I'm just using netstat but, I used to have a proggy in the past called portmon that had a few more features.
Any suggestions on a current monitor?
Anyone recognize this.......
217.88.188.12 - - [20/Feb/2003:13:42:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\" 403 259
217.88.188.12 - - [20/Feb/2003:13:43:00 -0500] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\" 403 259
Kapperdog,
Great thread .. have reallly enjoyed reading and following this one.
I might be wrong but that looks like the classic Code Red, Nimda exploit - see it all the time in my apache logs. Your server is returning a 403 code, this is good :)
Google the first part of the string "GET /scripts/..%c0%af../winnt/system32/cmd.exe?" and you will find hundreds of links to info on this exploit.
Regards,
PP
Phat_Penguin is right, it is Code Red, my snot logs are full of these hits.
You may also see hits something like this:Quote:
length = 94
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 2f../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 m32/cmd.exe?/c+d
030 : 69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48 ir r HTTP/1.0..H
040 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65 ost: www..Connne
050 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A ction: close..
This too, is Code Red.Quote:
length = 72
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F GET /scripts/roo
010 : 74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54 t.exe?/c+dir HTT
020 : 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 P/1.0..Host: www
030 : 0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 ..Connnection: c
040 : 6C 6F 73 65 0D 0A 0D 0A lose....
Your not running IIS, so you should be fine.
Cheers:
Some of you have given some VERY bad advice here. Having the hacked PC as the DMZ host doesn't disconnect the hacked machine from the rest of your network with home routers. All it does is forward all ports to the IP address you've specified as the DMZ host. Because of this, the other PC's on the LAN can be compromised very easily using the DMZ host, once it's been hacked. To do this, all the hacker would have to do is determine the DMZ host's real IP address, and from the hacked host, scan the same subnet for any more PC's that respond. Then ordinary netBIOS exploits can be used if the network is based on windows PC's. I know this because I used to do nasty things like this a couple of years ago. Even if the other PC's are firewalled, chances are the DMZ host will be trusted to maintain connectivity with the other PC's on the LAN. As proof of this, one of KapperDog's posts says after installing ZA on the compromised PC, it's getting lots of traffic from the other machines on the network. This shows the DMZ host is not isolated from the rest of the network.
The proper advice would be to firewall the other PC's, and don't let any traffic from the compromised host into the other computers. Personally, If I was going to learn from this, I'd leave the hacked PC as the DMZ host, and firewall it off by putting firewall software on the other computers, and specifically blocking the DMZ IP address. Then the hacker can do as they please whilst your other PC's are protected. Doing anything else puts the other PC's at risk, if they are discovered. I'd also consider putting firewall software on the compromised machine, but allowing all traffic from all addresses, and having a rule to specifically block outgoing traffic to the router's IP address so the router is unreachable from the hacked PC. This is to prevent any settings being changed, which could make the situation worse.
Just my opinion...