-
Reading logs
Ok guys, here it is, I'm new to all this security stuff, but it really interests me.
Anyways, today I had a webserver setup on my computer running Win XP home on cable. The webserver is a pretty simple program where I just have to put what I want to share, or an .html file, in the webroot folder and set my router to forward everything on port 80 to my computer on our home network. When I run the server I always use the logging feature, I don't have scripting enabled, and I have a pretty good idea of what's coming and going via the firewall I use. Today after I ran it for a few hours I found this in the log. I don't know **** about them, but I was wondering if maybe you awesome dudes could help a newbie out. :)
66.xxx.154.xxx - - [11/Aug/2002:15:53:02 +0300] "/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir" 403 0
66.177.154.xxx - - [11/Aug/2002:15:53:03 +0300] "/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c dir" 403 0
66.xxx.154.xxx - - [11/Aug/2002:15:53:04 +0300] "/scripts/..Á../winnt/system32/cmd.exe?/c dir" 100 0
66.xxx.154.xxx - - [11/Aug/2002:15:53:05 +0300] "/scripts/..À/../winnt/system32/cmd.exe?/c dir" 100 0
66.xxx.154.xxx - - [11/Aug/2002:15:53:06 +0300] "/scripts/..À¯../winnt/system32/cmd.exe?/c dir" 100 0
66.xxx.154.xxx - - [11/Aug/2002:15:53:07 +0300] "/scripts/..Áœ../winnt/system32/cmd.exe?/c dir" 100 0
66.xxx.154.xxx - - [11/Aug/2002:15:53:08 +0300] "/scripts/..5c../winnt/system32/cmd.exe?/c dir" 100 0
66.xxx.154.xxx - - [11/Aug/2002:15:53:09 +0300] "/scripts/..5c../winnt/system32/cmd.exe?/c dir" 100 0
66.xxx.154.xxx - - [11/Aug/2002:15:53:09 +0300] "/scripts/..%5c../winnt/system32/cmd.exe?/c dir" 100 0
66.xxx.154.xxx - - [11/Aug/2002:15:53:10 +0300] "/scripts/..%2f../winnt/system32/cmd.exe?/c dir" 100 0
I don't know what that means, but it worries me. :confused:
-
Looks like somebody is trying to open a command prompt and get a directory of contents from a web browser as the line:
/scripts/<--where your scripts are
/winnt/system32/<--the default location of where cmd.exe is located
/cmd.exe?/c dir<--the command the script will execute via known bug or exploit.
The best thing? Look for known vulnerabilities for the scripts you are running, and patch, patch, patch.
hope this helps.
-
Yeah, nothing bad was done, but yeah, my answer is the same as the one above. Also, what web server are you running?
-
Somebody (your 66.xxx.154.xxx) has tried to launch a UNICODE attack on your server to gain access to cmd.exe (the command line) and have full powers on your computer.
He has viewed you are under NT and tried this attack because non-patched versions of IIS are vulnerable to this.
-
It's the Code Red worm, and judging by the errors it's getting, you're not running IIS. This worm is only a threat to unpatched (service pack 2) IIS servers. Get used to it. Looks like it's going to be around for a while.
If you decide to browse the web site of the computer that's attacking you, don't! Or at least turn off all Java functionality first. This worm adds a script to the main page that copies itself to your computer even if you don't have a web server running.
-
"He has viewed you are under NT and tried this attack because non-patched versions of IIS are vulnerable to this."
kisscool, how would the intruder know he was using NT and IIS???
-
OK guys, I'm running a webserver called MyWebServer (http://www.mywebserver.org). I don't know how secure it is or anything like that. I'd like it to be as secure as possible, and really I want to get another computer running some variant of *nix, but until then this will have to do. I don't have any scripts loaded, or enabled for that matter; I'm assuming if I did he should have gained access to my computer. Anything you all could recommend that is reasonably secure if this proggie turns out to be shist? It works great for me, but this incident has worried me, and upon closer inspection of the whole deal the IP is from the same network (se.client2.attbi) as me. I'm looking for direction here, thanks in advance.
-
I agree with KissCool, someone has tried a typical IIS exploit called UNICODE. Microsoft Windows 4.0/5.0 Server are vulnerable to this attack.
The malicious user is trying to traverse your directory structure and gain access to your command prompt.
If you are running IIS version 4.0 or 5.0, get the "File Permission Canonicalization" patch from the Microsoft website.
For more info go to www.unicode.org
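To make the breakdown in the replies above concrete (the "/scripts/..%5c../" and "..%c0%af../" segments climbing out of the web root towards cmd.exe), here is an added example, not code from the thread or from MyWebServer, that parses log lines of the shape posted above, percent-decodes the request path, collapses the overlong UTF-8 forms of "/" and "\" to the plain characters they stand for, and flags any request that escapes the web root and ends in cmd.exe. The sample log lines and IP addresses inside it are constructed for the example; the only real sign of trouble would be such a line with a 2xx status, which the "served" field reports.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Constructed sample log (not the thread's own lines): four traversal probes
# in the same shape as the poster's log, then two ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Aug/2002:15:53:02 +0300] "/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c dir" 403 0
203.0.113.5 - - [11/Aug/2002:15:53:04 +0300] "/scripts/..%c0%af../winnt/system32/cmd.exe?/c dir" 404 0
203.0.113.5 - - [11/Aug/2002:15:53:06 +0300] "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c dir" 404 0
203.0.113.5 - - [11/Aug/2002:15:53:10 +0300] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
203.0.113.9 - - [11/Aug/2002:15:55:00 +0300] "GET /index.html HTTP/1.0" 200 1024
203.0.113.9 - - [11/Aug/2002:15:55:01 +0300] "GET /images/logo.gif HTTP/1.0" 200 2048
"""

# Accepts both the bare-path form shown in the thread and the usual
# "METHOD path HTTP/x.y" form; the method and version are optional.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:[A-Z]+ )?(?P<req>[^"]*?)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def decode_path(request: str) -> str:
    """Percent-decode the path (query string dropped), then turn the overlong
    two-byte UTF-8 sequences %c0%af and %c1%9c into the '/' and '\\' they
    encode, and finally fold backslashes to forward slashes."""
    data = unquote_to_bytes(request.split("?", 1)[0])
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # Lead byte 0xC0/0xC1 can only produce a value below 0x80: an
            # overlong encoding of an ASCII character, which is what the
            # Unicode traversal trick relies on.
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "?")
            i += 1
    return "".join(out).replace("\\", "/")


def escapes_webroot(path: str) -> bool:
    """True if the '..' segments ever take the path above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def scan_log(text: str) -> List[Dict[str, object]]:
    """One finding per request that climbs out of the web root towards cmd.exe."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        path = decode_path(entry["req"])
        if escapes_webroot(path) and path.lower().endswith("cmd.exe"):
            findings.append({
                "ip": entry["ip"],
                "time": entry["ts"],
                "decoded": path,
                "status": entry["status"],
                # A 2xx here would mean the server actually handed the request
                # to cmd.exe; 403/404 means the probe bounced off.
                "served": entry["status"].startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["decoded"],
              "SERVED!" if hit["served"] else "blocked")
```

Run it against your own log file by passing its contents to scan_log(); group the hits by source address afterwards and any entry whose status starts with 2 deserves attention, while the rest are the background noise the thread describes.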
-
OK, here's something else, it may matter, it may not. I just brought the server back online, and I keep getting the same thing, over and over again, from different IPs but on the same network. Would my ISP do this? I think not, but you never know nowadays.
-
Could the ISP be infected with this worm? Maybe that's where all the activity could be coming from. Or there are a number of users on a DHCP range using the same method of attack from different IPs?
Just a thought.
-
Read up on the worm, that's what it does. It scans for vulnerable computers within an IP range: 198.6.*.*. Those are all the ******* who don't know enough to patch their IIS servers that you're seeing. There's a whole **** load of them. Although this worm is about 2 years old, it's still in the top 5 for this very reason. If it was a person doing this, imho, they would have telneted in, seen you weren't running IIS and continued on; the worm doesn't check.