|
-
February 28th, 2002, 08:46 PM
#1
Junior Member
 Hack Attempt ? on IIS ? Log Files ?
Hi people,
i would like to hear some opinions here please ...
Im starting to find more and more the following lines on one of my server log files:
01:11:14 196.31.110.211 GET /scripts/root.exe 404
01:11:15 196.31.110.211 GET /MSADC/root.exe 404
01:11:17 196.31.110.211 GET /c/winnt/system32/cmd.exe 404
01:11:18 196.31.110.211 GET /d/winnt/system32/cmd.exe 404
01:11:20 196.31.110.211 GET /scripts/..%5c../winnt/system32/cmd.exe 404
01:11:21 196.31.110.211 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
01:11:23 196.31.110.211 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
01:11:24 196.31.110.211 GET /msadc/..%5c../..%5c../..%5c/..Á�../..Á�../..Á�../winnt/system32/cmd.exe 404
01:11:25 196.31.110.211 GET /scripts/..Á�../winnt/system32/cmd.exe 404
01:11:27 196.31.110.211 GET /scripts/winnt/system32/cmd.exe 404
01:11:28 196.31.110.211 GET /scripts/../../winnt/system32/cmd.exe 404
01:11:30 196.31.110.211 GET /scripts/..\../winnt/system32/cmd.exe 404
01:11:31 196.31.110.211 GET /scripts/..S5c../winnt/system32/cmd.exe 404
01:11:32 196.31.110.211 GET /scripts/..S5c../winnt/system32/cmd.exe 404
01:11:34 196.31.110.211 GET /scripts/..%5c../winnt/system32/cmd.exe 404
01:11:35 196.31.110.211 GET /scripts/..%2f../winnt/system32/cmd.exe 404
If im not wrong ... which i think is the case this is merely a hack attemp,
NOW - question here .... the resulting code 404 is a denial result on the iis server right ?
a resulting 200 code will be an accepted query , please tell me if im not wrong.
Also, is anybody familiar with the type of hack this people are trying to use on my server ? just by reading the lines i can say they are trying to execute the dos prompt of my server.
Is this an old hack ? how new is it ?
Could it really be a real live threat on my system ? or it basically looks like a "script-kiddie" work ?
I would like to hear your ideas ... suggestions ...
Thanks 
-
February 28th, 2002, 08:49 PM
#2
It's code red or nimda. Have you patched your IIS for those. if so you have nothing to fear.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
February 28th, 2002, 08:53 PM
#3
Junior Member
 Thanks
Well yes i have ...
so i guess im ok ...
=============
-
February 28th, 2002, 08:56 PM
#4
Sounds like it. You might consider trying to notify the people who you believe to be infected but that's your option. Just for your benefit. Or you might want to set up a tarpit to reduce the amount of bandwidth those things use.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
February 28th, 2002, 08:56 PM
#5
Senior Member
They could actually be looking for holes, I'll be the first to say that IIS is a security risk waiting to happen, it seems they find a new hole every day.
Either way, I encourage you to check ot this site
George's security exploits
He shows alot of IIS exploits, it would be good to keep an eye on his site, you'll notice some things you need to patch very quickly
yes, 404 means they got nowhere...and 200 sounds familiar but I can't quite put my name by it yet, I'm a little rusty.
If you have holes, then you do have alot to worry about, IIS seems to have alot of holes that allow someone to execute commands from your system, if they do succeed at running cmd.exe, they have access to just about everything
hope I was of some help
SlackWare my first, Debian my second....building my box into the ultimate weapon
-
February 28th, 2002, 08:59 PM
#6
Senior Member
another thing, careful with Microsoft patchs....as you'll notice in one of his expolits, one exploit he found was actually caused by a M$ patch...and he strongly urged to get rid of it.
SlackWare my first, Debian my second....building my box into the ultimate weapon
-
February 28th, 2002, 09:05 PM
#7
HTTP 200 means they got though 
-
February 28th, 2002, 10:05 PM
#8
Junior Member
Hey man, look at this site: http://www.incidents.org/react/nimda.pdf
Is a good site that tells you everything about that worm.
-
March 4th, 2002, 12:10 AM
#9
I think it is Unicode exploit script used, just patch your system with all pathes and dont worry...
www.xatrix.org
-
March 4th, 2002, 12:29 AM
#10
From looking at these log entries I would say that this is a manual hack attempt Here's why:
01:11:14 196.31.110.211 GET /scripts/root.exe 404
01:11:15 196.31.110.211 GET /MSADC/root.exe 404
01:11:17 196.31.110.211 GET /c/winnt/system32/cmd.exe 404
......
01:11:34 196.31.110.211 GET /scripts/..%5c../winnt/system32/cmd.exe 404
01:11:35 196.31.110.211 GET /scripts/..%2f../winnt/system32/cmd.exe 404
There is a 20 secend period over which these url's are being tried. If a script/worm was doing this, it would be much faster. It would be more like 1 second. It looks as though someone at 196.31.110.211 is physically trying to run these executables on your server from their box.
Now obviously, the person behind this is probably a novice because of the nature of the hack. It looks like you're fairly safe from this person because all the attempts resulted in a HTTP 404 error. This means they were unsuccessful. As long as yoour directory permissions are correct you have nothing to worry about.
I'd consider following up this IP address and having a friendly chat to this person's ISP. They're probably too stupid to do any real damge but you don't want them nosing around your system  .
OpenBSD - The proactively secure operating system.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
