February 13th, 2003, 12:40 AM
#4
Senior Member
**** i really got hacked...just only...about 0715hrs...the symptoms were that i suddenly could not access my access_log...then i went to top my linux...i saw a process called some update one...then my system went a bit hangy and my hdd activity was on...after a while the hdd activity stopped...so i went to cat my access_log...everything was gone...security_log was gone, mysql, apache err log and sendmail log were all gone...i nmap my system and the ports open were as usual...so i suppose someone just came in and del my log files...what did the guy do to del my logs? my root passwd was not changed...how did he get access to my system?
what is the update process for? my system log is also gone...
Originally posted here by nebulus200
Ok, short answer, no you haven't been hacked. What you are seeing is the various incarnations of nimda trying to check your box to see if you are susceptible. Here is why you are not hacked:
1) You are running linux. These vulnerabilities only affect M$ stuff running IIS.
2) Judging from the log files this looks like apache, which is not vulnerable to these attacks.
Lastly, Take a look at the entry after the "GET ...." xxx yyyy "-" "-"
xxx is the HTTP code returned by your webserver for that request
yyy is the number of bytes of the response
If you go to:
IETF specifications for HTTP
You will see in chapter 10 a definition of what the response codes mean. Every response either returned 400 or 404. A quick glimpse through the specs and you will see
404 == 404 Not Found
400 == 400 Bad Request
Neither of which indicate success...
Now if this was a different attack and you saw HTTP return 200 (ok), then you should start to worry....
Does that make sense?
/nebulus
EDIT:
These lines are interesting for two reasons...
line 1: 403 was returned. This is forbidden.
line 2/3 : 200 was returned. This was successful. (no biggy, just downloaded some gifs) <- i think he is trying to test what web server i am running man, my log was all deleted. the powered_by.gif is a gif that shows 'powered by redhat linux' and the apache_pb.gif is a picture of apache?**** man got spied. what command did he use to issue the HTTP command in the telnet?
Line 1: The last dash was replaced by "Mozilla/5.0 ...." . This is the type of browser that was used to access the page, if apache could figure it out. Notice how all those nimda lines end in "-" "-"...that means it couldn't detect a browser version...which means it was probably done either by a worm or someone using something like 'telnet' or 'netcat' to do the connection and then use HTTP commands to get the web page.
EDIT 2:
Man I love apache logs, so much information there (unlike IIS). The last thing of interest from your log files...notice how fast those connections were in your logs. Most of the connections from the ip were done several in the same second, most no more than five seconds apart. This should indicate to you that it was at a minimum automated (it would be difficult for someone to type that fast, if not impossible).
Verdict: Meaningless attacks by nimda infested hosts to which you were not vulnerable. T
so you mean the attacker also runs on Linux based on the apache log?
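As an added example, not part of the thread: a small Python script that applies the three checks nebulus200 walks through (status code, the "-" user-agent field, and request spacing per client IP) to Apache combined-format log lines. The sample lines, IPs and request paths are constructed for the demo; the five-second burst window is the threshold nebulus200 mentions, chosen here as an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, hypothetical paths), not from the thread.
SAMPLE_LINES = [
    '198.51.100.7 - - [13/Feb/2003:07:15:01 +0000] "GET /probe/one HTTP/1.0" 404 276 "-" "-"',
    '198.51.100.7 - - [13/Feb/2003:07:15:01 +0000] "GET /probe/two HTTP/1.0" 400 311 "-" "-"',
    '198.51.100.7 - - [13/Feb/2003:07:15:04 +0000] "GET /probe/three HTTP/1.0" 404 276 "-" "-"',
    '203.0.113.9 - - [13/Feb/2003:07:20:10 +0000] "GET /private/ HTTP/1.1" 403 294 "-" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.9 - - [13/Feb/2003:07:20:40 +0000] "GET /powered_by.gif HTTP/1.1" 200 1154 "-" "Mozilla/5.0 (X11; Linux)"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def analyse(lines, burst_window=5.0):
    """Per client IP: count 2xx responses (requests that actually succeeded), "-" user-agents
    (no browser identified itself) and flag runs never more than burst_window seconds apart."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[ip] = {
            "requests": len(recs),
            "successes": sum(1 for r in recs if 200 <= r["status"] < 300),
            "no_agent": sum(1 for r in recs if r["agent"] == "-"),
            "max_gap": max(gaps) if gaps else None,
            "automated": bool(gaps) and max(gaps) <= burst_window,
        }
    return report
```

Running `analyse(SAMPLE_LINES)` flags the first IP as automated (three requests within four seconds, no user-agent, nothing but 400/404), while the second IP looks like a browser that got one 403 and one 200 thirty seconds apart.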