Re: Blocking hackers

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Chuck Gelm <nc8q@gelm.net>
To: Phillp Morgan <pmorgan@quickpages.net.au>, linux-newbie@vger.kernel.org
Subject: Re: Blocking hackers
Date: Fri, 21 Jun 2002 16:50:26 -0400	[thread overview]
Message-ID: <3D139192.C63E245C@gelm.net> (raw)
In-Reply-To: 004701c218d7$cf274dd0$0c00a8c0@qpbd103

I get the same thing, Phillp.

It is not a hacker, it is a trojan infected user.
The host owner probably has no idea that his system
is trying to infect your web server with Nimda.

 If you are not running an unpatched version of a
Windows server, you are not vulnerable to this attack.
It consumes very very little bandwidth. ;-)

I use apache. ;-)

 Also watch for 'Code Red'.  Those log file lines
will have a bunch of upper case "N's in them.
ala:
211.218.111.96 - - [08/May/2002:03:15:03 -0400] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
HTTP/1.0" 400 316

Again, if your are not running an unpatched Windows server...
 
HTH, Chuck

Phillp Morgan wrote:
> 
> Hi,
> 
> It looks like someone is trying to break into my system. This is out of my
> apache error log...
> 
> >61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> r HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> r HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
> winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 -
> 
> Is there any way I can block this nasty person?
> 
> Who should I report this to?
> 
> Regards,
> 
> Phillip Morgan
> Chief Information Offier
> Quickpages Business Directories
> ----------------------------------------------------------------------------
> ------------
> This email is intended for the above named recipient only, and may contain
> priveledged information. If you are not the intended recipient please delete
> this email immediately and notify Quickpages of the problem.
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

next prev parent reply	other threads:[~2002-06-21 20:50 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-06-21  3:57 Blocking hackers Phillp Morgan
2002-06-21  6:26 ` Richard Adams
2002-06-21 20:50 ` Chuck Gelm [this message]
2002-07-12 14:33 ` Benny Pedersen
  -- strict thread matches above, loose matches on Subject: below --
2002-06-21 23:13 Steven.Barrett

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3D139192.C63E245C@gelm.net \
    --to=nc8q@gelm.net \
    --cc=linux-newbie@vger.kernel.org \
    --cc=pmorgan@quickpages.net.au \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.