Blocking hackers

All of lore.kernel.org
 help / color / mirror / Atom feed

* Blocking hackers
@ 2002-06-21  3:57 Phillp Morgan
  2002-06-21  6:26 ` Richard Adams
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Phillp Morgan @ 2002-06-21  3:57 UTC (permalink / raw)
  To: linux-newbie

Hi,

It looks like someone is trying to break into my system. This is out of my
apache error log...

>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
r HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
r HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 -

Is there any way I can block this nasty person?

Who should I report this to?

Regards,

Phillip Morgan
Chief Information Offier
Quickpages Business Directories
----------------------------------------------------------------------------
------------
This email is intended for the above named recipient only, and may contain
priveledged information. If you are not the intended recipient please delete
this email immediately and notify Quickpages of the problem.

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Blocking hackers
  2002-06-21  3:57 Blocking hackers Phillp Morgan
@ 2002-06-21  6:26 ` Richard Adams
  2002-06-21 20:50 ` Chuck Gelm
  2002-07-12 14:33 ` Benny Pedersen
  2 siblings, 0 replies; 5+ messages in thread
From: Richard Adams @ 2002-06-21  6:26 UTC (permalink / raw)
  To: Phillp Morgan, linux-newbie

On Friday 21 June 2002 03:57, Phillp Morgan wrote:
> Hi,
>
> It looks like someone is trying to break into my system. This is out of my
> apache error log...
>
> >61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
>
> HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
>
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
>
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
>
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
>
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> r HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET
>
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> r HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET
>
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
> winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
>
> HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
>
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
>
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
>
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
> >61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
>
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 -
>
> Is there any way I can block this nasty person?

Depends on which kernel you use, with a 2.2.x kernel one can use;
/sbin/ipchains -A input -j REJECT -s 61.243.140.78

>
> Who should I report this to?

No idea, all the IP#'s shown with traceroute are unresolveable so who knows 
who he actually is, the last resolvable ip# with traceroute was 
linx01.hkt.net but thats 5 hops before 61.243.140.78.

>
> Regards,
>
> Phillip Morgan
> Chief Information Offier
> Quickpages Business Directories

-- 
Regards Richard
pa3gcu@zeelandnet.nl
http://people.zeelandnet.nl/pa3gcu/

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Blocking hackers
  2002-06-21  3:57 Blocking hackers Phillp Morgan
  2002-06-21  6:26 ` Richard Adams
@ 2002-06-21 20:50 ` Chuck Gelm
  2002-07-12 14:33 ` Benny Pedersen
  2 siblings, 0 replies; 5+ messages in thread
From: Chuck Gelm @ 2002-06-21 20:50 UTC (permalink / raw)
  To: Phillp Morgan, linux-newbie

I get the same thing, Phillp.

It is not a hacker, it is a trojan infected user.
The host owner probably has no idea that his system
is trying to infect your web server with Nimda.

 If you are not running an unpatched version of a
Windows server, you are not vulnerable to this attack.
It consumes very very little bandwidth. ;-)

I use apache. ;-)

 Also watch for 'Code Red'.  Those log file lines
will have a bunch of upper case "N's in them.
ala:
211.218.111.96 - - [08/May/2002:03:15:03 -0400] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
HTTP/1.0" 400 316

Again, if your are not running an unpatched Windows server...
 
HTH, Chuck

Phillp Morgan wrote:
> 
> Hi,
> 
> It looks like someone is trying to break into my system. This is out of my
> apache error log...
> 
> >61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> r HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> r HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
> winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 -
> 
> Is there any way I can block this nasty person?
> 
> Who should I report this to?
> 
> Regards,
> 
> Phillip Morgan
> Chief Information Offier
> Quickpages Business Directories
> ----------------------------------------------------------------------------
> ------------
> This email is intended for the above named recipient only, and may contain
> priveledged information. If you are not the intended recipient please delete
> this email immediately and notify Quickpages of the problem.
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

^ permalink raw reply	[flat|nested] 5+ messages in thread

* RE: Blocking hackers
@ 2002-06-21 23:13 Steven.Barrett
  0 siblings, 0 replies; 5+ messages in thread
From: Steven.Barrett @ 2002-06-21 23:13 UTC (permalink / raw)
  To: linux-newbie

Related to Apache and hacking - ExtremeTech issued an update to an Apache
security problem they reported on June 17th.  Apparently the problem is more
serious than first reported.  On Intel based machines running various
flavors of Unix (including Linux) a hacker may be able to gain root access.
The report also says that the problem is even more serious (if it could be)
on MS systems running Apache.  They recommend patching immediately and gave
the following URLs for further information:

http://extreme.ziffdavis.com/cgi-bin10/flo?y=eQuz0CzBSD0FBU0oGS0Ad
http://extreme.ziffdavis.com/cgi-bin10/flo?y=eQuz0CzBSD0FBU0oGT0Ae
http://extreme.ziffdavis.com/cgi-bin10/flo?y=eQuz0CzBSD0FBU0oGU0Af
http://extreme.ziffdavis.com/cgi-bin10/flo?y=eQuz0CzBSD0FBU0oGV0Ag

You should be able to find the complete article, "Security Alert:  Apache
hole allows root access", at www.extremetech.com.
  
Steve

> -----Original Message-----
> From: Chuck Gelm [mailto:nc8q@gelm.net]
> Sent: Friday, June 21, 2002 3:50 PM
> To: Phillp Morgan; linux-newbie@vger.kernel.org
> Subject: Re: Blocking hackers
> 
> 
> I get the same thing, Phillp.
> 
> It is not a hacker, it is a trojan infected user.
> The host owner probably has no idea that his system
> is trying to infect your web server with Nimda.
> 
>  If you are not running an unpatched version of a
> Windows server, you are not vulnerable to this attack.
> It consumes very very little bandwidth. ;-)
> 
> I use apache. ;-)
> 
>  Also watch for 'Code Red'.  Those log file lines
> will have a bunch of upper case "N's in them.
> ala:
> 211.218.111.96 - - [08/May/2002:03:15:03 -0400] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNN>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780
> 1%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%
> u531b%u53ff%u0078%u0000%u00=a 
> HTTP/1.0" 400 316
> 
> Again, if your are not running an unpatched Windows server...
>  
> HTH, Chuck
> 
> Phillp Morgan wrote:
> > 
> > Hi,
> > 
> > It looks like someone is trying to break into my system. 
> This is out of my
> > apache error log...
> > 
> > >61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET 
> /MSADC/root.exe?/c+dir
> > HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> > r HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET
> > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> > r HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET
> > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
> > winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET 
> /MSADC/root.exe?/c+dir
> > HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > >61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> > 
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 404 -
> > 
> > Is there any way I can block this nasty person?
> > 
> > Who should I report this to?
> > 
> > Regards,
> > 
> > Phillip Morgan
> > Chief Information Offier
> > Quickpages Business Directories
> > 
> --------------------------------------------------------------
> --------------
> > ------------
> > This email is intended for the above named recipient only, 
> and may contain
> > priveledged information. If you are not the intended 
> recipient please delete
> > this email immediately and notify Quickpages of the problem.
> > 
> > -
> > To unsubscribe from this list: send the line "unsubscribe 
> linux-newbie" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.linux-learn.org/faqs
> -
> To unsubscribe from this list: send the line "unsubscribe 
> linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
> 
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Blocking hackers
  2002-06-21  3:57 Blocking hackers Phillp Morgan
  2002-06-21  6:26 ` Richard Adams
  2002-06-21 20:50 ` Chuck Gelm
@ 2002-07-12 14:33 ` Benny Pedersen
  2 siblings, 0 replies; 5+ messages in thread
From: Benny Pedersen @ 2002-07-12 14:33 UTC (permalink / raw)
  To: linux-newbie

Originally to: Phillp Morgan

Hi Phillp Morgan

you wrote about "Blocking hackers":


 PM> It looks like someone is trying to break into my system. This is
 PM> out of my apache error log...

>> 61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET
>> /MSADC/root.exe?/c+dir

this is code red (virus on this computer)

i will make a perl script that scans for root.exe or cmd.exe or simply
just .exe and put this ip in my firewall and last put it on a page so
others can see ip i have the ip blocked, well i can do this but i
just dont since its bad behavior :-)

 PM> Is there any way I can block this nasty person?

block the ip from your firewall

 PM> Who should I report this to?

your isp in the abuse team


 Benny Pedersen  http://fido.juncorg.dk/  icq:36248146


...Today is the day you worried about yesterday.

<-> Gateway Information.
This message originated from a Fidonet System (http://www.fidonet.org)
and was gated at TCOB1 (http://www.tcob1.net)
Please do not respond direct to this message but via the list


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2002-07-12 14:33 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-06-21  3:57 Blocking hackers Phillp Morgan
2002-06-21  6:26 ` Richard Adams
2002-06-21 20:50 ` Chuck Gelm
2002-07-12 14:33 ` Benny Pedersen
  -- strict thread matches above, loose matches on Subject: below --
2002-06-21 23:13 Steven.Barrett

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.