From mboxrd@z Thu Jan 1 00:00:00 1970
From: Joseph Jackson
Subject: [Fwd: Re: Blocking hackers]
Date: Thu, 20 Jun 2002 23:33:20 -0700
Sender: linux-newbie-owner@vger.kernel.org
Message-ID: <3D12C8B0.9020702@lvcm.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
List-Id:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: linux-newbie@vger.kernel.org

Phillp Morgan wrote:
> Hi,
>
> It looks like someone is trying to break into my system. This is out of my
> apache error log...
>
>> 61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>> 61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -

This is the pattern of the CodeRed virus that was going around the net a few
months ago. You are safe from it of course since it is targeted at Windows
machines running unpatched versions of IIS.

>
> Is there any way I can block this nasty person?
>
> Who should I report this to?
>

As to who you should report this to, I did a lookup on the IP address and this
is the data:

Search the APNIC Whois database
Search results for '61.243.140.78'

inetnum      61.240.0.0 - 61.243.255.255
netname      UNICOM
descr        China United Telecommunications Corporation
descr        Beijing Railway Station East Avenue
country      CN
admin-c      RX9-AP, inverse
tech-c       RX9-AP, inverse
mnt-by       MAINT-CNNIC-AP, inverse
mnt-lower    MAINT-CN-CNNIC-UNICOM, inverse
changed      hostmaster@apnic.net 20010817
changed      ipas@cnnic.net.cn 20010828
source       APNIC

Since it seems to come from a user in China I doubt there is anything at all
you could do. Even trying to get ahold of the system admins in China is very,
very hard. I wouldn't worry about it at all; it looks like a random scan of
your domain, from a client that is set up to scan whole ranges of addresses.
No worries.

Joseph Jackson

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
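As an added example (not part of the thread above, and not code from either poster), the following Python script shows how a defender can triage log entries of the kind quoted in the message: it parses Apache common-log lines, percent-decodes the request path repeatedly so that a double-encoded "..%255c../" is seen for the directory traversal it is, flags the IIS-worm markers (cmd.exe, root.exe, winnt/system32), and summarises per source address whether every probe got a 404, which is the "nothing was served, nothing to worry about" case the reply describes. The sample log lines are constructed here, modelled on the ones quoted in the thread, and the function names (`fully_decode`, `classify_path`, `scan_log`, `worth_worrying`) are this example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache common log format, modelled on the entries
# quoted in the thread; the last line is an ordinary request from a
# documentation-range address so the report shows a non-probing client too.
SAMPLE_LOG = """\
61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [21/Jun/2002:14:02:01 +1000] "GET /index.html HTTP/1.0" 200 1234
"""

# Apache common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Substrings that identify the IIS worm/scanner probes quoted in the thread.
PROBE_MARKERS = ("cmd.exe", "root.exe", "/winnt/system32/")

# A ".." followed by either kind of path separator, counted after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def fully_decode(path: str) -> str:
    """Percent-decode until the string stops changing.

    "%255c" decodes to "%5c" on the first pass and to a backslash on the
    second, which is exactly the double-encoding trick the quoted requests
    rely on; a single decode would miss the traversal.
    """
    seen = set()
    while path not in seen:
        seen.add(path)
        path = unquote(path, errors="replace")
    return path


def classify_path(path: str):
    """Return (matched markers, number of '..' traversal hops) for a path."""
    lower = fully_decode(path).lower()
    markers = [m for m in PROBE_MARKERS if m in lower]
    hops = len(TRAVERSAL_RE.findall(lower))
    return markers, hops


def scan_log(text: str) -> dict:
    """Summarise probe activity per source address."""
    report = defaultdict(lambda: {
        "requests": 0, "probes": 0, "non_404_probes": 0, "markers": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        entry = report[m["ip"]]
        entry["requests"] += 1
        markers, hops = classify_path(m["path"])
        if markers or hops:
            entry["probes"] += 1
            entry["markers"].update(markers)
            if m["status"] != "404":
                # The server answered with something other than Not Found:
                # that is the case that deserves a closer look.
                entry["non_404_probes"] += 1
    return dict(report)


def worth_worrying(entry: dict) -> bool:
    """True only if some probe was answered with a status other than 404."""
    return entry["non_404_probes"] > 0


if __name__ == "__main__":
    for ip, entry in scan_log(SAMPLE_LOG).items():
        verdict = "check this" if worth_worrying(entry) else "all 404, ignore"
        print(f"{ip}: {entry['probes']}/{entry['requests']} probes, "
              f"markers={sorted(entry['markers'])}, {verdict}")
```

Run it as a script for the summary, or call `scan_log` on the text of a real access log; the decoding step is the part to keep in mind when writing any signature for these probes, since matching on the literal "cmd.exe" works here but a filter that looks for "../" before decoding will never see the "%255c" form.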