RE: Blocking hackers - Thanks

RE: Blocking hackers - Thanks

[Phillp Morgan]

Thanks for your advice guyz.


> -----Original Message-----
> From: Joseph Jackson [mailto:skoidat@lvcm.com]
> Sent: Friday, 21 June 2002 4:31 PM
> To: Phillp Morgan
> Subject: Re: Blocking hackers
> 
> 
> Phillp Morgan wrote:
> 
> > Hi,
> > 
> > It looks like someone is trying to break into my system. 
> This is out of my
> > apache error log...
> > 
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET 
> /MSADC/root.exe?/c+dir
> >>
> > HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> >>
> > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> >>
> > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> >>
> > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> >>
> > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> > r HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET
> >>
> > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> > r HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET
> >>
> > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
> > winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET 
> /MSADC/root.exe?/c+dir
> >>
> > HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> >>
> > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> >>
> > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> >>
> > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > 
> >>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> >>
> > 
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 404 -
> 
> 
> This is the pattern of the CodeRed virus that was going 
> around the net a few 
> months ago.  You are safe from it of course since it is 
> targeted at windows 
> machines running unpatched versions of IIS.
> 
> 
> 
> 
> 
> > 
> > Is there any way I can block this nasty person?
> > 
> > Who should I report this to?
> > 
> 
> 
> 
> As to who you should report this to I did a lookup on the ip 
> address and this is the data
> 
> 
> 
> Search the APNIC Whois database
> Search results for '61.243.140.78'
> 
> inetnum              61.240.0.0 - 61.243.255.255
> netname              UNICOM
> descr                China United Telecommunications Corporation
> descr                Beijing Railway Station East Avenue
> country              CN
> admin-c              RX9-AP, inverse
> tech-c               RX9-AP, inverse
> mnt-by               MAINT-CNNIC-AP, inverse
> mnt-lower            MAINT-CN-CNNIC-UNICOM, inverse
> changed              hostmaster@apnic.net 20010817
> changed              ipas@cnnic.net.cn 20010828
> source               APNIC
> 
> 
> Since it seems to come from a user in China I doubt there is 
> anything at all you could do.
> 
> Even tring to get ahold of the system admins in China is very 
> very hard.  I 
> wouldn't worry about it at all it looks like a random scan of 
> your domain and 
> from a client that is set up to scan whole ranges of 
> addresses no worries.
> 
> 
> 
> Joseph Jackson
> 
> 
> 
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

RE: Blocking hackers - Thanks

[Chris Omland]

Ya I get this on my apache server at work a lot to. While this could be
code red it could also be a dumbass idiot...you'd think people would do a
little homework first to find out if the server they are trying to
"hack" is running IIS or apache....*sigh*
-Chris

On Fri, 21 Jun 2002, Phillp Morgan wrote:

> Thanks for your advice guyz.
> 
> 
> > -----Original Message-----
> > From: Joseph Jackson [mailto:skoidat@lvcm.com]
> > Sent: Friday, 21 June 2002 4:31 PM
> > To: Phillp Morgan
> > Subject: Re: Blocking hackers
> > 
> > 
> > Phillp Morgan wrote:
> > 
> > > Hi,
> > > 
> > > It looks like someone is trying to break into my system. 
> > This is out of my
> > > apache error log...
> > > 
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET 
> > /MSADC/root.exe?/c+dir
> > >>
> > > HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> > >>
> > > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> > >>
> > > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> > >>
> > > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> > >>
> > > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> > > r HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET
> > >>
> > > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> > > r HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET
> > >>
> > > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
> > > winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET 
> > /MSADC/root.exe?/c+dir
> > >>
> > > HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
> > >>
> > > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
> > >>
> > > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
> > >>
> > > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> > > 
> > >>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
> > >>
> > > 
> > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> > > HTTP/1.0" 404 -
> > 
> > 
> > This is the pattern of the CodeRed virus that was going 
> > around the net a few 
> > months ago.  You are safe from it of course since it is 
> > targeted at windows 
> > machines running unpatched versions of IIS.
> > 
> > 
> > 
> > 
> > 
> > > 
> > > Is there any way I can block this nasty person?
> > > 
> > > Who should I report this to?
> > > 
> > 
> > 
> > 
> > As to who you should report this to I did a lookup on the ip 
> > address and this is the data
> > 
> > 
> > 
> > Search the APNIC Whois database
> > Search results for '61.243.140.78'
> > 
> > inetnum              61.240.0.0 - 61.243.255.255
> > netname              UNICOM
> > descr                China United Telecommunications Corporation
> > descr                Beijing Railway Station East Avenue
> > country              CN
> > admin-c              RX9-AP, inverse
> > tech-c               RX9-AP, inverse
> > mnt-by               MAINT-CNNIC-AP, inverse
> > mnt-lower            MAINT-CN-CNNIC-UNICOM, inverse
> > changed              hostmaster@apnic.net 20010817
> > changed              ipas@cnnic.net.cn 20010828
> > source               APNIC
> > 
> > 
> > Since it seems to come from a user in China I doubt there is 
> > anything at all you could do.
> > 
> > Even tring to get ahold of the system admins in China is very 
> > very hard.  I 
> > wouldn't worry about it at all it looks like a random scan of 
> > your domain and 
> > from a client that is set up to scan whole ranges of 
> > addresses no worries.
> > 
> > 
> > 
> > Joseph Jackson
> > 
> > 
> > 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
> 

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

Re: Blocking hackers - Thanks

[Joseph Jackson]

Chris Omland wrote:

> Ya I get this on my apache server at work a lot to. While this could be
> code red it could also be a dumbass idiot...you'd think people would do a
> little homework first to find out if the server they are trying to
> "hack" is running IIS or apache....*sigh*
> -Chris
> 


  It is most likely a random scan of an entire range of ip addresses so they are 
just tring to find one out of the thousands that they do scan that is open to 
that hole.  I wouldn't worry about random scans you have to start worrying when 
you see scans from the same host over and over attacking your machines in a 
human like way.







> On Fri, 21 Jun 2002, Phillp Morgan wrote:
> 
> 
>>Thanks for your advice guyz.
>>
>>
>>
>>>-----Original Message-----
>>>From: Joseph Jackson [mailto:skoidat@lvcm.com]
>>>Sent: Friday, 21 June 2002 4:31 PM
>>>To: Phillp Morgan
>>>Subject: Re: Blocking hackers
>>>
>>>
>>>Phillp Morgan wrote:
>>>
>>>
>>>>Hi,
>>>>
>>>>It looks like someone is trying to break into my system. 
>>>>
>>>This is out of my
>>>
>>>>apache error log...
>>>>
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET 
>>>>>
>>>/MSADC/root.exe?/c+dir
>>>
>>>>HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
>>>>>
>>>>>
>>>>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
>>>>>
>>>>>
>>>>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
>>>>>
>>>>>
>>>>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
>>>>>
>>>>>
>>>>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
>>>>r HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET
>>>>>
>>>>>
>>>>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
>>>>r HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET
>>>>>
>>>>>
>>>>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
>>>>winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET 
>>>>>
>>>/MSADC/root.exe?/c+dir
>>>
>>>>HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
>>>>>
>>>>>
>>>>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
>>>>>
>>>>>
>>>>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
>>>>>
>>>>>
>>>>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>>>>
>>>>
>>>>>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
>>>>>
>>>>>
>>>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>>>
>>>>HTTP/1.0" 404 -
>>>>
>>>
>>>This is the pattern of the CodeRed virus that was going 
>>>around the net a few 
>>>months ago.  You are safe from it of course since it is 
>>>targeted at windows 
>>>machines running unpatched versions of IIS.
>>>
>>>
>>>
>>>
>>>
>>>
>>>>Is there any way I can block this nasty person?
>>>>
>>>>Who should I report this to?
>>>>
>>>>
>>>
>>>
>>>As to who you should report this to I did a lookup on the ip 
>>>address and this is the data
>>>
>>>
>>>
>>>Search the APNIC Whois database
>>>Search results for '61.243.140.78'
>>>
>>>inetnum              61.240.0.0 - 61.243.255.255
>>>netname              UNICOM
>>>descr                China United Telecommunications Corporation
>>>descr                Beijing Railway Station East Avenue
>>>country              CN
>>>admin-c              RX9-AP, inverse
>>>tech-c               RX9-AP, inverse
>>>mnt-by               MAINT-CNNIC-AP, inverse
>>>mnt-lower            MAINT-CN-CNNIC-UNICOM, inverse
>>>changed              hostmaster@apnic.net 20010817
>>>changed              ipas@cnnic.net.cn 20010828
>>>source               APNIC
>>>
>>>
>>>Since it seems to come from a user in China I doubt there is 
>>>anything at all you could do.
>>>
>>>Even tring to get ahold of the system admins in China is very 
>>>very hard.  I 
>>>wouldn't worry about it at all it looks like a random scan of 
>>>your domain and 
>>>from a client that is set up to scan whole ranges of 
>>>addresses no worries.
>>>
>>>
>>>
>>>Joseph Jackson
>>>
>>>
>>>
>>>
>>-
>>To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
>>the body of a message to majordomo@vger.kernel.org
>>More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>Please read the FAQ at http://www.linux-learn.org/faqs
>>
>>
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.linux-learn.org/faqs
> 
> 



-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

ssh question

[Chris Omland]

Hi I was wondering if anyone can help me out with an ssh problem. I
basically have numerous computers that I need to log into both as myself
and as root. I know its possible using keys to set things up so that when
I ssh from my main machine to another it uses the keys and I don't need to
enter my password. I'm assuming this will be ok even with NIS/NFS running
on all the machines? I've read a bunch of stuff online and tried using
ssh-keygen and stuff, but can't seem to get the desired results. I guess
if I can just start so I don't need to enter my password that would be
great and then down the road, set up so root can do it?? 
Thanks.
-Chris


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs