* RE: Blocking hackers - Thanks [not found] <3D12C817.60409@lvcm.com> @ 2002-06-21 6:35 ` Phillp Morgan 2002-06-21 18:11 ` Chris Omland 0 siblings, 1 reply; 4+ messages in thread From: Phillp Morgan @ 2002-06-21 6:35 UTC (permalink / raw) To: linux-newbie Thanks for your advice guyz. > -----Original Message----- > From: Joseph Jackson [mailto:skoidat@lvcm.com] > Sent: Friday, 21 June 2002 4:31 PM > To: Phillp Morgan > Subject: Re: Blocking hackers > > > Phillp Morgan wrote: > > > Hi, > > > > It looks like someone is trying to break into my system. > This is out of my > > apache error log... > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET > /MSADC/root.exe?/c+dir > >> > > HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET > >> > > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET > >> > > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET > >> > > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET > >> > > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di > > r HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET > >> > > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di > > r HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET > >> > > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../ > > winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET > /MSADC/root.exe?/c+dir > >> > > HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET > >> > > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET > >> > > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET > >> > > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > >>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET > >> > > > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > > HTTP/1.0" 404 - > > > This is the pattern of the CodeRed virus that was going > around the net a few > months ago. You are safe from it of course since it is > targeted at windows > machines running unpatched versions of IIS. > > > > > > > > > Is there any way I can block this nasty person? > > > > Who should I report this to? > > > > > > As to who you should report this to I did a lookup on the ip > address and this is the data > > > > Search the APNIC Whois database > Search results for '61.243.140.78' > > inetnum 61.240.0.0 - 61.243.255.255 > netname UNICOM > descr China United Telecommunications Corporation > descr Beijing Railway Station East Avenue > country CN > admin-c RX9-AP, inverse > tech-c RX9-AP, inverse > mnt-by MAINT-CNNIC-AP, inverse > mnt-lower MAINT-CN-CNNIC-UNICOM, inverse > changed hostmaster@apnic.net 20010817 > changed ipas@cnnic.net.cn 20010828 > source APNIC > > > Since it seems to come from a user in China I doubt there is > anything at all you could do. > > Even tring to get ahold of the system admins in China is very > very hard. I > wouldn't worry about it at all it looks like a random scan of > your domain and > from a client that is set up to scan whole ranges of > addresses no worries. > > > > Joseph Jackson > > > - To unsubscribe from this list: send the line "unsubscribe linux-newbie" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.linux-learn.org/faqs ^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: Blocking hackers - Thanks 2002-06-21 6:35 ` Blocking hackers - Thanks Phillp Morgan @ 2002-06-21 18:11 ` Chris Omland 2002-06-21 18:21 ` Joseph Jackson 0 siblings, 1 reply; 4+ messages in thread From: Chris Omland @ 2002-06-21 18:11 UTC (permalink / raw) To: Phillp Morgan; +Cc: linux-newbie Ya I get this on my apache server at work a lot to. While this could be code red it could also be a dumbass idiot...you'd think people would do a little homework first to find out if the server they are trying to "hack" is running IIS or apache....*sigh* -Chris On Fri, 21 Jun 2002, Phillp Morgan wrote: > Thanks for your advice guyz. > > > > -----Original Message----- > > From: Joseph Jackson [mailto:skoidat@lvcm.com] > > Sent: Friday, 21 June 2002 4:31 PM > > To: Phillp Morgan > > Subject: Re: Blocking hackers > > > > > > Phillp Morgan wrote: > > > > > Hi, > > > > > > It looks like someone is trying to break into my system. > > This is out of my > > > apache error log... > > > > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET > > /MSADC/root.exe?/c+dir > > >> > > > HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET > > >> > > > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET > > >> > > > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET > > >> > > > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET > > >> > > > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di > > > r HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET > > >> > > > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di > > > r HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET > > >> > > > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../ > > > winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET > > /MSADC/root.exe?/c+dir > > >> > > > HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET > > >> > > > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET > > >> > > > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET > > >> > > > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - > > > > > >>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET > > >> > > > > > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > > > HTTP/1.0" 404 - > > > > > > This is the pattern of the CodeRed virus that was going > > around the net a few > > months ago. You are safe from it of course since it is > > targeted at windows > > machines running unpatched versions of IIS. > > > > > > > > > > > > > > > > Is there any way I can block this nasty person? > > > > > > Who should I report this to? > > > > > > > > > > > As to who you should report this to I did a lookup on the ip > > address and this is the data > > > > > > > > Search the APNIC Whois database > > Search results for '61.243.140.78' > > > > inetnum 61.240.0.0 - 61.243.255.255 > > netname UNICOM > > descr China United Telecommunications Corporation > > descr Beijing Railway Station East Avenue > > country CN > > admin-c RX9-AP, inverse > > tech-c RX9-AP, inverse > > mnt-by MAINT-CNNIC-AP, inverse > > mnt-lower MAINT-CN-CNNIC-UNICOM, inverse > > changed hostmaster@apnic.net 20010817 > > changed ipas@cnnic.net.cn 20010828 > > source APNIC > > > > > > Since it seems to come from a user in China I doubt there is > > anything at all you could do. > > > > Even tring to get ahold of the system admins in China is very > > very hard. I > > wouldn't worry about it at all it looks like a random scan of > > your domain and > > from a client that is set up to scan whole ranges of > > addresses no worries. > > > > > > > > Joseph Jackson > > > > > > > - > To unsubscribe from this list: send the line "unsubscribe linux-newbie" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.linux-learn.org/faqs > - To unsubscribe from this list: send the line "unsubscribe linux-newbie" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.linux-learn.org/faqs ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Blocking hackers - Thanks 2002-06-21 18:11 ` Chris Omland @ 2002-06-21 18:21 ` Joseph Jackson 2002-06-21 18:56 ` ssh question Chris Omland 0 siblings, 1 reply; 4+ messages in thread From: Joseph Jackson @ 2002-06-21 18:21 UTC (permalink / raw) To: Chris Omland; +Cc: Phillp Morgan, linux-newbie Chris Omland wrote: > Ya I get this on my apache server at work a lot to. While this could be > code red it could also be a dumbass idiot...you'd think people would do a > little homework first to find out if the server they are trying to > "hack" is running IIS or apache....*sigh* > -Chris > It is most likely a random scan of an entire range of ip addresses so they are just tring to find one out of the thousands that they do scan that is open to that hole. I wouldn't worry about random scans you have to start worrying when you see scans from the same host over and over attacking your machines in a human like way. > On Fri, 21 Jun 2002, Phillp Morgan wrote: > > >>Thanks for your advice guyz. >> >> >> >>>-----Original Message----- >>>From: Joseph Jackson [mailto:skoidat@lvcm.com] >>>Sent: Friday, 21 June 2002 4:31 PM >>>To: Phillp Morgan >>>Subject: Re: Blocking hackers >>> >>> >>>Phillp Morgan wrote: >>> >>> >>>>Hi, >>>> >>>>It looks like someone is trying to break into my system. >>>> >>>This is out of my >>> >>>>apache error log... >>>> >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET >>>>> >>>/MSADC/root.exe?/c+dir >>> >>>>HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET >>>>> >>>>> >>>>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET >>>>> >>>>> >>>>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET >>>>> >>>>> >>>>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET >>>>> >>>>> >>>>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di >>>>r HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET >>>>> >>>>> >>>>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di >>>>r HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET >>>>> >>>>> >>>>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../ >>>>winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET >>>>> >>>/MSADC/root.exe?/c+dir >>> >>>>HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET >>>>> >>>>> >>>>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET >>>>> >>>>> >>>>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET >>>>> >>>>> >>>>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - >>>> >>>> >>>>>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET >>>>> >>>>> >>>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir >>> >>>>HTTP/1.0" 404 - >>>> >>> >>>This is the pattern of the CodeRed virus that was going >>>around the net a few >>>months ago. You are safe from it of course since it is >>>targeted at windows >>>machines running unpatched versions of IIS. >>> >>> >>> >>> >>> >>> >>>>Is there any way I can block this nasty person? >>>> >>>>Who should I report this to? >>>> >>>> >>> >>> >>>As to who you should report this to I did a lookup on the ip >>>address and this is the data >>> >>> >>> >>>Search the APNIC Whois database >>>Search results for '61.243.140.78' >>> >>>inetnum 61.240.0.0 - 61.243.255.255 >>>netname UNICOM >>>descr China United Telecommunications Corporation >>>descr Beijing Railway Station East Avenue >>>country CN >>>admin-c RX9-AP, inverse >>>tech-c RX9-AP, inverse >>>mnt-by MAINT-CNNIC-AP, inverse >>>mnt-lower MAINT-CN-CNNIC-UNICOM, inverse >>>changed hostmaster@apnic.net 20010817 >>>changed ipas@cnnic.net.cn 20010828 >>>source APNIC >>> >>> >>>Since it seems to come from a user in China I doubt there is >>>anything at all you could do. >>> >>>Even tring to get ahold of the system admins in China is very >>>very hard. I >>>wouldn't worry about it at all it looks like a random scan of >>>your domain and >>>from a client that is set up to scan whole ranges of >>>addresses no worries. >>> >>> >>> >>>Joseph Jackson >>> >>> >>> >>> >>- >>To unsubscribe from this list: send the line "unsubscribe linux-newbie" in >>the body of a message to majordomo@vger.kernel.org >>More majordomo info at http://vger.kernel.org/majordomo-info.html >>Please read the FAQ at http://www.linux-learn.org/faqs >> >> > > - > To unsubscribe from this list: send the line "unsubscribe linux-newbie" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.linux-learn.org/faqs > > - To unsubscribe from this list: send the line "unsubscribe linux-newbie" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.linux-learn.org/faqs ^ permalink raw reply [flat|nested] 4+ messages in thread
* ssh question 2002-06-21 18:21 ` Joseph Jackson @ 2002-06-21 18:56 ` Chris Omland 0 siblings, 0 replies; 4+ messages in thread From: Chris Omland @ 2002-06-21 18:56 UTC (permalink / raw) To: linux-newbie Hi I was wondering if anyone can help me out with an ssh problem. I basically have numerous computers that I need to log into both as myself and as root. I know its possible using keys to set things up so that when I ssh from my main machine to another it uses the keys and I don't need to enter my password. I'm assuming this will be ok even with NIS/NFS running on all the machines? I've read a bunch of stuff online and tried using ssh-keygen and stuff, but can't seem to get the desired results. I guess if I can just start so I don't need to enter my password that would be great and then down the road, set up so root can do it?? Thanks. -Chris - To unsubscribe from this list: send the line "unsubscribe linux-newbie" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.linux-learn.org/faqs ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2002-06-21 18:56 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <3D12C817.60409@lvcm.com>
2002-06-21 6:35 ` Blocking hackers - Thanks Phillp Morgan
2002-06-21 18:11 ` Chris Omland
2002-06-21 18:21 ` Joseph Jackson
2002-06-21 18:56 ` ssh question Chris Omland
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox