topic Re: Hack attempts ?? in Operating System - Linux

Hack attempts ??

Vernon Brown_2 — Wed, 24 Apr 2002 13:19:53 GMT

Thanks to all your help I finally have my LAN connected to the Internet through my Linux server which is running the Apache server. Within minutes of getting Apache on-line I noticed what looks like hack attempts. Example:
66.189.91.28 - - [23/Apr/2002:23:42:01 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284 "-" "-"

Does anyone know what that is ?

Re: Hack attempts ??

Ron Kinner — Wed, 24 Apr 2002 14:52:21 GMT

Definitely a hack attempt. Probably nimda or one of the code reds.

Ron

http://research.digitalrice.com/knowledge/notes_nimda.html

http://www.faqts.com/knowledge_base/view.phtml/aid/11984/fid/276

Re: Hack attempts ??

Vernon Brown_2 — Wed, 24 Apr 2002 15:43:46 GMT

Thanks Ron; I'll go to the URL's you posted and start researching.

Re: Hack attempts ??

Mark Fenton — Wed, 24 Apr 2002 22:38:13 GMT

Hack city.

There are several attacks out there that attempt to exploit a weakness in unpatched IIS (windoze) servers. Both Nimda and Code Red attempt to get the web server to run the CMD.EXE shell, and if they can get a response back on the attempt, go on to attempt various nefarious things.

While neither of these viruses are threats to the commercial world (unless there's still someone out there running unpatched systems) they are running fairly freely through the illiterati that have constant internet connections and no concept of nor concern for security. I was seeing about 100 attempts per day until I got tired of all the logging and decided to black list every address that attempted the attack. My firewall takes a LONNNG time to start up now :) but my logs stay small.

http://www.securityfocus.com is a pretty good resource for info on current threats.

Best Regards

Mark

Re: Hack attempts ??

George_Dodds — Thu, 25 Apr 2002 13:03:36 GMT

Looks like code red, we had the same entries in our logs a while go, check for outgoing connections from your server as it usually tries to bounce out to windows servers, we had a couple of calls and had to pull the plug on the server till it was sorted.

Cheers

George

Re: Hack attempts ??

Vernon Brown_2 — Thu, 25 Apr 2002 13:56:55 GMT

Thanks for your responses !
My GET requests for cmd.exe are more like 1000 per day now. I grep'ed them into a text file and sent it to abuse@centurytel.net. All of my hits are coming from the CenturyTel DSL network.