BetaONE will rise again!


  #1  
Old 28th Jul 02, 12:09 AM
Cyberion
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186

What is this person trying to do? Is this a security hole that should be plugged up? Funny thing is... Those folders don't even exist on the server. Does anyone know what is happening here?

Thanks,
Cyberion
  #2  
Old 28th Jul 02, 04:46 AM
Crowdirt
Hi Folks, this is the kind of thing that "CodeRed" and "Nimda" did on a Windows 2K IIS Server. It's an attempt to break into the machine and run the Virus code to spread/infect other machines on the 'Net.
  #3  
Old 28th Jul 02, 04:58 AM
Shiromagius
Any idea where you got that little snippet from Cyberion so we know where to stay away from?



  #4  
Old 28th Jul 02, 05:35 AM
Bads
Hum.......

This is not really good

Where did you catch this one?
  #5  
Old 28th Jul 02, 06:28 AM
Crowdirt
Hi Folks, actually, these things go looking for your computer. All that is required is for your computer to be connected to the 'Net and the "Code" will try to break into your machine. In this case if you are not running IIS, there is nothing to worry about. Also if you are completely up to date on your "M$ Security Patches" you will be ok as well.
  #6  
Old 28th Jul 02, 08:53 AM
cappaberra
 
and if you're really wise and determined to use a web server, then use apache so you don't have to worry bout it. it's much more configurable anyway... I've gotten lots of CodeRed attempts on my web server, but always denied...

-CaP
  #7  
Old 28th Jul 02, 09:47 AM
Cyberion
There is more too.... And it's from two sources... Both on my cable network. Grrrrrr.

The stupid thing is... They leave their IP address too. Is there a way that I can bounce their IP address on the server?

Should I post them? Let me know if you think it is a good idea. Maybe others should watch out for these. I'm not sure..

But the attacks are spreading.. Different IPs even on the same network node or mask. I'm sorry if I'm confusing people.. Just a little worried..

Thank you so much,
Cyberion
  #8  
Old 28th Jul 02, 03:46 PM
CARTMAN
This is the good old exploitation of the Unicode vulnerability affecting Microsoft IIS servers. Do yourself a goodness and install Apache Web Server www.apache.org
Reply With Quote
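
As an added example (not part of any post in this thread), a small log check for the request quoted in post #1: it percent-decodes the request target repeatedly, showing that `..%252f` only becomes `../` on the second pass, and uses the status code to separate a failed probe from a hit worth investigating. The function names, flag names, the decoding cap and the two benign log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Quoted request and status, in the shape of the log fragment in post #1.
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b')
TRAVERSAL = re.compile(r"\.\.[/\\]")
MAX_PASSES = 5  # assumed cap on decoding passes

def decode_passes(target):
    """Percent-decode until the text stops changing; return (text, passes)."""
    passes = 0
    while passes < MAX_PASSES:
        decoded = unquote(target, encoding="latin-1")
        if decoded == target:
            break
        target, passes = decoded, passes + 1
    return target, passes

def classify(line):
    """Flag encoded traversal toward cmd.exe and report how the server answered."""
    m = REQ.search(line)
    if m is None:
        return None
    decoded, passes = decode_passes(m["target"])
    flags = []
    if passes >= 2:
        flags.append("multi-encoded")  # %25xx hides the real byte from a single decode
    if TRAVERSAL.search(decoded):
        flags.append("traversal")
    if "cmd.exe" in decoded.lower():
        flags.append("cmd.exe")
    status = int(m["status"])
    verdict = "clean" if not flags else "probe-failed" if status >= 400 else "investigate"
    return {"decoded": decoded, "passes": passes, "flags": flags, "verdict": verdict}

SAMPLE_LOG = [
    # Request fragment as posted in the thread.
    '"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186',
    # Constructed benign lines for contrast.
    '"GET /index.html HTTP/1.0" 200 5120',
    '"GET /files/my%20notes.txt HTTP/1.0" 200 312',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```
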
  #9  
Old 28th Jul 02, 07:28 PM
Cyberion
The server is actually on a spare Macintosh computer running on a 2Mbit cable to the internet.

That is why I think the exploits are being used on the wrong person. At most my server is confused by all the scanning going on.

Then again, I may have little "kiddies" on the network with me who think it's fun to confuse web servers.

Are there any known exploits for Macintosh Web servers?

@ CARTMAN : The reason I don't move to Apache is because I believe that I would have to upgrade to OS 10 on the server box. Problem is.. It's an 8500 running @ 180MHz... Yep, that's all, on a PowerPC 604e chip.

Cyberion
  #10  
Old 29th Jul 02, 03:19 PM
CARTMAN
Well, I know Apache's running on 8 MB RAM P133s without a hitch, but I don't think old Macs are Unix based, so there is your problem.