I Don't Understand This?

Cyberion · #1 28th Jul 02, 12:09 AM

"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186

What is this person tring to do? Is this a security hole that should be pluged up. Funny thing is... Those folder don't even exist on the server. Does anyone know what is happening here.

Thanks,
Cyberion

Crowdirt · #2 28th Jul 02, 04:46 AM

Hi Folks, this is the kind of things that "CodeRed" and "Nimda" did on a Windows 2K IIS Server. It's an attempt to break into the machine and run the Virus code to spread/infect other machines on the 'Net.

Shiromagius · #3 28th Jul 02, 04:58 AM

Any idea where you got that little snippet from Cyberion so we know where to stay away from?

Last edited by Shiromagius at Jul 27 2002, 07:59 PM

Bads · #4 28th Jul 02, 05:35 AM

Hum.......

This is not really good

Where did you catch this one ?

Crowdirt · #5 28th Jul 02, 06:28 AM

Hi Folks, actually, these things go looking for your computer. All that is required is for your computer to be connected to the 'Net and the "Code" will try to break into your machine. In this case if you are not running IIS, there is nothing to worry about. Also if you are completely up to date on your "M$ Security Patches" you will be ok as well.

#6 28th Jul 02, 08:53 AM

and if you're really wise and determined to use a web server, then use apache so you don't have to worry bout it.

it's much more configurable anyway... I've gotten lots of CodeRed attempts on my web server, but always denied...

-CaP

Cyberion · #7 28th Jul 02, 09:47 AM

There is more too.... And its from two sources... Both on my cable network. Grrrrrr.

The stupid thing is... They leave their IP address too. Is there a way that I can bouce their IP address on the server?

Should I post them? Let me know if you think it is good idea. Mabye other should watch out for these. I'm not sure..

But the attacks are spreading.. Different IP's even on the same network node or mask. I'm sorry if I'm confusing people.. Just a little worried..

Thank you so much,
Cyberion

CARTMAN · #8 28th Jul 02, 03:46 PM

This is the good old exploitation of Unicode vulnerability affecting Microsoft IIS servers. Do yourself a goodness and install Apache Web Server www.apache.org

Cyberion · #9 28th Jul 02, 07:28 PM

The server is actually on a spare Macintosh computer running on a 2Mbit cable to the internet.

That is why I think the exploits are being used on the wrong person. At most my server is confused by all the scanning going on.

Then again, I may have little "kiddies" on the network with me who think it fun to confuse web servers.

Are then any know exploits for Macintosh Web servers.

@ CARTMAN : The reason I don't move to Aapache is because I believe that I would have to upgrade to OS 10 on the server box. Problem is.. Its a 8500 running @ 180Mhz... Yep that all.

on a PowerPC 604e chip.

Cyberion

CARTMAN · #10 29th Jul 02, 03:19 PM

Well I know Apache's running on 8 mb RAM P133 s without a hitch but I dont think old Macs are Unix based so there is your problem