Web Hosting Talk







View Full Version : Check out the lameness of this "hacker".


bitserve
06-17-2003, 06:53 PM
[Mon Jun 16 20:40:08 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/galaxy_9244.9590
[Mon Jun 16 20:40:09 2003] [error] [client 141.156.169.28] client denied by server configuration: /home/bitserve/htdocs/.htpasswd
[Mon Jun 16 20:40:19 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/admin/
[Mon Jun 16 20:40:25 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/ccbill/password/.htpasswd
[Mon Jun 16 20:40:25 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/ccbill/secure/ccbill.log
[Mon Jun 16 20:40:46 2003] [error] [client 141.156.169.28] script not found or unable to stat: /home/bitserve/htdocs/cgi-bin/ibillpm.pl
[Mon Jun 16 20:41:37 2003] [error] [client 141.156.169.28] script not found or unable to stat: /home/bitserve/htdocs/cgi-bin/mastergate
[Mon Jun 16 20:41:38 2003] [error] [client 141.156.169.28] script not found or unable to stat: /home/bitserve/htdocs/cgi-bin/PDG_Cart
[Mon Jun 16 20:41:47 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/data/verotellog.txt
[Mon Jun 16 20:41:48 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/etc/.htpasswd
[Mon Jun 16 20:41:49 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/etc/htpasswd
[Mon Jun 16 20:42:06 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/etc/passwd
[Mon Jun 16 20:42:14 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/htpasswd
[Mon Jun 16 20:42:16 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/ibill/cgi-bin/SiteAdmin.pl
[Mon Jun 16 20:42:25 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/mastergate/admin/
[Mon Jun 16 20:42:45 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/passreg/register.html
[Mon Jun 16 20:42:48 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/passwd
[Mon Jun 16 20:43:12 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/passwd.txt
[Mon Jun 16 20:43:16 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/password
[Mon Jun 16 20:43:17 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/password.log
[Mon Jun 16 20:43:17 2003] [error] [client 141.156.169.28] File does not exist: /home/bitserve/htdocs/password.txt

obviousl
06-17-2003, 06:56 PM
Looks like he is having a hard time getting the password listing :P

Maybe he should do a test hack on a home linux box before attempting the big time :P

Chris

genlee
06-17-2003, 06:58 PM
You would be surprised how many webservers are not configured properly and would let you view the .htpasswd.

PlacidHost
06-17-2003, 08:30 PM
That's actually kinda scary... looks quite automated. I'd believe that most servers would be protected anyways. You should send their ISP an email to protect the rest of us :)

NickRac
06-17-2003, 09:04 PM
bahaha I love it, protect us from what? that?

PlacidHost
06-17-2003, 09:12 PM
Well, maybe not protect, but to teach this fool who's boss. ;)

cubision
06-17-2003, 09:38 PM
Originally posted by PlacidHost
That's actually kinda scary... looks quite automated. I'd believe that most servers would be protected anyways. You should send their ISP an email to protect the rest of us :)

So you plan to send an email to their ISP and tell them what? That the user tried to send access documents on your server that didn't exist? Yeah, see, there's nothing illegal about it. And, unless their ISP has a user base of under 500, they won't give a **** -- even if what they had done was illegal.

PlacidHost
06-17-2003, 10:59 PM
I'm sure the sufficient logs would prove to a knowledgeable ISP that this person was attempting to gain access to a remote webserver illegally.

bitserve
06-17-2003, 11:16 PM
Originally posted by cubision
So you plan to send an email to their ISP and tell them what? That the user tried to send access documents on your server that didn't exist? Yeah, see, there's nothing illegal about it. And, unless their ISP has a user base of under 500, they won't give a **** -- even if what they had done was illegal.

Are you sure that you're not the one that did it? :)

Anyway, it's already taken care of.

Knogle
06-18-2003, 03:37 AM
It probably is an automated script trying to grab the .htpasswd file of a whole bunch of specified IP addresses.

Slidey
06-18-2003, 07:53 AM
ye it's one of them automated webvuln scanners..

he probably doesn't even remember your hostname

cubision
06-18-2003, 10:32 AM
Originally posted by sanjiv
It probably is an automated script trying to grab the .htpasswd file of a whole bunch of specified IP addresses.

I was thinking, of course, the same thing. It looks like something automated, except for the fact that there are REALLY big time intervals between the file requests. Most scripts I've seen do it all in about 5 seconds.

Have others seen scripts that seem to space them out this long? Is it maybe a countermeasure for autodetection of an "intruder" in some IDS?

PCplayground
06-18-2003, 11:38 AM
Originally posted by cubision
So you plan to send an email to their ISP and tell them what? That the user tried to send access documents on your server that didn't exist? Yeah, see, there's nothing illegal about it. And, unless their ISP has a user base of under 500, they won't give a **** -- even if what they had done was illegal.

Well, technically you can get in trouble for scanning.

I remember someone on AOL tried to hack my server. I got the log, and emailed them to AOL's abuse department with a short explanation of the hack. What did they do? Absolutely nothing.

cubision
06-18-2003, 11:50 AM
Originally posted by PCplayground
Well, technically you can get in trouble for scanning.

I never said you couldn't get in trouble for it.


I remember someone on AOL tried to hack my server. I got the log, and emailed them to AOL's abuse department with a short explanation of the hack. What did they do? Absolutely nothing.

Uhh ... that's pretty much what I said. There's nothing illegal about it ... that doesn't mean it isn't against the TOS of a given ISP. And AOL did nothing you said ... well, they are a large company, and as I pointed out, they probably won't do anything -- too many claims to check out.

When it comes down to a major DoS attack, the circumstances change ... but when someone "scans" you, or in this case, tried to access a list of documents, it isn't really worth the ISP's time.

rcs
06-18-2003, 11:54 AM
the bottom line is that it's not "hacking" if the attacker doesn't actually *write* to the disk. For example, go to ANY DoD computer. If you find a script that you can run as http://site.gov/script.cgi?`cat /etc/passwd` and it's fine. You're actually *allowed* to do that. BUT don't try script.cgi?`echo 1 > /tmp/test` because then they'll get you.

The Internet is an open place, you can't restrict (in law) the right of an internet user to view its content.

Slidey
06-18-2003, 12:34 PM
Originally posted by cubision
I was thinking, of course, the same thing. It looks like something automated, except for the fact that there are REALLY big time intervals between the file requests. Most scripts I've seen do it all in about 5 seconds.

Have others seen scripts that seem to space them out this long? Is it maybe a countermeasure for autodetection of an "intruder" in some IDS?

ye i think that's the idea

scanners like nmap will do things ultra quick -> mega slow and several in between to try and fly under the ids radar

other scanners will utilise spoofing or multiple hosts etc
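
Added example, not part of any post in this thread: a log-side check for the kind of credential-file probing shown in the error log at the top. It groups requests per client over a long window, so a scan spaced out over minutes, as discussed above, is still flagged, and it separates requests the server configuration refused from plain not-found ones. The sample log is constructed (documentation IP ranges, made-up docroot); the function name, regexes and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the error_log format quoted in the thread; not the poster's log.
SAMPLE_LOG = """\
[Mon Jun 16 20:40:09 2003] [error] [client 192.0.2.10] client denied by server configuration: /var/www/htdocs/.htpasswd
[Mon Jun 16 20:41:48 2003] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/etc/.htpasswd
[Mon Jun 16 20:42:06 2003] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/etc/passwd
[Mon Jun 16 20:43:17 2003] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/password.txt
[Mon Jun 16 20:41:00 2003] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/favicon.ico
[Mon Jun 16 20:44:00 2003] [error] [client 198.51.100.7] File does not exist: /var/www/htdocs/robots.txt
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.+): (?P<path>/\S*)$")
# Assumed watch list: credential-file names like the ones probed in the thread.
SENSITIVE_RE = re.compile(r"(^|/)\.?(htpasswd|passwd|password)(\.(txt|log))?$", re.I)


def find_probers(log_text, min_paths=3, window=timedelta(minutes=10)):
    """Flag clients that hit >= min_paths distinct credential-file paths within window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not SENSITIVE_RE.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits[m["ip"]].append((ts, m["path"], m["msg"]))

    report = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p, _ in events[start:end + 1]}) >= min_paths:
                report[ip] = {
                    "distinct_paths": len({p for _, p, _ in events}),
                    # Requests the server config refused rather than reported missing.
                    "denied_by_config": sorted(
                        p for _, p, msg in events if msg.startswith("client denied")),
                }
                break
    return report
```

Calling `find_probers(SAMPLE_LOG, window=timedelta(seconds=5))`, a burst-style threshold, returns nothing for the same sample, which is the gap a slow scan relies on.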

bitserve
06-18-2003, 05:40 PM
Originally posted by rcs
The Internet is an open place, you can't restrict (in law) the right of an internet user to view its content.

I disagree. Just because it's connected to the Internet, doesn't make the content public. And illicitly trying to gain access to a protected system is illegal.

Anyway, it had already been taken care of when I posted. I wouldn't have posted it otherwise.

PCplayground
06-19-2003, 12:59 AM
Originally posted by rcs
the bottom line is that it's not "hacking" if the attacker doesn't actually *write* to the disk.

Not true.

If you go in and log into a system as root because you guessed the password, then view all the credit card numbers, you have just committed a punishable crime.

trakwebster
06-19-2003, 11:15 PM
Originally posted by rcs
the bottom line is that it's not "hacking" if the attacker doesn't actually *write* to the disk.

Well, if the log says he didn't write, hey, it's your log, edit it. If he caused writing in your log, I say it's spinach and I say the hell with it.

bitserve
06-20-2003, 12:30 AM
Originally posted by trakwebster
Well, if the log says he didn't write, hey, it's your log, edit it.

:D

eBoundary
06-20-2003, 01:12 AM
Originally posted by cubision
I was thinking, of course, the same thing. It looks like something automated, except for the fact that there are REALLY big time intervals between the file requests. Most scripts I've seen do it all in about 5 seconds.

Have others seen scripts that seem to space them out this long? Is it maybe a countermeasure for autodetection of an "intruder" in some IDS?

unless of course the scanner ran one test on a range of IPs before moving onto the next check

fog
06-20-2003, 10:49 AM
To use a metaphor from the 'tangible' world... I think the "you can view whatever you want" is wrong. Use the metaphor of a mall. The mall would _love_ you to come in and look around. You can go into any of the stores and look at what they have. Spraypainting the walls (writing to files), of course, is not allowed.

However, going into the door that says "Machine Room -- Employees Only" is not okay. Even if they forgot to lock the door, it's clear that you shouldn't.

Guessing passwords, or trying to load the password list, is a bit like going around and trying every doorknob. I suppose you couldn't really be charged with anything other than "Attempted Breaking and Entering" (and actually, it's not really breaking if it's unlocked... "Attempted Entering"?) The charges probably wouldn't go very far, but that doesn't make it right / legal.

Similarly, trying to gain access to places you shouldn't on a server -- such as trying to exploit security vulnerabilities, or even just stupidity on the part of the admin, is in my mind illegal. (And thanks to brilliant laws that have been passed lately, computer hacking is punishable by prison terms sometimes exceeding those for attempted murder?!)

Will anyone be prosecuted for this? Not likely. But I think claiming that you can do this to the DoD's computers with impunity is a bit off.

PCplayground
06-20-2003, 11:26 AM
Originally posted by fog
Similarly, trying to gain access to places you shouldn't on a server -- such as trying to exploit security vulnerabilities, or even just stupidity on the part of the admin, is in my mind illegal. (And thanks to brilliant laws that have been passed lately, computer hacking is punishable by prison terms sometimes exceeding those for attempted murder?!)

Will anyone be prosecuted for this? Not likely. But I think claiming that you can do this to the DoD's computers with impunity is a bit off.

Exactly. Imagine if you walked down your street and tried every door knob and every window. I am sure there will be a cop over there soon.