Web Hosting Talk

View Full Version : Is this a security risk?


NVB
09-18-2001, 11:02 AM
For the past 2 hours, my error log file has been full of statements like:

[Tue Sep 18 09:05:38 2001] [error] [client 216.150.11.249] File does not exist: /home/name/public_html/scripts/root.exe
[Tue Sep 18 09:05:38 2001] [error] [client 216.150.11.249] File does not exist: /home/name/public_html/MSADC/root.exe
[Tue Sep 18 09:05:38 2001] [error] [client 216.150.11.249] File does not exist: /home/name/public_html/c/winnt/system32/cmd.exe
[Tue Sep 18 09:05:38 2001] [error] [client 216.150.11.249] File does not exist: /home/name/public_html/d/winnt/system32/cmd.exe
[Tue Sep 18 09:05:38 2001] [error] [client 216.150.11.249] File does not exist: /home/name/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 09:05:38 2001] [error] [client 216.150.11.249] File does not exist: /home/name/public_html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

Do you know what this guy is doing?
Is he trying to gain access to the server or doing something that would present a security risk?

aurorac
09-18-2001, 11:44 AM
It was a security hole scan for NT web servers.
I think he blindly scanned a range of IPs, among which was yours.
Since you are under Linux it cannot hurt your system :D

Several times a day I see the same in my logs.

webbcite
09-18-2001, 01:29 PM
There is a new worm going around looking for several different IIS exploits. This is really ugly! It is much worse than Code Red or Code Red II. I have received 8500 requests in the last 4 hours. Approx 150 requests per minute...

ARRGGH!

Domenico
09-18-2001, 01:56 PM
Use portsentry then!

webbcite
09-18-2001, 01:59 PM
How would portsentry be used to block web hits?

yazzer
09-18-2001, 02:02 PM
My logs are also filling up with these requests on all my web servers. Is there an easy way to block them?

I have portsentry installed

Raq3s and a Linux 7.1 box

Domenico
09-18-2001, 02:19 PM
Originally posted by webbcite
How would portsentry be used to block web hits?

Well, he is scanning isn't he?
Why don't you block the ports he is scanning btw?

Planet Z
09-18-2001, 04:14 PM
Originally posted by Domenico


Well, he is scanning isn't he?
Why don't you block the ports he is scanning btw?

It's showing up in the webserver (Apache) error logs. So he's scanning port 80. I'm thinking blocking port 80 would be a bad thing (TM).

Domenico
09-18-2001, 04:16 PM
heheheehe, who needs port 80 anyway?
Too many other things on my mind I guess...

btw. don't forget the access logs getting bigger and bigger ;-)

Domenico
09-18-2001, 04:18 PM
Originally posted by webbcite
How would portsentry be used to block web hits?

Never mind, I didn't read it too well I guess. Portsentry is useless for this.
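
Added example, not part of the original thread: a small Python script that tallies, per client, the missing-file errors whose path ends in cmd.exe or root.exe, as in the log lines quoted in the first post. The sample log is constructed in that format (the 192.0.2.x addresses are placeholders), and the names `is_iis_probe` and `summarize` are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the same error_log format as the lines quoted in the thread.
# 216.150.11.249 is the client from the thread; the 192.0.2.x addresses are placeholders.
SAMPLE_LOG = """\
[Tue Sep 18 09:05:38 2001] [error] [client 216.150.11.249] File does not exist: /home/name/public_html/scripts/root.exe
[Tue Sep 18 09:05:38 2001] [error] [client 216.150.11.249] File does not exist: /home/name/public_html/c/winnt/system32/cmd.exe
[Tue Sep 18 09:05:38 2001] [error] [client 216.150.11.249] File does not exist: /home/name/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 09:06:02 2001] [error] [client 192.0.2.10] File does not exist: /home/name/public_html/MSADC/root.exe
[Tue Sep 18 09:06:40 2001] [error] [client 192.0.2.55] File does not exist: /home/name/public_html/favicon.ico
[Tue Sep 18 09:07:00 2001] [notice] caught SIGTERM, shutting down
"""

LINE_RE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>.+)$"
)
# Windows binaries requested in the thread's log lines.
PROBE_TARGETS = {"cmd.exe", "root.exe"}


def is_iis_probe(path):
    """True if a missing-file path ends in one of the Windows binaries above."""
    # Decode %5c to a backslash, then treat both separators alike.
    normalized = unquote(path).replace("\\", "/").lower()
    return normalized.rsplit("/", 1)[-1] in PROBE_TARGETS


def summarize(log_text):
    """Return (probe hits per client, count of other missing-file errors)."""
    probes, other = Counter(), 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not a "File does not exist" error line
        if is_iis_probe(match.group("path")):
            probes[match.group("ip")] += 1
        else:
            other += 1
    return probes, other


if __name__ == "__main__":
    probes, other = summarize(SAMPLE_LOG)
    for ip, hits in probes.most_common():
        print(f"{ip}\t{hits} IIS probe requests")
    print(f"{other} other missing-file errors")
```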