
06-03-2003, 01:50 AM
|
|
Junior Guru Wannabe
|
|
Join Date: Apr 2003
Location: California
Posts: 61
|
|
I have been monitoring my server logs and I have come across strange URLs. Can someone tell me, is it a hacking attempt? What can I do for prevention?
Like:
/scripts/root.exe /c+dir 404 -
GET /MSADC/root.exe /c+dir 404 -
GET /c/winnt/system32/cmd.exe /c+dir 404 -
GET /d/winnt/system32/cmd.exe /c+dir 404 -
GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 404 -
GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
GET /winnt/system32/cmd.exe /c+dir 404 -
GET /winnt/system32/cmd.exe /c+dir 404 -
GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 90%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 -
GET /scripts/root.exe /c+dir 404 -
|

06-03-2003, 01:58 AM
|
|
Web Hosting Guru
|
|
Join Date: Jul 2002
Posts: 288
|
|
No, someone is trying to look for a Windows exploit. You can add some code to your htaccess file to stop seeing that.
Put this in your .htaccess file and you won't see those anymore:
|

06-03-2003, 02:35 AM
|
|
Retired Moderator
|
|
Join Date: Jan 2003
Posts: 9,000
|
|
If you are not running a Windows machine you are fine. Too many inept users on the net....
|

06-03-2003, 02:58 AM
|
|
Junior Guru Wannabe
|
|
Join Date: Apr 2003
Location: California
Posts: 61
|
|
But I am using Win2k, not Unix.
|

06-03-2003, 03:17 AM
|
|
Web Hosting Master
|
|
Join Date: Jan 2002
Posts: 2,998
|
|
It's an old IIS exploit. If you are running an older version of IIS, I'd worry about it, otherwise you are fine minus the wasted bandwidth. It looks as if you are fine, because the server is returning 404s (File Not Found).
I'm sure a more experienced user might be able to give more details.
Thanks for the redirect, reseller. I'm going to add this to my .htaccess to save on bandwidth.
__________________
Don't like what I say? Ignore me because it will be the only way you can shut me up.
|
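An added example, not part of the thread or any poster's code: a small Python triage script for request lines in the layout of the log excerpt at the top of the thread. It flags the traversal, cmd.exe/root.exe and default.ida patterns and separates probes the server rejected (the 404s noted above) from any it served; the sample log, function names and tag names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample in the "METHOD path query status -" layout of the excerpt
# in this thread; the .ida query is shortened and the last line is hypothetical.
SAMPLE_LOG = """\
GET /scripts/root.exe /c+dir 404 -
GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858=a 404 -
GET /index.html - 200 -
GET /scripts/root.exe /c+dir 200 -
"""
SHELL_NAMES = {"cmd.exe", "root.exe"}  # binaries the probes try to reach

def normalize(path):
    """Percent-decode until stable and fold backslashes to '/', so encoded variants compare equal."""
    for _ in range(3):  # bounded: also unwraps nested encoding
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def classify(line):
    tokens = line.split()
    if len(tokens) < 4 or not tokens[-2].isdigit():
        return None  # not in the expected layout
    if not tokens[0].startswith("/"):  # drop the method when it is logged
        tokens = tokens[1:]
    path, query, status = tokens[0], "".join(tokens[1:-2]), int(tokens[-2])
    segments = normalize(path).split("/")
    tags = []
    if any(seg.startswith("..") for seg in segments):
        tags.append("traversal")
    if segments[-1] in SHELL_NAMES:
        tags.append("shell-exec")
    if segments[-1].endswith(".ida") and ("%u" in query.lower() or len(query) > 200):
        tags.append("ida-overflow")
    if not tags:
        return None  # ordinary traffic
    outcome = "SERVED" if 200 <= status < 300 else "rejected"  # 2xx: investigate
    return {"path": path, "status": status, "tags": tags, "outcome": outcome}

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["outcome"], hit["status"], ",".join(hit["tags"]), hit["path"])
```

Any line reported as SERVED is the case that needs follow-up; lines reported as rejected match the 404 behaviour described in the thread.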

06-03-2003, 03:29 AM
|
|
Web Hosting Master
|
|
Join Date: May 2001
Location: @ Work - Usually!
Posts: 835
|
|
Nice one, reseller.
That's a gr8 piece of info.
|

06-03-2003, 06:38 AM
|
|
Community Leader
|
|
Join Date: Oct 2002
Location: cognito
Posts: 17,323
|
|
I had placed that htaccess into my cpanelskel folder so it loads into new client setups automatically.
|

06-03-2003, 06:42 AM
|
|
Web Hosting Master
|
|
Join Date: Dec 2001
Location: Singapore
Posts: 747
|
|
Quote:
Originally posted by reseller
No, someone is trying to look for a Windows exploit. You can add some code to your htaccess file to stop seeing that.
Put this in your .htaccess file and you won't see those anymore:
|
.. just wondering if anyone has something similar for win2k too..
__________________
fulltime sysadmin since 1997!
|

06-03-2003, 07:28 AM
|
|
Junior Guru Wannabe
|
|
Join Date: Apr 2003
Location: California
Posts: 61
|
|
Yeah!!! Will appreciate Win2k advice.
__________________
Always In Control !!!
|

06-03-2003, 07:53 AM
|
|
Web Hosting Guru
|
|
Join Date: Jul 2002
Posts: 288
|
|
Win2K advice = stay up-to-date with patches and hotfixes. IIS has a security patch and a set of hot fixes for this issue.
IIS 5 is covered by default, IIS 4 needs to be patched.
When patched you should automatically get that protection.
|

06-03-2003, 08:05 AM
|
|
Web Hosting Guru
|
|
Join Date: Jul 2002
Posts: 288
|
|
Here you go.
Look at, read, and follow the advice given here:
Click here
It's dated May 28, 2003 so it's pretty current.
It covers IIS 4, 5 and 5.1
|

06-03-2003, 09:00 AM
|
|
Web Hosting Master
|
|
Join Date: Feb 2002
Posts: 1,298
|
|
You can have your box scanned at https://sans20.qualys.com
John
|

06-03-2003, 09:01 AM
|
|
Disabled
|
|
Join Date: Dec 2002
Location: chica go go
Posts: 11,858
|
|
heh, i get all sorts of logs like that on my error_log, AND I'M USING APACHE! lmao
|

06-03-2003, 12:35 PM
|
|
Retired Moderator
|
|
Join Date: Jan 2003
Posts: 9,000
|
|
Quote:
Originally posted by bear
I had placed that htaccess into my cpanelskel folder so it loads into new client setups automatically.
|
just add it to your httpd.conf instead.
|

06-03-2003, 12:46 PM
|
|
Community Leader
|
|
Join Date: Oct 2002
Location: cognito
Posts: 17,323
|
|
Don't have root on every box, but a good idea on those I do. Thanks.
|