Is this a hacking attempt?



Unregistered
10-27-2002, 04:00 PM
I have had a website up for less than a month and it is not registered with any search engine. However, other than some friends who have been on it, I have seen many other IPs requesting files that do not exist on the server. On closer inspection, it appeared to be an attempt to hack my webserver. The strings in the log would look something like this:

GET /scripts/winnt/cmd.exe?/c+dir

Now, it looks to me like someone trying to access my C Drive. Is it? Or am I just being paranoid? If it isn't, then why are these people trying to request files that don't exist on a site they couldn't possibly have heard of? Are they just running some program that cycles through IP ranges and pings each one?

DATA
10-29-2002, 05:36 AM
hi,

yes, it looks like an attempt to crack and execute commands remotely.

Data.

fEš·.·šEr
10-29-2002, 06:32 AM
YES,
by all means it's a hacking attempt very "on vogue" these days.
we see it on many servers..

if you are running microsoft IIS 4 or 5 server then YOU are concerned, otherwise do not worry.

the hackers attempt to abuse an exploit called unicode on
NT os systems running microsoft IIS servers.
they try to install hiddenly a sort of FTP and/or TFTP server (but not on port 2*)
in order to share files secretly.
they call it "pubstro" for public storage.

verify your open ports and close those that are not allowed.
verify your firewall.
update microsoft IIS server (if you run one)
use commview (that you can download from this site, if it's not already done)

here's more info on pubstro

http://2*6.2**.*7.*00/search?q=cache:*hUbz5Cgw*cC:www.esec.dk/pubstro.pdf+pubstro&hl=en&ie=UTF-8

http://www.dslreports.com/forum/remark,42425*7~root=security,*~mode=flat



-----------
fEš·.·šEr

Unregistered
11-04-2002, 02:47 PM
It is either a Code Red worm or Nimda infected computer trying to run these scripts on your computer. If you are running a Windows server with IIS you are vulnerable. Make sure you have all the latest updates and service packs applied on your machine. If this is a Linux machine running Apache you have nothing to worry about. These infected machines scan IP addresses at random.

Unregistered
11-11-2002, 01:44 PM
most likely it is a virus like the above mentioned or some "L**t Kiddi*" got an exploit scanner and just pointed it in your direction.

exa: your ip is *27.22*.*7.8 and they tell the scanner to scan from *27.22*.*5.0 to *27.22*.20.255.

then what it does is notes any machines that respond back with
"HTTP/*.* 200 OK" for example, means that the computer is susceptible to the exploit. if not, it would respond back with "HTTP/*.* 500 Server Error" for example. I wouldn't worry about it because if you are all patched up or not running IIS it would just pass over you and not make a note of your server. However I would definitely print out a copy for future reference.

if they were trying to exploit your system, it would have been something like GET /scripts/winnt/cmd.exe?/c+ping.exe+(some variables)+(an ip address)

hope this helps
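
Added example (not part of any poster's reply): a log check for the `cmd.exe` requests quoted in this thread, separating probes the server rejected from probes it answered with a 2xx status, the distinction the reply above draws. The Common Log Format layout, the sample lines, the documentation-range IPs and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (an assumption; adapt
# LINE_RE to your server's log format). IPs are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Oct/2002:15:58:01 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [27/Oct/2002:15:59:12 +0000] "GET /scripts/winnt/cmd.exe?/c+dir HTTP/1.0" 404 281
198.51.100.7 - - [27/Oct/2002:15:59:13 +0000] "GET /scripts/winnt/CMD%2Eexe?/c+dir HTTP/1.0" 404 281
203.0.113.44 - - [27/Oct/2002:16:02:40 +0000] "GET /scripts/winnt/cmd.exe?/c+dir HTTP/1.0" 200 612
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PROBE_RE = re.compile(r'cmd\.exe', re.IGNORECASE)

def normalize(target, rounds=3):
    """Percent-decode repeatedly so encoded forms match the same pattern."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_probes(log_text):
    """Return {source_ip: {"hits": n, "answered_2xx": n}} for cmd.exe requests."""
    report = defaultdict(lambda: {"hits": 0, "answered_2xx": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, status = m.groups()
        if PROBE_RE.search(normalize(target)):
            report[ip]["hits"] += 1
            if status.startswith("2"):
                report[ip]["answered_2xx"] += 1
    return dict(report)

def needs_investigation(report):
    """Sources whose probe got a 2xx reply instead of an error."""
    return sorted(ip for ip, r in report.items() if r["answered_2xx"])

if __name__ == "__main__":
    rep = find_probes(SAMPLE_LOG)
    print(rep)
    print("investigate:", needs_investigation(rep))
```

Probes that only ever drew error responses are background noise; a source listed by `needs_investigation` means the server answered the request and the host should be checked for patch level and unexpected listening services.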

Unregistered
12-10-2002, 04:25 PM
you're a bit lost....what that is ,,,,is irc chat server trying to access and share files,,,,,,the get is a file add in for mirc do some research it's kinda like napster or kazaa..........GET look for qirc v.2 or m irc it explains everything......