Complete.Org: Mailing Lists: Archives: discussion: September 2001:
[aclug-L] Re: Hacker or ??
To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: Hacker or ??
From: "gLaNDix (Jesse Kaufman)" <glandix@xxxxxxxxxxxxxx>
Date: 18 Sep 2001 13:53:48 -0500
Reply-to: discussion@xxxxxxxxx

Another thing that may help is doing a

'grep "cmd\.exe" httpd-access.log | grep "^24\.166\." > rr-infected-sites'

and send the file to security@xxxxxx ... they *may* request the entire
log (for security / validity reasons), but at least then you can report
infected sites to their net block owners...  that is what rr techs told
me to do w/ my CR entries...  i will be doing that as soon as i return
from NW5.1 Adv Adm this afternoon!

also,

'grep "cmd\.exe" httpd-access.log | grep "^24\.166\." | wc -l'

will tell you how many hits you've had from rr-related sites (i believe
all their IPs start w/ 24.166, but if someone has others, please post
so we all can make sure they're all reported...  i also have a list of
shawcable.net IPs in case i/we start getting hits from them and have to
report that as well, but you have to report EVERY infected IP in a
SEPARATE e-mail... i got chewed out for that last time w/ CRII... : ^ (

good luck!
gLaNDix

On 18 Sep 2001 13:47:17 -0500, Joshua S Brown wrote:
> 
> Thanks....any help would be good right now.
> 
> 
> Josh
> 
> On 18 Sep 2001, gLaNDix (Jesse Kaufman) wrote:
> 
> >
> > /usr/local/apache/bin/apachectl stop
> >
> >  : ^ )
> >
> > I don't think there's any reliable way to stop the traffic to linux
> > servers...  basically very similar to the GET /index.ida?XXXX... stuff
> > from CRII that seems to have become a normal occurrence in at least my
> > httpd-access.log file...  i know there were various CodeRed Killer
> > scripts (such as the Apache::CodeRed perl mod), but nothing that
> > completely stopped the traffic...  what i had done was add any hosts i
> > found to my /etc/ipfw.conf and denied all traffic on port 80 from them,
> > but in a business situation, this is not very practical, since you could
> > very easily block potential customers from seeing your website...
> >
> > the only recommendation i have gotten is to create a small index.ida
> > file (or whatever the file is that the new attack is attempting to
> > access) by doing a 'touch /usr/local/www/data/index.ida' (or wherever
> > your DocumentRoot is) so that instead of sending a "huge" 404 error, it
> > only sends the information contained in your empty index.ida file...  i
> > don't know how much of a difference it really makes, but some have said
> > it should help bandwidth usage...  on my system, i really haven't
> > noticed any difference, but i don't have to look at a billion 404
> > errors in my log (which also means no more related entries in your
> > httpd-error.log, thus smaller log files if that is a concern)...
> >
> > other than that, i think we just have to grin and bear it until the
> > world upgrades to apache... i mean installs the support pack... : ^ )
> >
> > gLaNDix
> >
> > p.s. I'd recommend subscribing to AntiOnline.com...  you get to hear
> > about these things pretty quick...  i was actually surprised to hear
> > about it there before on any user group lists...  i bcc'd the e-mail to
> > a number of other places, including RR, so maybe this time they'll take
> > action sooner......... : ^ )
> >
> > On 18 Sep 2001 13:05:31 -0500, Joshua S Brown wrote:
> > >
> > > Looks like a new worm that tries to attack 16 vulnerabilities in IIS.
> > > Wonderful for people who run Linux but are still being pounded.
> > >
> > > Josh Brown
> > >
> > > Anyone have any ideas to stop it or just grin and bear it?
> > >
> > > On Tue, 18 Sep 2001, Steven Saner wrote:
> > >
> > > >
> > > > Appears that this is the worm that Glandix reported. I got the
> > > > readme.exe email this morning as well. It was made to appear like a
> > > > bounce back message from someplace.
> > > >
> > > > Steve
> > > >
> > > >
> > > > On Tue, Sep 18, 2001 at 12:49:24PM -0500, Joshua S Brown wrote:
> > > > >
> > > > > We are having the same problem on all our web servers. Is this a hack
> > > > > or something like code red?
> > > > >
> > > > >
> > > > > Josh Brown
> > > > >
> > > > > On Tue, 18 Sep 2001, Maverick wrote:
> > > > >
> > > > > >
> > > > > > Hi, all
> > > > > >  Recently I checked my apache webserver access.log
> > > > > > and found a lot of entries like this:
> > > > > > 24.254.90.73 - - [18/Sep/2001:10:44:38 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > > > > 24.254.90.73 - - [18/Sep/2001:10:44:39 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > > > > 24.254.90.73 - - [18/Sep/2001:10:44:41 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
> > > > > > 24.254.90.73 - - [18/Sep/2001:10:44:43 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
> > > > > > .....
> > > > > >
> > > > > > Is that someone trying to access my /var/www/scripts/?
> > > > > > and my error.log generates something like this..
> > > > > > [Tue Sep 18 10:52:27 2001] [error] [client 24.234.20.197] File does not exist: /var/www/c/winnt/system32/cmd.exe
> > > > > > [Tue Sep 18 10:52:28 2001] [error] [client 24.234.20.197] File does not exist: /var/www/d/winnt/system32/cmd.exe
> > > > > > ....
> > > > > >
> > > > > > anyone have any idea? or did I set something wrong?
> > > > > > or do I really have a hacker knocking on my door?
> > > > > >
> > > > > > Thanks.
> > > > > > Mav
> > > > > >
> > > > > > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > > > > > visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> >
> >
> >
> 
> >>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<
> Joshua Brown
> Administration / Web Development
> WebSurf Internet Services
> www.websurf.net
> 316-945-7873 or 877-329-1671 (toll-free)
> >>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<
> 


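As an added example that is not from any poster in this thread: a small Python script that does what the grep pipelines in gLaNDix's message do, but over parsed log records instead of raw text matches, so that the same access.log entries Mav posted can be tallied per source address and per net block and turned into one report line per infected host (the thread notes abuse desks want each IP reported separately). The sample log lines are constructed for the example; the two 24.166.x.x hosts are made-up addresses inside the net block gLaNDix mentions, and grouping by /16 is my assumption about how that block is delimited. The request patterns come from the entries quoted above (cmd.exe, index.ida, the %c0%af / %c1%9c / %%35%63 traversal encodings); root.exe and default.ida are added from general knowledge of the Code Red / Nimda family, not from the thread.

```python
"""Tally IIS-worm probes (Code Red / Nimda style) found in an Apache access log.

Added example, not code from the aclug-L thread. Sample data is constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Common/combined log format prefix: client IP, identd, user, [timestamp],
# "request line", status, size.  Anything after size is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Targets requested by the worms discussed in the thread.  cmd.exe and the
# .ida probe are from the quoted log lines; root.exe and default.ida are
# added from general knowledge of the same worm family (assumption).
WORM_RE = re.compile(r'(cmd\.exe|root\.exe|default\.ida|\.ida\?)', re.IGNORECASE)

# Directory-traversal encodings seen in Mav's log plus the plain "../" form.
TRAVERSAL_RE = re.compile(
    r'(\.\./|%c0%af|%c1%9c|%%35%63|%%35c|%255c)', re.IGNORECASE
)

# Constructed sample log.  24.254.90.73 mirrors the entries quoted in the
# thread; the 24.166.x.x addresses are made-up hosts in the RR block.
SAMPLE_LOG = [
    '24.254.90.73 - - [18/Sep/2001:10:44:38 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '24.254.90.73 - - [18/Sep/2001:10:44:39 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215',
    '24.254.90.73 - - [18/Sep/2001:10:44:41 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215',
    '24.254.90.73 - - [18/Sep/2001:10:44:43 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '24.166.1.2 - - [18/Sep/2001:11:02:10 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '24.166.1.2 - - [18/Sep/2001:11:02:11 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210',
    '24.166.5.9 - - [18/Sep/2001:11:05:00 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 210',
    '192.0.2.10 - - [18/Sep/2001:11:06:00 -0500] "GET /index.html HTTP/1.1" 200 1523',
]


def parse_line(line):
    """Return a dict with ip/ts/req/status/size, or None if the line is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_worm_probe(request):
    """True when the request line asks for one of the worm's target files."""
    return WORM_RE.search(request) is not None


def find_probes(lines):
    """Group worm-probe records by source IP; non-probe and unparsable lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_worm_probe(rec["req"]):
            continue
        # Flag whether the request also carried a traversal sequence.
        rec["traversal"] = TRAVERSAL_RE.search(rec["req"]) is not None
        hits[rec["ip"]].append(rec)
    return dict(hits)


def count_by_block(hits, prefix_len=16):
    """Probe counts per net block (default /16, e.g. the 24.166.0.0/16 block named in the thread)."""
    counts = defaultdict(int)
    for ip, recs in hits.items():
        block = ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(block)] += len(recs)
    return dict(counts)


def reports(hits):
    """One summary line per infected IP, sorted numerically, ready to paste into separate abuse mails."""
    out = []
    for ip in sorted(hits, key=ip_address):
        recs = hits[ip]
        out.append(
            f"{ip}: {len(recs)} probe(s) between {recs[0]['ts']} and {recs[-1]['ts']}; "
            f"first request: {recs[0]['req']}"
        )
    return out


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for block, n in sorted(count_by_block(probes).items()):
        print(f"{block}: {n} hit(s)")
    for line in reports(probes):
        print(line)
```

To run it against a real log, replace SAMPLE_LOG with the lines of httpd-access.log; matching on the parsed request field rather than the whole line avoids counting an address that merely contains the digits 24.166 somewhere other than the client column.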

