Is this an attack?

 
 
Vince from Spain

 

Posts: 658
From: Madrid Spain
Status: offline

 
Is this an attack? - 9/24/2001 21:02:00   
Hi All,
Looking through our IIS 5.0 server error logs, it seems that starting around the 18th of this month I have thousands of error pages where something was trying to access the following URLs, along with error codes:

/scripts/root.exe /c+dir 404
/MSADC/root.exe /c+dir 403
/c/winnt/system32/cmd.exe /c+dir 404
/d/winnt/system32/cmd.exe /c+dir 404
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500

and some other similar ones.

This started on the 18th, peaked on the 19th and has been tailing off since to around 150 a day now. There are over 10,000 similar entries in the logs, and this is just for one site. All sites on our server have the same entries.

Looking at the referring IPs, some for instance . . .

66.150.46.200
66.108.80.41
66.108.8.96
66.87.101.136
66.148.188.22
66.24.29.103

and so on, but ALL starting with 66.x.x.x for the whole period till now.

Is this an attack, or am I just getting paranoid?

If anyone can throw any light onto this at all I would be very grateful.

All known patches applied and I seem to still be clean of all the current worms btw.

Vince

Spooky

 

Posts: 26606
Joined: 11/11/1998
From: Middle Earth
Status: offline

 
RE: Is this an attack? - 9/25/2001 20:32:00   
root.exe is a sign of Red Alert.

There's a thread lower down discussing the fixes for that one, Vince!


(in reply to Vince from Spain)
Spooky

 

Posts: 26606
Joined: 11/11/1998
From: Middle Earth
Status: offline

 
RE: Is this an attack? - 9/25/2001 20:58:00   
Ahh, here we go!

http://www.frontpagewebmaster.com/ubb/Forum9/HTML/000773.html


(in reply to Vince from Spain)
storm

 

Posts: 421
Status: offline

 
RE: Is this an attack? - 9/25/2001 20:16:00   
You're not being paranoid. Your system was being scanned by a virus looking for vulnerabilities.

If you go to http://www.cert.org/advisories/CA-2001-26.html it will show what the log file will look like when the Nimda worm scans a system and explain what each line means.

------------------
storm...
"Someone put forth the proposition that you can petition the lord with prayer, petition the lord with prayer, petition the lord with prayer...YOU CANNOT PETITION THE LORD WITH PRAYER"


(in reply to Vince from Spain)
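One way to triage log entries like those in the first post, as an added example that is not part of the thread: normalise each requested URI, label the probe type, and report per client whether any probe was answered with 200 rather than 403/404/500. The W3C extended field layout, dates, client addresses and the 200 entry are constructed for illustration; the probe URIs are the ones quoted in the first post.

```python
from urllib.parse import unquote

# Constructed sample: W3C extended layout; URIs are the ones quoted in the first
# post; dates, client addresses (RFC 5737) and the 200 response are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:01:02 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 10:01:04 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:01:05 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-19 11:15:40 198.51.100.7 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500
2001-09-19 11:16:00 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-09-19 12:00:00 203.0.113.5 GET /index.htm - 200
"""

def classify(stem):
    """Label a probe-like URI stem; ordinary requests return None."""
    for _ in range(3):              # decode repeatedly so nested %-encoding normalises too
        stem = unquote(stem)
    path = stem.replace("\\", "/").lower()
    if ".." in path and path.endswith("/cmd.exe"):
        return "traversal to cmd.exe"
    if path.endswith("/root.exe"):
        return "root.exe probe"
    if path.endswith("/cmd.exe"):
        return "direct cmd.exe request"

def find_probes(log_text):
    """Return (client_ip, label, status) for each probe, using the #Fields header."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            label = classify(rec["cs-uri-stem"])
            if label:
                hits.append((rec["c-ip"], label, int(rec["sc-status"])))
    return hits

def summarize(hits):
    report = {}
    for ip, _label, status in hits:
        entry = report.setdefault(ip, {"probes": 0, "answered_200": False})
        entry["probes"] += 1
        entry["answered_200"] |= (status == 200)   # a 200 here needs a closer look
    return report

if __name__ == "__main__":
    print(summarize(find_probes(SAMPLE_LOG)))
```

A client with `answered_200` set is the one to investigate first; the rest are failed probes of the kind the first post lists.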
Vince from Spain

 

Posts: 658
From: Madrid Spain
Status: offline

 
RE: Is this an attack? - 9/25/2001 23:33:00   
Cheers guys,
As you say, Storm, it seems like the Nimda worm has been paying me several visits trying to infect our server. Thankfully though, I seem to have survived the attack and have none of the beasties on my system associated with this worm. I was a bit stressed last night though when I first noticed it.
Thanks to all in the server forum for the advice on security patches etc., which is the main reason we survived this one!!!

Vince

------------------
Internet Business Solutions S.L.(Spain)


(in reply to Vince from Spain)
Spooky

 

Posts: 26606
Joined: 11/11/1998
From: Middle Earth
Status: offline

 
RE: Is this an attack? - 9/25/2001 17:00:00   
Yay for patches

(in reply to Vince from Spain)
Gil

 

Posts: 7533
From: North Carolina, USA
Status: offline

 
RE: Is this an attack? - 9/25/2001 19:29:00   
Hmmm, So, if something (Windows) needs "patching" it must have been broke?

Gotta luv Unix...

------------------
Gil Harvey
The Host Factory
Resellers are our speciality
"Indecision may or may not be my problem"


(in reply to Vince from Spain)
Spooky

 

Posts: 26606
Joined: 11/11/1998
From: Middle Earth
Status: offline

 
RE: Is this an attack? - 9/26/2001 20:23:00   
Ongoing development and retaining the technical edge

(in reply to Vince from Spain)
Vince from Spain

 

Posts: 658
From: Madrid Spain
Status: offline

 
RE: Is this an attack? - 9/26/2001 20:37:00   
In my days doing UNIX admin I seem to remember spending lots of time searching for patches. Has that all changed, Gil?

(in reply to Vince from Spain)
Gil

 

Posts: 7533
From: North Carolina, USA
Status: offline

 
RE: Is this an attack? - 9/26/2001 20:18:00   
quote:
Originally posted by Vince from Spain:
In my days doing UNIX admin I seem to remember spending lots of time searching for patches. Has that all changed, Gil?

Unix patch? I haven't seen a Unix security patch in so long, I don't remember when it was.

One FreeBSD box, running a little over domains hasn't been rebooted or anything in over a year now

------------------
Gil Harvey
The Host Factory
Resellers are our speciality
"Indecision may or may not be my problem"


(in reply to Vince from Spain)
Vince from Spain

 

Posts: 658
From: Madrid Spain
Status: offline

 
RE: Is this an attack? - 9/26/2001 20:19:00   
Well, it was a few years ago I used to do UNIX admin, so they must have fixed it all since then.
But don't you ever get bored, Gil? Sitting there surrounded by servers that are all just . . . working. Don't you miss the thrill of a major security breach? The excitement of a server suddenly locking up while thousands are clamoring for access to their web pages? Ahhh, thank God for Windoze.

(in reply to Vince from Spain)
Gil

 

Posts: 7533
From: North Carolina, USA
Status: offline

 
RE: Is this an attack? - 9/26/2001 20:56:00   
LOL

Bored? Ha, there is always something up. We get hit by hackers all the time, they just don't get in. It's kind of fun to watch HP Openview and see the attempts.

Plus we have a couple of Windoze machines (Exchange & 2 Intranet boxes) just to keep us from falling asleep...

------------------
Gil Harvey
The Host Factory
Resellers are our speciality
"Indecision may or may not be my problem"


(in reply to Vince from Spain)
storm

 

Posts: 421
Status: offline

 
RE: Is this an attack? - 9/26/2001 20:31:00   
good read

http://www3.gartner.com/DisplayDocument?doc_cd=101034


(in reply to Vince from Spain)