Koozali.org: home of the SME Server

Hacking Attempts?

John

Hacking Attempts?
« on: May 10, 2003, 11:02:39 PM »
I have just been looking through the HTTP error log on my server. I am seeing errors that look to me like people trying to call NT shell files.

e.g.

[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/MSADC/root.exe
[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/d/winnt/system32/cmd.exe
[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed May  7 21:31:21 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed May  7 21:31:21 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed May  7 21:31:21 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Wed May  7 21:31:21 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..Á../winnt/system32/cmd.exe
[Wed May  7 21:31:24 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..À¯../winnt/system32/cmd.exe
[Wed May  7 21:31:24 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..Áœ../winnt/system32/cmd.exe
[Wed May  7 21:31:25 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed May  7 21:31:25 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..%2f../winnt/system32/cmd.exe

There are lots of lines such as these, all originating from different addresses.
Should I be concerned?
Most of the errors originate from IP addresses in the same network as my external network.
Is it possible for anybody to gain access to my system via a method such as this one?

JC

Terry

Re: Hacking Attempts?
« Reply #1 on: May 10, 2003, 11:23:21 PM »
That's an infected Windows machine trying to exploit using Code Red or Nimda. It's harmless to a SME box.

Tom Carroll

Re: Hacking Attempts?
« Reply #2 on: May 11, 2003, 05:16:30 AM »
I have seen a lot of errors in my log file looking for a file called default.ida.  I just created a blank file with that name in my primary html directory.  It no longer appears in my errors log.

You can probably do the same with the cmd.exe and other files it is looking for.  One way or the other, it will be logged, thereby making your log files bigger... :(

Tom
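
An added example, not part of any post in this thread: a small Python triage script that reads Apache error_log lines in the format quoted in the first post, picks out the misses for IIS-only files mentioned here (cmd.exe, root.exe, default.ida), decodes the %5c / %2f traversal encodings, and counts them per client. The signature list and function names are assumptions of this example; the 192.0.2.10 and 198.51.100.7 lines are constructed sample input.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache error_log "File does not exist" line, in the format quoted in the first post.
LINE_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] "
                     r"File does not exist: (?P<path>.+)$")
# IIS-only files named in this thread; a Linux/Apache host never has them (assumed list).
SIGNATURES = {
    "cmd.exe": re.compile(r"/winnt/system32/cmd\.exe$", re.I),
    "root.exe": re.compile(r"/root\.exe$", re.I),
    "default.ida": re.compile(r"/default\.ida", re.I),
}
DOCROOT = "/home/e-smith/files/primary/html"
PRE = "[Wed May  7 21:31:20 2003] [error] [client %s] File does not exist: " + DOCROOT
# First four entries reuse paths from the first post; the last two are constructed.
SAMPLE = [
    PRE % "213.204.154.103" + "/MSADC/root.exe",
    PRE % "213.204.154.103" + "/c/winnt/system32/cmd.exe",
    PRE % "213.204.154.103" + "/scripts/..%5c../winnt/system32/cmd.exe",
    PRE % "213.204.154.103" + "/scripts/..%2f../winnt/system32/cmd.exe",
    PRE % "192.0.2.10" + "/default.ida",
    PRE % "198.51.100.7" + "/favicon.ico",  # ordinary 404, must not be flagged
]

def classify(line):
    """Return (ip, signature, has_traversal) for a worm probe, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith(DOCROOT):
        path = path[len(DOCROOT):]
    # Decode %5c / %2f and treat backslash like slash, as IIS would have.
    decoded = unquote(path).replace("\\", "/")
    for name, rx in SIGNATURES.items():
        if rx.search(decoded):
            return m.group("ip"), name, "../" in decoded
    return None

def summarise(lines):
    """Count probe signatures (and traversal attempts) per client IP."""
    per_ip = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            ip, name, traversal = hit
            per_ip[ip][name] += 1
            per_ip[ip]["traversal"] += int(traversal)
    return {ip: {k: v for k, v in c.items() if v} for ip, c in per_ip.items()}
```

Running `summarise()` over a real error_log separates this worm noise from 404s worth a look, which helps when the log has grown as described in the last reply.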