Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Bobby on February 20, 2002, 01:10:07 AM
-
Seems one of my clients has been hit by hackers, or at least a malicious wannabe.
A lot of entries in the logs showing attempts to reach things like cmd.exe and root.exe. I figure they are trying to exploit Micro$oft IIS.
Problem is that now the web server does not work. No webmail, no web site, no http://host/server-manager (Server manager still works on port 980). Just get "HTTP 500 - Internal server error" when trying to access anything.
Any ideas where to look to fix such an issue?
Cheers.
/B
-
What you are seeing when you see something like:
www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:16 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
is actually a Nimda attack from 24.55.72.6. It is an infected webserver that is actively scanning for other hosts to infect. SME & Apache are not vulnerable to this exploit, I don't imagine the fact that http has stopped has anything to do with the Nimda scanning. I get over 8000 scans a week!
I would just reboot the server and make sure httpd restarts on reboot. There is a command to restart httpd without rebooting, but I don't have it handy...
Terry
Bobby wrote:
>
> Seems one of my clients has been hit by hackers, or at least
> a malicious wannabe.
>
> A lot of entries in the logs showing attempts to reach things
> like cmd.exe and root.exe. I figure they are trying to
> exploit Micro$oft IIS.
>
> Problem is that now the web server does not work. No
> webmail, no web site, no http://host/server-manager (Server
> manager still works on port 980). Just get "HTTP 500 -
> Internal server error" when trying to access anything.
>
> Any ideas where to look to fix such an issue?
>
> Cheers.
>
> /B
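Terry's point above (the 404s show the worm's IIS-specific probes failing against Apache) can be checked mechanically rather than by eye. The following is an added example, not code from the original thread or from SME Server: it parses access-log lines in the virtual-host-prefixed combined format shown in the post, flags request paths matching known Nimda / Code Red probe strings (root.exe, cmd.exe, default.ida, the encoded traversal sequences Nimda used), and reports per-IP counts together with whether any probe ever got a 2xx response. The sample lines are constructed for the example (the three from the post plus benign traffic); the pattern list is an assumption about what is worth flagging, not something the thread itself enumerates.

```python
import re
from collections import defaultdict

# Apache "combined" format with a leading virtual-host field, as in the post.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path fragments probed by the IIS worms of the period (Nimda, Code Red II).
# They target IIS; on Apache each one simply returns 404. (Assumed list for the example.)
WORM_PATTERNS = [
    re.compile(r'/root\.exe', re.I),
    re.compile(r'/cmd\.exe', re.I),
    re.compile(r'/default\.ida', re.I),
    re.compile(r'%255c|%c0%af|%c1%1c', re.I),  # encoded "..\" traversal used by Nimda
]

# Constructed sample: the three lines quoted in the post plus benign requests.
SAMPLE_LOG = [
    'www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:16 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    'www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"',
    'www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"',
    'www.brummell.net 10.0.0.5 - - [10/Feb/2002:07:01:02 -0500] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"',
    'www.brummell.net 10.0.0.5 - - [10/Feb/2002:07:01:03 -0500] "GET /webmail/ HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_worm_probe(path):
    """True if the request path matches any of the worm probe fragments."""
    return any(p.search(path) for p in WORM_PATTERNS)


def summarise(lines):
    """Per source IP: how many worm-style probes were seen and how many got a 2xx.

    A non-zero "succeeded" count would mean the server actually served the
    probed path, which is what you would need to see before suspecting that
    the scans, rather than something else, broke the host.
    """
    hits = defaultdict(lambda: {"probes": 0, "succeeded": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_worm_probe(rec["path"]):
            continue
        entry = hits[rec["ip"]]
        entry["probes"] += 1
        if rec["status"].startswith("2"):
            entry["succeeded"] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, counts in summarise(SAMPLE_LOG).items():
        print(f"{ip}: {counts['probes']} worm probes, {counts['succeeded']} served with 2xx")
```

Run against a real access log with `summarise(open("/var/log/httpd/access_log"))`; the scanning hosts show up with a probe count and, on an Apache box, zero successes, which is the evidence behind Terry's "not vulnerable" remark.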
-
Have tried rebooting.
Just mentioned the attack as it is the only thing showing up weird.
Thanks for the thoughts, though. I think there must be something simple I am missing.
/B
-
Restart Apache with
service httpd restart
stop and start work as well as restart does.
-
Thanks for the responses.
Turns out that it was Trend keeping it from working. Though the server was hit with Nimda, or something like it, the server was a victim of on-site staff with meddling fingers.
Cheers.
/B
-
I need to run a website on IIS (wdweb application) and also PHP for some other sites. Does someone know how I can do that? (I know it may work with port forwarding, but then I'll get something like www.website.com:8080, for example, to go to the IIS server.)
Thanks for help