Koozali.org: home of the SME Server


Title: Hacking Attempts?
Post by: John on May 10, 2003, 11:02:39 PM
I have just been looking through the HTTP error log on my server. I am seeing errors that look to me like people trying to call NT shell files.

e.g.

[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/MSADC/root.exe
[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/d/winnt/system32/cmd.exe
[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed May  7 21:31:21 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed May  7 21:31:21 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Wed May  7 21:31:21 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Wed May  7 21:31:21 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..Á../winnt/system32/cmd.exe
[Wed May  7 21:31:24 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..À¯../winnt/system32/cmd.exe
[Wed May  7 21:31:24 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..Áœ../winnt/system32/cmd.exe
[Wed May  7 21:31:25 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed May  7 21:31:25 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..%2f../winnt/system32/cmd.exe

There are lots of lines such as these, all originating from different addresses.
Should I be concerned?
Most of the errors originate from IP addresses in the same network as my external network.
Is it possible for anybody to gain access to my system via a method such as this one?

JC
Title: Re: Hacking Attempts?
Post by: Terry on May 10, 2003, 11:23:21 PM
That's an infected Windows machine trying to exploit using Code Red or Nimda. It's harmless to an SME box.
Title: Re: Hacking Attempts?
Post by: Tom Carroll on May 11, 2003, 05:16:30 AM
I have seen a lot of errors in my log file looking for a file called default.ida.  I just created a blank file with that name in my primary html directory.  It no longer appears in my errors log.

You can probably do the same with the cmd.exe and other files it is looking for.  One way or the other, it will be logged, thereby making your log files bigger... :(

Tom
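
Added example (not part of the original thread, and not SME Server code): a short Python script that reads Apache error-log lines in the format quoted above and groups the worm-style probes by client, so they can be told apart from ordinary missing-file errors. The 192.0.2.x log lines and the label names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Document root as it appears in the log lines quoted in the thread.
DOCROOT = "/home/e-smith/files/primary/html"
# File names mentioned in the thread; none can exist on a Linux Apache host.
IIS_TARGETS = ("cmd.exe", "root.exe", "default.ida")
LINE_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] "
                     r"File does not exist: (?P<path>.+)$")

# First four lines are from the thread; the 192.0.2.x lines are constructed.
SAMPLE_LOG = """\
[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/MSADC/root.exe
[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/c/winnt/system32/cmd.exe
[Wed May  7 21:31:20 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..%5c../winnt/system32/cmd.exe
[Wed May  7 21:31:25 2003] [error] [client 213.204.154.103] File does not exist: /home/e-smith/files/primary/html/scripts/..%2f../winnt/system32/cmd.exe
[Thu May  8 09:12:01 2003] [error] [client 192.0.2.10] File does not exist: /home/e-smith/files/primary/html/favicon.ico
[Thu May  8 10:40:17 2003] [error] [client 192.0.2.77] File does not exist: /home/e-smith/files/primary/html/default.ida
"""

def classify(path):
    """Label a missing-file path; an empty set means an ordinary 404."""
    rel = path[len(DOCROOT):] if path.startswith(DOCROOT) else path
    # Decode %5c / %2f and treat backslash as a separator, as IIS would.
    decoded = unquote(rel).replace("\\", "/").lower()
    labels = set()
    name = decoded.rsplit("/", 1)[-1]
    if name in IIS_TARGETS:
        labels.add("iis-target:" + name)
    if "../" in decoded:
        labels.add("traversal")
    if re.search(r"%(5c|2f)", rel, re.I):
        labels.add("encoded-separator")
    return labels

def summarize(lines):
    """Return {client_ip: {"hits": n, "labels": set}} for probe-like lines."""
    report = defaultdict(lambda: {"hits": 0, "labels": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        labels = classify(m.group("path")) if m else set()
        if labels:
            report[m.group("ip")]["hits"] += 1
            report[m.group("ip")]["labels"] |= labels
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, info["hits"], sorted(info["labels"]))
```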