Am I attacked by hacker?

Post by Maryanne Cheun » Mon, 20 Aug 2001 12:49:46



I have the following event logged:

61.156.xx.xx- - [18/Aug/2001:21:11:35 -0500] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 283 "-" "-"

Does this indicate an attack?

Thanks for input,


Am I attacked by hacker?

Post by Black Drag » Mon, 20 Aug 2001 13:28:55


On Sat, 18 Aug 2001 22:49:46 -0500 in comp.os.linux.networking,

: I have the following event logged:
:
: 61.156.xx.xx- - [18/Aug/2001:21:11:35 -0500] "GET
: /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
: u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
: HTTP/1.0" 404 283 "-" "-"
:
: Does this indicate an attack?

If you are running a vulnerable Microsoft IIS server on NT4 or W2K,
yes, that's from the CodeRed worm looking for another server to
exploit.

I've got some 1500 of these in my logs per week the past few weeks.
The whole internet has been flooded with it. It does seem to be
quieting down though.

See also:

<URL:http://news.cnet.com/news/0-1003-201-6741564-0.html>

--
Black Dragon

That which does not kill us, makes us stranger.
-- Trevor Goodchild - AEon Flux


Am I attacked by hacker?

Post by Maryanne Cheun » Mon, 20 Aug 2001 13:36:43


Fortunately, I am running RH7.1 but concerned that the virus may use my
machine as a base to attack other hosts, can I get rid of this anyway?
> If you are running a vulnerable Microsoft IIS server on NT4 or W2K,
> yes, that's from the CodeRed worm looking for another server to
> exploit.

> I've got some 1500 of these in my logs per week the past few weeks.
> The whole internet has been flooded with it. It does seem to be
> quieting down though.

> See also:

> <URL:http://news.cnet.com/news/0-1003-201-6741564-0.html>

> --
> Black Dragon

> That which does not kill us, makes us stranger.
> -- Trevor Goodchild - AEon Flux


Am I attacked by hacker?

Post by Stev » Mon, 20 Aug 2001 13:41:27



> I have the following event logged:

> 61.156.xx.xx- - [18/Aug/2001:21:11:35 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 283 "-" "-"

> Does this indicate an attack?

> Thanks for input,

It's the Red Worm, attacks only MIIS, if you're using Apache you're ok.

--
Steve - ICQ 35454764
Powered by GNU/Linux kernel 2.4.3


Am I attacked by hacker?

Post by Doug. » Mon, 20 Aug 2001 14:08:52


Don't worry this thing only affects Wind*machines not Linux boxes.


> Fortunately, I am running RH7.1 but concerned that the virus may use my
> machine as a base to attack other hosts, can I get rid of this anyway?

>> If you are running a vulnerable Microsoft IIS server on NT4 or W2K,
>> yes, that's from the CodeRed worm looking for another server to
>> exploit.

>> I've got some 1500 of these in my logs per week the past few weeks.
>> The whole internet has been flooded with it. It does seem to be
>> quieting down though.

>> See also:

>> <URL:http://news.cnet.com/news/0-1003-201-6741564-0.html>

>> --
>> Black Dragon

>> That which does not kill us, makes us stranger.
>> -- Trevor Goodchild - AEon Flux


Am I attacked by hacker?

Post by r0gu » Mon, 20 Aug 2001 14:38:14




> Fortunately, I am running RH7.1 but concerned that the virus may use my
> machine as a base to attack other hosts, can I get rid of this anyway?

>> If you are running a vulnerable Microsoft IIS server on NT4 or W2K,
>> yes, that's from the CodeRed worm looking for another server to
>> exploit.

>> I've got some 1500 of these in my logs per week the past few weeks. The
>> whole internet has been flooded with it. It does seem to be quieting
>> down though.

>> See also:

>> <URL:http://news.cnet.com/news/0-1003-201-6741564-0.html>

>> --
>> Black Dragon

>> That which does not kill us, makes us stranger.
>> -- Trevor Goodchild - AEon Flux

the exploit does not affect linux, but is a log filler.  Apache will send
a 404 response, and that's the end of it as far as the infected server contacting
you is concerned.  If you want, you can use a packet filter and just drop
any Get calls to .ida.

Am I attacked by hacker?

Post by enkid » Mon, 20 Aug 2001 14:49:27



> the exploit does not affect linux, but is a log filler.
> Apache will send a 404 response, and that the end of
> it as far as the infected server contacting you is
> concerned.  If you want, you can use a packet filter
> and just drop any Get calls to .ida.

Mmm, what about this, from my apache logs? Note the
response code! I don't have a /default.ida.

>203.79.248.155 - - [09/Aug/2001:02:43:26 +1200] "GET /default.ida?
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb
>d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b
>00%u 531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 -

Cheers,

Cliff


Am I attacked by hacker?

Post by enkid » Mon, 20 Aug 2001 14:50:34



> Fortunately, I am running RH7.1 but concerned that the
> virus may use my machine as a base to attack other hosts,
> can I get rid of this anyway?

They are incoming packets so you can't stop them.

Cheers,

Cliff


Am I attacked by hacker?

Post by r0gu » Mon, 20 Aug 2001 15:03:14





>> the exploit does not affect linux, but is a log filler.  Apache will
>> send a 404 response, and that the end of it as far as the infected
>> server contacting you is concerned.  If you want, you can use a packet
>> filter and just drop any Get calls to .ida.

> Mmm, what about this, from my apache logs? Note the response code! I
> don't have a /default.ida.

>>203.79.248.155 - - [09/Aug/2001:02:43:26 +1200] "GET /default.ida?
>>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb
>>d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b
>>00%u 531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 -

> Cheers,

> Cliff

That is odd.  In my logs, out of 971 code red log entries, 957 of them are 404
responses, 14 are 400 responses.  The 400 responses are only on
code red I (NNNN), the rest are code red 2 (XXX).
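A small log detector, added here as an illustration (it is not code from anyone in the thread), that applies the classification r0gu describes to constructed Apache log lines: it tags /default.ida probes as Code Red I (N padding) or Code Red II (X padding), tallies them by HTTP status so a 200 like Cliff's stands out, collects the source addresses that Andrzej suggests reporting to their administrators, and also flags the cmd.exe directory-traversal probe quoted in the related post at the bottom of the page. The sample lines, their addresses and the shortened padding are all constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache log format, modelled on the entries quoted
# in the thread (source addresses and the X/N padding are shortened/made up).
SAMPLE_LOG = """\
61.156.0.1 - - [18/Aug/2001:21:11:35 -0500] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 283 "-" "-"
203.79.248.155 - - [09/Aug/2001:02:43:26 +1200] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 200 -
198.51.100.7 - - [19/Aug/2001:03:00:01 -0500] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 -
62.226.214.9 - - [15/Sep/2001:22:39:24 -0500] "GET /scripts/..%C0%AF../winnt/system32/cmd.exe?/c+dir+C:%5C HTTP/1.0" 404 309 "-" "libwww-perl/5.48"
192.0.2.5 - - [18/Aug/2001:21:12:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""

# Common Log Format prefix; the optional referer/agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(path):
    """Label an IIS worm probe by its request path; None means ordinary traffic."""
    low = path.lower()
    if low.startswith("/default.ida?"):
        padding = low.split("?", 1)[1][:1]
        # Code Red I padded the overflow with N, Code Red II with X (as r0gu observes).
        return {"n": "codered-i", "x": "codered-ii"}.get(padding, "codered-other")
    if "cmd.exe" in low and ".." in low:
        return "iis-traversal"   # cmd.exe reached through an encoded ../ sequence
    return None

def summarize(log_text):
    """Count probes by (label, status) and record which sources sent them."""
    by_status = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # not a parseable access-log line
        label = classify(m.group("path"))
        if label is None:
            continue          # ordinary request, nothing to report
        by_status[(label, m.group("status"))] += 1
        sources[label].add(m.group("ip"))
    return by_status, dict(sources)

if __name__ == "__main__":
    counts, who = summarize(SAMPLE_LOG)
    for (label, status), n in sorted(counts.items()):
        print(f"{label:14s} HTTP {status}: {n}  from {sorted(who[label])}")
```

Point it at a real access.log by reading the file into `summarize` instead of `SAMPLE_LOG`; a probe that drew a 200 deserves a look at what actually served it.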

Am I attacked by hacker?

Post by Andrzej Popielewic » Mon, 20 Aug 2001 18:48:26


You could find out who is attacking You and simply inform the
corresponding administrator that one of his computers is infected with
CodeRed. I have informed already about 10 sites.
In this way You could help to diminish the slowing down of the Internet
traffic. Not only IIS is vulnerable to this threat. Some Unix www servers
too, as recently reported (one of the CNN or ZDNET links). If You are
interested simply search for CodeRed in yahoo.

Regards
Andrzej Popielewicz
www.landibase.com



> I have the following event logged:
>
> 61.156.xx.xx- - [18/Aug/2001:21:11:35 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 283 "-" "-"

> Does this indicate an attack?

> Thanks for input,


Am I attacked by hacker?

Post by Robert Kieslin » Mon, 20 Aug 2001 22:30:06




> > Fortunately, I am running RH7.1 but concerned that the
> > virus may use my machine as a base to attack other hosts,
> > can I get rid of this anyway?

> They are incoming packets so you can't stop them.

The httpd.conf file contains examples of how to redirect
incoming IP packets with the Deny and ErrorDocument
directives.  

--
Robert Kiesling
Linux FAQ Maintainer
http://www.mainmatter.com/kiesling/
http://www.mainmatter.com/linux-faq/toc.html  http://www.mainmatter.com/
---


Am I attacked by hacker?

Post by mark mort » Tue, 21 Aug 2001 14:14:52


MISS, ha ha <G>

Apache rules! :-)

just shows how nice the M stuff is. ;-) hehe

Run Linux/Unix, be happy :-)


> Don't worry this thing only effects Wind*machines not Linux boxes.


> > Fortunately, I am running RH7.1 but concerned that the virus may use my
> > machine as a base to attack other hosts, can I get rid of this anyway?

> >> If you are running a vulnerable Microsoft IIS server on NT4 or W2K,
> >> yes, that's from the CodeRed worm looking for another server to
> >> exploit.

> >> I've got some 1500 of these in my logs per week the past few weeks.
> >> The whole internet has been flooded with it. It does seem to be
> >> quieting down though.

> >> See also:

> >> <URL:http://news.cnet.com/news/0-1003-201-6741564-0.html>

> >> --
> >> Black Dragon

> >> That which does not kill us, makes us stranger.
> >> -- Trevor Goodchild - AEon Flux


Am I attacked by hacker?

Post by Dean Thompso » Tue, 21 Aug 2001 20:16:48


Hi,

> I have the following event logged:
>
> 61.156.xx.xx- - [18/Aug/2001:21:11:35 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 283 "-" "-"
>
> Does this indicate an attack?

This is just the Code Red virus looking around for other IIS servers to
infect.  I take it that you are running Apache which means that you are safe
from this virus threat.

See ya

Dean Thompson

--
+____________________________+____________________________________________+
| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+


Am I attacked by hacker?

Post by Bill Unr » Wed, 29 Aug 2001 22:58:40



]I have the following event logged:

]61.156.xx.xx- - [18/Aug/2001:21:11:35 -0500] "GET
]/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
]XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
]XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
]u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
]HTTP/1.0" 404 283 "-" "-"

]Does this indicate an attack?

It is the code red II worm you may have read about. It only successfully
attacks MS systems.


Am I attacked by hacker?

Post by Bill Unr » Wed, 29 Aug 2001 23:00:12



]Fortunately, I am running RH7.1 but concerned that the virus may use my
]machine as a base to attack other hosts, can I get rid of this anyway?
There is nothing to get rid of. The log indicates an attempted attack,
which failed. That is the end of the story. It can do no harm on a
non-MS system.

]> If you are running a vulnerable Microsoft IIS server on NT4 or W2K,
]> yes, that's from the CodeRed worm looking for another server to
]> exploit.
]>


Am I attacked by hackers?

Hi there!

Today I read this line from my /etc/httpd/log/access.log:
62.226.214.x - - [15/Sep/2001:22:39:24 -0500] "GET
/scripts/..%C0%AF../winnt/system32/cmd.exe?/c+dir+C:%5C HTTP/1.0" 404 309
"-" "libwww-perl/5.48"

Does this indicate an attack?

BTW I am running RH7.1 httpd.

Thanks for input,

Jindan
