Lame hack attempt

Post by Bill Pa » Sat, 02 Jun 2001 12:44:48



I found these entries in my Apache logs this evening:

inktomi1-bel.server.ntl.com - - [31/May/2001:11:37:47 -0700] "GET
/scripts/..******../winnt/system32/cmd.exe HTTP/1.0" 404 304 "-" "Mozilla/4.0
(compatiable; MSIE 5.5; Windows 98)"

24.66.19.44.on.wave.home.com - - [31/May/2001:15:00:20 -0700] "GET
/scripts/..***************************
**************************/winnt/system32/cmd.exe?/c%20dir" 404 - "-" "-"

Probably just some script kiddie, but I was just wondering if this was a
common attack. I assume this person(s) to be a real amateur since he couldn't
even figure out I'm not running a Windows box.
(I replaced certain characters he used with "***", just so I don't breed more
script kiddies here)
-BP

Cables/Surplus/Hardware/Electronics ---> http://www.kf6bbl.com

 
 
 


Post by Gus » Sat, 02 Jun 2001 21:03:59



> Probably just some script kiddie, but I was just wondering if this was a
> common attack.

Fairly. I see it about several times a day across our hosts/vhosts.

> I assume this person(s) to be a real amateur since he couldn't
> even figure out I'm not running a Windows box.

It's more that most ppl are using bulk scanners which don't bother to
check OS version before trying the exploit.

--

0x58E18C6D
82 AA 4D 7F D8 45 58 05  6D 1B 1A 72 1E DB 31 B5
http://black.hole-in-the.net/gus/

 
 
 


Post by Stev » Mon, 04 Jun 2001 23:47:37




>I found these entries in my Apache logs this evening:

>inktomi1-bel.server.ntl.com - - [31/May/2001:11:37:47 -0700] "GET
>/scripts/..******../winnt/system32/cmd.exe HTTP/1.0" 404 304 "-" "Mozilla/4.0
>(compatiable; MSIE 5.5; Windows 98)"

>24.66.19.44.on.wave.home.com - - [31/May/2001:15:00:20 -0700] "GET
>/scripts/..***************************
>**************************/winnt/system32/cmd.exe?/c%20dir" 404 - "-" "-"

>Probably just some script kiddie, but I was just wondering if this was a
>common attack. I assume this person(s) to be a real amateur since he couldn't
>even figure out I'm not running a Windows box.
>(I replaced certain characters he used with "***", just so I don't breed more
>script kiddies here)
>-BP

>Cables/Surplus/Hardware/Electronics ---> http://www.kf6bbl.com

Interesting coincidence: I've gotten 3 visits from the same 2 script

Never saw this one in the logs before last week.

The inktomi ip appears to be a dial-up in Ireland from a UK isp. But


Steve

 
 
 


Post by jabhosting.co.u » Sun, 10 Jun 2001 23:15:08


It's pretty common in my logs. Like Gus said, probably bulk scanning or some
kiddie just bought his first hacking book.

--
Ben Boulton
Systems Administrator
http://www.jabhosting.co.uk
Linux based web-site hosting.



> > Probably just some script kiddie, but I was just wondering if this was a
> > common attack.

> Fairly. I see it about several times a day across our hosts/vhosts.

> > I assume this person(s) to be a real amateur since he couldn't
> > even figure out I'm not running a Windows box.

> It's more that most ppl are using bulk scanners which don't bother to
> check OS version before trying the exploit.

> --

> 0x58E18C6D
> 82 AA 4D 7F D8 45 58 05  6D 1B 1A 72 1E DB 31 B5
> http://black.hole-in-the.net/gus/

 
 
 

1. Apache - Attempt hack attempt?

On one of our Apache WWW servers, we have started to notice a lot of
activity where people are starting to access URLs in a strange manner.

For example:

        Normal URL:
                /blah/foo/bar.html

        What they are calling:
                /blah/../foo/../foo/../foo/bar.html

This has been happening from a number of different sites (some of which
are AOL), and I assume they are attempting to hack the site in some
manner (like it is possible to do on NT WWW servers) as this goes on for
up to 5 hours from a single user, calling 1 URL per second.

Is there any way to prevent knobheads like this doing such a thing?
And what are they trying to achieve??

Thanks.
Richard

--
-----------------------------------------------------------------

Beam Software         +61-3-9866-8300 x212      ICQ Pager:1231216
-----------------------------------------------------------------
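
An added example, not part of any post above: a small log triage script that flags the two request shapes discussed in these threads (Windows-only targets such as cmd.exe, and literal ".." path segments) and reports per client whether every probe was rejected with a 4xx. The host names, addresses and sample lines are constructed, with the traversal bytes masked as "***" the same way the original poster masked them.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# host ident user [time] "request" status size  (common/combined log prefix)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')
# Paths that only exist on Windows/IIS hosts, as in the thread's log entries.
WINDOWS_ONLY = re.compile(r"cmd\.exe|/winnt/|/system32/", re.IGNORECASE)

def classify(line):
    """Return (host, reasons, status) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, request, status = m.group(1), m.group(2), int(m.group(3))
    parts = request.split()          # the HTTP version may be missing
    if len(parts) < 2:
        return None
    path = unquote(parts[1].split("?", 1)[0]).replace("\\", "/")
    reasons = []
    if WINDOWS_ONLY.search(path):
        reasons.append("windows-only target")
    if ".." in path.split("/"):
        reasons.append("dot-dot segment")
    return (host, reasons, status) if reasons else None

def summarize(lines):
    """Per host: hit count, reasons seen, and whether any probe got a non-4xx reply."""
    report = defaultdict(lambda: {"hits": 0, "reasons": set(), "review": False})
    for line in lines:
        hit = classify(line)
        if hit:
            host, reasons, status = hit
            entry = report[host]
            entry["hits"] += 1
            entry["reasons"].update(reasons)
            entry["review"] |= not 400 <= status < 500
    return dict(report)

# Constructed sample lines; traversal bytes masked with "***" as in the thread.
SAMPLE = [
    'scanner.example.net - - [31/May/2001:11:37:47 -0700] "GET /scripts/..***../winnt/system32/cmd.exe HTTP/1.0" 404 304 "-" "-"',
    '192.0.2.10 - - [31/May/2001:15:00:20 -0700] "GET /scripts/..***/winnt/system32/cmd.exe?/c%20dir" 404 - "-" "-"',
    '192.0.2.77 - - [31/May/2001:15:01:00 -0700] "GET /blah/../foo/../foo/bar.html HTTP/1.0" 200 512',
    '192.0.2.77 - - [31/May/2001:15:01:01 -0700] "GET /blah/foo/bar.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE).items():
        print(host, entry["hits"], sorted(entry["reasons"]), "REVIEW" if entry["review"] else "rejected")
```

A "review" flag only means the server answered with something other than a 4xx; on Apache a path with ".." segments that stays inside the document root is normalized and served normally, so check what was actually returned.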
