Hack Attempt?


    Is this a hack attempt from someone on the 'outside'? I tried to look up the IP address but nothing came back. This is the first and only time I have seen this.

    5/2/2004 9:25:05 AM~!~Info~!~ Got data but was not PUT or GET, from: 202.99.244.36 Data: get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir

    #2
    It looks like one of the web server viruses trying to get to your site to run some command lines. However, it doesn't seem to be successful.

    Are you running your HS web on port 80? I used to get those a lot. I don't think it's anyone trying to hack into your site, it's probably someone else who got hit with the virus and is scanning computers for more infection.

    Simon



      #3
      I must say, it does look suspicious. They are trying to get something to execute through the command prompt. Probably a virus probing you.

      FYI the IP is registered to the CNCGroup CHINA
      Jon



        #4
        It's the "Directory Traversal Exploit".

        IIS had a bug that allowed a URL to "break-out" of your published web directory structure and navigate to the root directory of the IIS computer. The repeated "..%c0%af" portion would progressively work back to the root directory from your /scripts/ directory, where the "/winnt/system32/cmd.exe?/c%20dir" portion would execute a "dir" command. If your system responded to the 'dir', the probe would know that it found a vulnerable machine, and would follow up with additional lines that would copy the worm into your machine and execute it.

        I get about a dozen of these a week. You only need to worry if you are running IIS.



          #5
          .. that is what I figured. Too bad I couldn't feed them back a nice destructive virus.

          I wasn't really worried as my firewall protects me pretty good...



            #6
            Rocco,
            What if we are running IIS?


              #7
              You only need to worry if you are running an UNPATCHED IIS without URLSCAN.
              |
              | - Gordon

              "I'm a Man, but I can change, if I have to, I guess." - Man's Prayer, Possum Lodge, The Red Green Show
              HiddenGemStudio.com - MaineMusicians.org - CunninghamCreativeMaine.website



                #8
                Gordon,
                Concerning the IIS lockdown tool, can this be run on XP? The link I found points to Windows 2000 server.


                  #9
                  Yes, just separate out the URLScan from the Lockdown tool and run it separately. Unpack the lockdown tool to a directory (TechNet has instructions on how to do it) and run urlscan.
