Re: (clug-talk) Help! IP-Cop Hacked?

Jason Louie Fri, 06 Jun 2003 17:45:25 -0700

Actually there is no access to my Win2000 computer from the outside. 
Port 80/21/22 goes to my linux WWW/FTP server, (Running RH8.0)  That
being said what expliots should I be worried about with my linux box?


Jason

[EMAIL PROTECTED] wrote:
> 
> First off it looks like a blanket scan to me, where they are scanning for
> possible exploits in windows' systems (IIS) and proxy servers. Most likely
> they have already identified your system as a windows machine running
> particular servers.
> 
> Secondly I would say that you should make sure you are running the most
> uptodate versions of the software you have running on the system (looks like
> ftp, www, ssh). This would help curve the possibility of exploitation. Since
> it's microsoft software, check windows update.
> 
> All that being said, why not just block the attackers IP on your IPCop
> Firewall?
> 
> Quoting Jason Louie <[EMAIL PROTECTED]>:
> 
> > It looks like my system is being hacked for the past 6 days.  But am I
> > safe running a linux box?  Running Redhat 8.0 apache port forwarded.  A
> > windows 2000 system not accessed to externally.  Running IP-Cop 1.3.0
> > with full updates.
> > Port 21, 80, 22 forwarded to my linux web-server.
> >
> > Seem like these people are running something to test my systems
> > durability.  Can someone offer some suggestions?
> >
> > Jason
> >
> >
> > Total of number of Intrusion rules activated for June 6: 73
> > Date: 06/06 02:17:16  Name:   WEB-IIS CodeRed v2 root.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:1475 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1256
> > Date: 06/06 02:17:17  Name:   WEB-IIS CodeRed v2 root.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:1494 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1256
> > Date: 06/06 02:17:17  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:1513 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 02:17:17  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:1523 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 02:17:18  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:1536 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1945
> > Date: 06/06 02:17:18  Name:   WEB-FRONTPAGE /_vti_bin/ access
> > Priority:     2       Type:   access to a potentially vulnerable web
> application
> > IP info:      68.113.xxx.xxx:1554 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1288
> > Date: 06/06 02:17:19  Name:   WEB-IIS _mem_bin access
> > Priority:     2       Type:   access to a potentially vulnerable web
> application
> > IP info:      68.113.xxx.xxx:1574 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1286
> > Date: 06/06 02:17:19  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:1586 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    982
> > Date: 06/06 02:17:41  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:1598 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    982
> > Date: 06/06 02:17:41  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:2233 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 02:17:42  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:2251 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    981
> > Date: 06/06 02:17:43  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:2272 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    983
> > Date: 06/06 02:17:43  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:2282 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 02:17:44  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:2308 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 02:17:47  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:2326 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 02:17:48  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.113.xxx.xxx:2406 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 05:08:24  Name:   WEB-IIS CodeRed v2 root.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2350 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1256
> > Date: 06/06 05:08:25  Name:   WEB-IIS CodeRed v2 root.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2372 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1256
> > Date: 06/06 05:08:25  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2378 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 05:08:26  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2386 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 05:08:26  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2393 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1945
> > Date: 06/06 05:08:29  Name:   WEB-FRONTPAGE /_vti_bin/ access
> > Priority:     2       Type:   access to a potentially vulnerable web
> application
> > IP info:      68.48.xxx.xxx:2416 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1288
> > Date: 06/06 05:08:30  Name:   WEB-IIS _mem_bin access
> > Priority:     2       Type:   access to a potentially vulnerable web
> application
> > IP info:      68.48.xxx.xxx:2524 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1286
> > Date: 06/06 05:08:30  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2527 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    982
> > Date: 06/06 05:08:30  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2533 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    982
> > Date: 06/06 05:08:30  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2539 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 05:08:31  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2546 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    981
> > Date: 06/06 05:08:31  Name:   WEB-IIS unicode directory traversal attempt
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2550 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    983
> > Date: 06/06 05:08:31  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2555 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 05:08:31  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2561 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 05:08:31  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2569 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 05:08:32  Name:   WEB-IIS cmd.exe access
> > Priority:     1       Type:   Web Application Attack
> > IP info:      68.48.xxx.xxx:2576 -> xxx.xxx.xxx.xxx:80
> > References:   none found      SID:    1002
> > Date: 06/06 05:15:14  Name:   MS-SQL Worm propagation attempt
> > Priority:     2       Type:   Misc Attack
> > IP info:      66.111.41.xxx:1517 -> xxx.xxx.xxx.xxx:1434
> > References:   none found      SID:    2003
> > Date: 06/06 06:28:34  Name:   SCAN SOCKS Proxy attempt
> > Priority:     2       Type:   Attempted Information Leak
> > IP info:      200.157.xxx.xxx:55095 -> xxx.xxx.xxx.xxx:1080
> > References:   none found      SID:    615
> > Date: 06/06 06:28:34  Name:   SCAN Squid Proxy attempt
> > Priority:     2       Type:   Attempted Information Leak
> > IP info:      200.157.xxx.xxx:37028 -> xxx.xxx.xxx.xxx:3128
> > *snip*
> >

Re: (clug-talk) Help! IP-Cop Hacked?

Reply via email to