Jason, These are typical of the logs you will see daily. You have not been hacked, just probed. Had you been running a naked win2k box you would have been owned big time. As it is feel lucky your cop box is there..
Dan.. ----- Original Message ----- From: Jason Louie <[EMAIL PROTECTED]> Date: Friday, June 6, 2003 5:35 pm Subject: (clug-talk) Help! IP-Cop Hacked? > It looks like my system is being hacked for the past 6 days. But > am I > safe running a linux box? Running Redhat 8.0 apache port > forwarded. A > windows 2000 system not accessed to externally. Running IP-Cop 1.3.0 > with full updates. > Port 21, 80, 22 forwarded to my linux web-server. > > Seem like these people are running something to test my systems > durability. Can someone offer some suggestions? > > Jason > > > Total of number of Intrusion rules activated for June 6: 73 > Date: 06/06 02:17:16 Name: WEB-IIS CodeRed v2 root.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:1475 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1256 > Date: 06/06 02:17:17 Name: WEB-IIS CodeRed v2 root.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:1494 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1256 > Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:1513 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:1523 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 02:17:18 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:1536 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1945 > Date: 06/06 02:17:18 Name: WEB-FRONTPAGE /_vti_bin/ access > Priority: 2 Type: access to a potentially vulnerable web application > IP info: 68.113.xxx.xxx:1554 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1288 > Date: 06/06 02:17:19 Name: WEB-IIS _mem_bin access > Priority: 2 Type: access to a potentially vulnerable web application > IP info: 68.113.xxx.xxx:1574 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1286 > Date: 06/06 02:17:19 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:1586 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 982 > Date: 06/06 02:17:41 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:1598 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 982 > Date: 06/06 02:17:41 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:2233 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 02:17:42 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:2251 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 981 > Date: 06/06 02:17:43 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:2272 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 983 > Date: 06/06 02:17:43 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:2282 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 02:17:44 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:2308 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 02:17:47 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:2326 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 02:17:48 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.113.xxx.xxx:2406 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 05:08:24 Name: WEB-IIS CodeRed v2 root.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2350 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1256 > Date: 06/06 05:08:25 Name: WEB-IIS CodeRed v2 root.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2372 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1256 > Date: 06/06 05:08:25 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2378 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 05:08:26 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2386 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 05:08:26 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2393 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1945 > Date: 06/06 05:08:29 Name: WEB-FRONTPAGE /_vti_bin/ access > Priority: 2 Type: access to a potentially vulnerable web application > IP info: 68.48.xxx.xxx:2416 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1288 > Date: 06/06 05:08:30 Name: WEB-IIS _mem_bin access > Priority: 2 Type: access to a potentially vulnerable web application > IP info: 68.48.xxx.xxx:2524 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1286 > Date: 06/06 05:08:30 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2527 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 982 > Date: 06/06 05:08:30 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2533 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 982 > Date: 06/06 05:08:30 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2539 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 05:08:31 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2546 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 981 > Date: 06/06 05:08:31 Name: WEB-IIS unicode directory traversal > attemptPriority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2550 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 983 > Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2555 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2561 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2569 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 05:08:32 Name: WEB-IIS cmd.exe access > Priority: 1 Type: Web Application Attack > IP info: 68.48.xxx.xxx:2576 -> xxx.xxx.xxx.xxx:80 > References: none found SID: 1002 > Date: 06/06 05:15:14 Name: MS-SQL Worm propagation attempt > Priority: 2 Type: Misc Attack > IP info: 66.111.41.xxx:1517 -> xxx.xxx.xxx.xxx:1434 > References: none found SID: 2003 > Date: 06/06 06:28:34 Name: SCAN SOCKS Proxy attempt > Priority: 2 Type: Attempted Information Leak > IP info: 200.157.xxx.xxx:55095 -> xxx.xxx.xxx.xxx:1080 > References: none found SID: 615 > Date: 06/06 06:28:34 Name: SCAN Squid Proxy attempt > Priority: 2 Type: Attempted Information Leak > IP info: 200.157.xxx.xxx:37028 -> xxx.xxx.xxx.xxx:3128 > *snip* >
