This is all normal.  They are ATTEMPTS to attack a machine, and have been
blocked by IPcop.

Kev.


----- Original Message -----
From: "Jason Louie" <[EMAIL PROTECTED]>
To: "Clug Talk" <[EMAIL PROTECTED]>
Sent: Friday, June 06, 2003 5:35 PM
Subject: (clug-talk) Help! IP-Cop Hacked?


> It looks like my system has been getting hacked for the past 6 days.  But am I
> safe running a Linux box?  Running Red Hat 8.0 with Apache port forwarded.  A
> Windows 2000 system not accessible externally.  Running IP-Cop 1.3.0
> with full updates.
> Ports 21, 80, 22 forwarded to my Linux web server.
>
> Seems like these people are running something to test my system's
> durability.  Can someone offer some suggestions?
>
> Jason
>
>
> Total of number of Intrusion rules activated for June 6: 73
> Date: 06/06 02:17:16 Name: WEB-IIS CodeRed v2 root.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1475 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1256
> Date: 06/06 02:17:17 Name: WEB-IIS CodeRed v2 root.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1494 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1256
> Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1513 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1523 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:18 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1536 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1945
> Date: 06/06 02:17:18 Name: WEB-FRONTPAGE /_vti_bin/ access
> Priority: 2 Type: access to a potentially vulnerable web application
> IP info: 68.113.xxx.xxx:1554 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1288
> Date: 06/06 02:17:19 Name: WEB-IIS _mem_bin access
> Priority: 2 Type: access to a potentially vulnerable web application
> IP info: 68.113.xxx.xxx:1574 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1286
> Date: 06/06 02:17:19 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1586 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 982
> Date: 06/06 02:17:41 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1598 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 982
> Date: 06/06 02:17:41 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2233 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:42 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2251 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 981
> Date: 06/06 02:17:43 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2272 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 983
> Date: 06/06 02:17:43 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2282 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:44 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2308 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:47 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2326 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:48 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2406 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:24 Name: WEB-IIS CodeRed v2 root.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2350 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1256
> Date: 06/06 05:08:25 Name: WEB-IIS CodeRed v2 root.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2372 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1256
> Date: 06/06 05:08:25 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2378 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:26 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2386 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:26 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2393 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1945
> Date: 06/06 05:08:29 Name: WEB-FRONTPAGE /_vti_bin/ access
> Priority: 2 Type: access to a potentially vulnerable web application
> IP info: 68.48.xxx.xxx:2416 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1288
> Date: 06/06 05:08:30 Name: WEB-IIS _mem_bin access
> Priority: 2 Type: access to a potentially vulnerable web application
> IP info: 68.48.xxx.xxx:2524 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1286
> Date: 06/06 05:08:30 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2527 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 982
> Date: 06/06 05:08:30 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2533 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 982
> Date: 06/06 05:08:30 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2539 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:31 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2546 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 981
> Date: 06/06 05:08:31 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2550 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 983
> Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2555 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2561 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2569 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:32 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2576 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:15:14 Name: MS-SQL Worm propagation attempt
> Priority: 2 Type: Misc Attack
> IP info: 66.111.41.xxx:1517 -> xxx.xxx.xxx.xxx:1434
> References: none found SID: 2003
> Date: 06/06 06:28:34 Name: SCAN SOCKS Proxy attempt
> Priority: 2 Type: Attempted Information Leak
> IP info: 200.157.xxx.xxx:55095 -> xxx.xxx.xxx.xxx:1080
> References: none found SID: 615
> Date: 06/06 06:28:34 Name: SCAN Squid Proxy attempt
> Priority: 2 Type: Attempted Information Leak
> IP info: 200.157.xxx.xxx:37028 -> xxx.xxx.xxx.xxx:3128
> *snip*
>
>
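To turn the IPCop alert summary quoted above into the read-out Kev is describing, here is an added triage script (not from either poster): it parses the four-line record layout, marks WEB-IIS and WEB-FRONTPAGE signatures as inapplicable to a Linux/Apache host, and marks hits on ports that are not forwarded as dropped by the firewall. The forwarded port set {21, 22, 80} comes from Jason's message; the sample records and addresses are constructed, and the verdict labels are this script's own.

```python
import re
from collections import Counter

# Constructed sample in the IPCop/Snort alert-summary layout quoted above;
# RFC 5737 documentation addresses stand in for the masked ones.
SAMPLE_LOG = """\
Date: 06/06 02:17:16 Name: WEB-IIS CodeRed v2 root.exe access
Priority: 1 Type: Web Application Attack
IP info: 203.0.113.10:1475 -> 192.0.2.5:80
References: none found SID: 1256
Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access
Priority: 1 Type: Web Application Attack
IP info: 203.0.113.10:1513 -> 192.0.2.5:80
References: none found SID: 1002
Date: 06/06 05:15:14 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 198.51.100.7:1517 -> 192.0.2.5:1434
References: none found SID: 2003
Date: 06/06 06:28:34 Name: SCAN SOCKS Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 198.51.100.9:55095 -> 192.0.2.5:1080
References: none found SID: 615
"""

# One four-line record per alert, exactly as IPCop lays them out.
RECORD_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+)\n"
    r"Priority: (?P<prio>\d+) Type: (?P<type>.+)\n"
    r"IP info: (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"References: .*SID: (?P<sid>\d+)")

IIS_ONLY = ("WEB-IIS", "WEB-FRONTPAGE")  # rules that only matter for IIS/FrontPage hosts

def parse_alerts(text):
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def triage(alerts, forwarded_ports, web_server="apache"):
    """Attach a defender's verdict to each alert for this particular host."""
    out = []
    for a in alerts:
        if int(a["dport"]) not in forwarded_ports:
            verdict = "dropped-by-firewall"  # no forward rule, so IPCop drops it
        elif a["name"].startswith(IIS_ONLY) and web_server != "iis":
            verdict = "iis-probe-not-applicable"  # worm noise against a non-IIS server
        else:
            verdict = "review"  # reached an exposed service: look at the server logs
        out.append({**a, "verdict": verdict})
    return out

def summarize(triaged):
    return Counter(t["verdict"] for t in triaged), Counter(t["src"] for t in triaged)
```

The per-source counter is the useful part of the daily read-out: one source firing the whole root.exe / cmd.exe / traversal sequence within seconds is the signature of an automated worm scan rather than a targeted attack.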
