looks like script kiddie tried to get me

2004-11-17 Thread Steel City Phantom
bsd 4.9, apache 1.3
My postnuke started emailing me with hack attempts. I looked at my log 
and found about half a meg of what looks like a script kiddie trying 
to poke in the dark at this site. The hits are WAY too close together 
to be manual; here is a snip from the log:

24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] GET /etc/ HTTP/1.1 404 288 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] GET /example/ HTTP/1.1 404 292 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /examples/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /exc/ HTTP/1.1 404 288 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /excel/ HTTP/1.1 404 290 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /exchange/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /exe/ HTTP/1.1 404 288 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /exec/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /export/ HTTP/1.1 404 291 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /external/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /f/ HTTP/1.1 404 286 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /fbsd/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /fcgi-bin/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /file/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] GET /filemanager/ HTTP/1.1 404 296 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] GET /files/ HTTP/1.1 404 290 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] GET /foldoc/ HTTP/1.1 404 291 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] GET /form/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)

Anyone have any ideas what tool they would have used to do this? None 
of my other logs show any access, so he/she just tried to hit the web 
app. We are probably going to end up calling the police when my boss 
wakes up, but I want to get your opinions too.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: looks like script kiddie tried to get me

2004-11-17 Thread Christian Hiris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 17 November 2004 09:07, Steel City Phantom wrote:
> bsd 4.9, apache 1.3
[...]
> 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] GET /form/ HTTP/1.1 404
> 289 - Mozilla/4.75 [en] (X11, U; Nessus)
                                   ^^^^^^
It's maybe Nessus. We have this tool in ports/security.

- -- 
Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x3BCA53BE 
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBmw5K09WjGjvKU74RAmv/AJwJ5HPFUhKwJ1afxZWaRUUZ2HUyrQCffBBv
VhSPxOA8CRO6TxukaQ1rOkE=
=JA6D
-----END PGP SIGNATURE-----
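The reply above identifies the tool from the User-Agent string, and the original post notes that the hits were far too fast to be typed by hand. Both observations can be turned into a log check. The script below is an added example (not code from the thread, from FreeBSD, PostNuke or Nessus); it parses Apache access-log lines in the shape the original poster pasted, i.e. combined format with the quotes around request, referer and User-Agent stripped, and flags a client when its User-Agent names a scanner or when it sends a burst of requests that mostly return 404, which is what a directory brute-force looks like from the server side. The sample log lines are constructed for this example and modeled on the thread's excerpt; the burst window, request count and 404-ratio thresholds are assumptions you would tune for your own traffic.

```python
"""Spot automated web scanners in an Apache access log.

Added example, not code from the thread or from any tool it names.
Lines are expected in the shape the list archive shows them: combined
format with the quotes around request, referer and User-Agent removed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d "
    r"(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<referer>\S+) (?P<ua>.*)$"
)

# User-Agent substrings that identify a scanner outright.  Only Nessus is
# named in the thread; extend the tuple with other strings you observe.
SCANNER_UA_MARKERS = ("Nessus",)

# Constructed sample: a dozen scanner hits modeled on the thread's excerpt,
# plus two ordinary visits from a second (documentation-range) address.
SAMPLE_LOG = """\
24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] GET /etc/ HTTP/1.1 404 288 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] GET /example/ HTTP/1.1 404 292 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /examples/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /exc/ HTTP/1.1 404 288 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /excel/ HTTP/1.1 404 290 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /exchange/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /exe/ HTTP/1.1 404 288 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /exec/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /export/ HTTP/1.1 404 291 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /external/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /f/ HTTP/1.1 404 286 - Mozilla/4.75 [en] (X11, U; Nessus)
24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /fbsd/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)
192.0.2.10 - - [17/Nov/2004:01:03:12 -0500] GET /index.php HTTP/1.1 200 5120 - Mozilla/5.0 (X11; Linux) Firefox/1.0
192.0.2.10 - - [17/Nov/2004:01:03:40 -0500] GET /about/ HTTP/1.1 200 2210 http://example.com/index.php Mozilla/5.0 (X11; Linux) Firefox/1.0
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_requests_in_window(timestamps, window_s):
    """Largest number of requests that fall inside any window_s-second span."""
    ts = sorted(timestamps)
    best = j = 0
    for i in range(len(ts)):
        while (ts[i] - ts[j]).total_seconds() > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(lines, window_s=5, burst_min=10, notfound_ratio=0.8):
    """Per-client summary; 'reasons' is non-empty for clients worth a look.

    Thresholds are assumptions for this example: a client is flagged when it
    sends burst_min or more requests inside window_s seconds and at least
    notfound_ratio of its requests returned 404.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        reasons = []
        markers = sorted({m for r in recs for m in SCANNER_UA_MARKERS if m in r["ua"]})
        if markers:
            reasons.append("user-agent names scanner: " + ", ".join(markers))
        burst = max_requests_in_window([r["ts"] for r in recs], window_s)
        not_found = sum(1 for r in recs if r["status"] == 404)
        if burst >= burst_min and not_found / len(recs) >= notfound_ratio:
            reasons.append(f"{burst} requests within {window_s}s, "
                           f"{not_found}/{len(recs)} returned 404")
        report[ip] = {"requests": len(recs), "not_found": not_found,
                      "max_burst": burst, "markers": markers, "reasons": reasons}
    return report


def flagged_ips(report):
    """Addresses that triggered at least one reason, sorted for stable output."""
    return sorted(ip for ip, info in report.items() if info["reasons"])


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines())
    for ip in flagged_ips(rep):
        print(ip, "->", "; ".join(rep[ip]["reasons"]))
```

Run it against a real log with `analyze(open("/var/log/httpd-access.log").readlines())` (the path is an assumption; use whatever your httpd.conf sets). The burst check matters more than the User-Agent check: a scanner's User-Agent is one line of configuration away from saying Firefox, but a directory brute-force still has to make hundreds of requests that come back 404.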


Re: looks like script kiddie tried to get me

2004-11-17 Thread Kent Stewart
On Wednesday 17 November 2004 12:07 am, Steel City Phantom wrote:
> bsd 4.9, apache 1.3
>
> my postnuke started emailing me with hack attempts.  i look at my log
> and find about a half a meg of where it looks like a script kiddie tried
> to poke in the dark at this site.  the hits are WAY too close together
> to be manual, here is a snip from the log
>
> 24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] GET /etc/ HTTP/1.1 404 288 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] GET /example/ HTTP/1.1 404 292 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /examples/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /exc/ HTTP/1.1 404 288 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /excel/ HTTP/1.1 404 290 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /exchange/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] GET /exe/ HTTP/1.1 404 288 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /exec/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /export/ HTTP/1.1 404 291 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /external/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /f/ HTTP/1.1 404 286 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /fbsd/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /fcgi-bin/ HTTP/1.1 404 293 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] GET /file/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] GET /filemanager/ HTTP/1.1 404 296 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] GET /files/ HTTP/1.1 404 290 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] GET /foldoc/ HTTP/1.1 404 291 - Mozilla/4.75 [en] (X11, U; Nessus)
> 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] GET /form/ HTTP/1.1 404 289 - Mozilla/4.75 [en] (X11, U; Nessus)
>
> anyone have any ideas what tool they would have used to do this.  none
> of my other logs show any access so he/she just tried to hit the web
> app.  we are probably going to end up calling the police when my boss
> wakes up, but i want to get your opinions too.

Well, I don't know about your follow-up, but I would simply forward what you 
have to [EMAIL PROTECTED]. That is what shows up for a whois at www.arin.net 
for that IP address.

The ISPs are really good about eliminating problems like this :).

Kent


Re: looks like script kiddie tried to get me

2004-11-17 Thread Charles Ulrich

Steel City Phantom said:
> bsd 4.9, apache 1.3
>
> my postnuke started emailing me with hack attempts.  i look at my log
> and find about a half a meg of where it looks like a script kiddie tried
> to poke in the dark at this site.  the hits are WAY too close together
> to be manual, here is a snip from the log
[snip]
> anyone have any ideas what tool they would have used to do this.  none
> of my other logs show any access so he/she just tried to hit the web
> app.  we are probably going to end up calling the police when my boss
> wakes up, but i want to get your opinions too.

If you have a public web server, you're going to get attacks like these just
as sure as you'll get spam sent to a public email address. Calling the police
is likely just going to waste both their time and yours as 1) most police
departments do not have the tools or experience to investigate network
intrusion attempts, 2) script kiddies, while lacking in the brain cell
department, are usually smart enough not to launch attacks from their own
system, and 3) the attack didn't succeed and as far as you know, no damage was
done.

The best thing to do is just keep your server patched and remain diligent.
Another person recommended contacting the abuse department of the ISP. That
couldn't hurt if you consider it worth your time.

-- 
Charles Ulrich
Ideal Solution, LLC - http://www.idealso.com
