Have I been attacked?

byw · #1 25th February 2005, 07:21 AM

Hi

I have an apache webserver on FC3, I was browsing the server-status of it and came across this, should be on one line:
9-0 5885 0/13/13 _ 0.03 12125 0 0.0 0.03 0.03 24.172.78.10 phoenix GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir

What does this mean? I have been hacked?

Byron Williams
byron@byronwilliams.me.uk

spiderhosts · #2 25th February 2005, 08:01 AM

Someone seems to be scanning your machine and trying to run the cmd.exe command which is the command prompt used on windows NT.

Since you are running Fedora this is completely irrelevant for you but I would recommend that you do not dismiss this incident. This is a reminder that people up to no good are constanly scanning your machine and should be taken as an excuse to harden it....

Just my 2 cent's

Bechara Hitti

Ned · #3 25th February 2005, 03:29 PM

This is just script kiddies doing their stuff. The first good thing is that you obviously check your logs, something that's essential if you're running an publically accessible service such as http. Also, at the very least, make sure your machine stays up to date with all the latest security patches.

If you want to further harden your security, use strong passwords (if you're not doing so already) and change them frequently. Turn off or disable any services that you don't need. Also consider running any machine with publically accessible services in a DMZ so if it does get hacked you minimise the damage to just one machine, not your whole lan.

Ned

byw · #4 25th February 2005, 09:38 PM

Cool thanks, just got a little paranoid and I think just in-case I'll change my set of passwords!

Byron Williams

awdac · #5 25th February 2005, 09:51 PM

Actually, that looks more like the footprints of a worm rather than someone particularly targeting you, if it makes you feel any better. Take the others' advice though, and you should be fine.

w5set · #6 26th February 2005, 04:57 AM

As long as they are using a M$ exploit to try and make a zombie out your Linux server, you don't have much to worry about. If you have a SSH server running,there is always a chance they can gain access to it. Well SSH and a few other RPC types running they have a chance. Wait until they try the 4092+ character buffer overflow exploit and look then at what your log shows! That makes for one LONG line in the log file.
Who said--Build it and they will come?