Hackers! What to do???
So I've been running Apache, MySQL and PHP on my Mac for a few months now. I decided to look at my access logs today to see if anyone besides my friends has been coming to my website.
I have about 12 unique IPs that I don't recognize from people who have been trying to hack my system. The funny thing is, they've tried every single Windows exploit imaginable!!! They always get a "404 Not Found" message. I'm really glad OS X is based on Unix and so far no one has been able to get in.
But is there anything I can do about this, or should do about this? I mean, I could put up a message when one of those Windows exploits is used that would scare them. Something about logging their IP and sending it to the FBI. But somehow I think that wouldn't do any good.
Should I contact their ISPs and threaten them?
Or should I just sit back, relax and feel safe knowing I'm running the best OS in the world?

Comments
BTW, make a custom error page that says:
"This is an OSX server biatch. Go play somewhere else"
or something to that effect
If you can, make a dynamic page that shows how many attempts have been made:
"you are the 37th hacker to have tried to hack this server in vain. Have a nice day.
[ 09-04-2002: Message edited by: ZO ]
Keep the logs and *do* try to get the ISP that owns those addresses. The ISP **needs** to be aware of such small attacks in order to prevent bigger ones.
Unless the attack does US$5000 or more in damage and you have proof of that damage, the FBI will not even attempt to help you. The cost of investigating these online crimes is prohibitive.
I have calculated from the emails I have received so far that they must have sent it to thousands of people...
I only found out about the email when I received irate emails from people claiming that I sent them, and 'email delivery failure' messages stating that 1 email had not gone through but 100 others from my domain had!!
I have tracked the IPs down to a web site, and then done a 'whois' look up...all the details are fake. I have tracked the DNS server to a box named 'PetesPC'... I am really tempted to take matters into my own hands, but have been told that I will have my internet connection cut off by my ISP if I try.
Meanwhile the emails keep getting sent, and my company name blackened.
Hackers and Spammers....the FBI is too good for them.
Peace,
Marc
[ 09-04-2002: Message edited by: Marcus ]
[quote]
12.234.81.155 - - [04/JUL/2002:01:03:44 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:44 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:52 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:52 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:54 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:54 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:59 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:59 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:04:01 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:04:06 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:04:10 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:04:11 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:04:13 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:04:15 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:04:17 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:04:21 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
[/quote]
About the only thing you can do is report it to your ISP. (But then again, I traced most of these IP addresses to them!) This has been going on for 3 years now. If anything works, make sure you post the solution here. :cool:
[ 09-04-2002: Message edited by: Ebby ]
I think the dynamic page would be funny, but if it's only a program doing it they'd never see the page [Hmmm]
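The request sequence quoted above (root.exe, then cmd.exe reached through double-encoded and overlong-UTF-8 "..\" traversal under /scripts, /msadc, /_vti_bin, /_mem_bin) is the probe pattern of the Nimda worm, with root.exe being the backdoor that Code Red II left behind on infected IIS hosts; that is why it hits every address in a range and ignores the 404s. The script below is an added example written for this page, not code from anyone in the thread. It parses Apache common-log lines of the shape quoted, decodes the path twice the way the vulnerable IIS did (so %255c becomes a backslash), maps the two overlong UTF-8 forms IIS accepted, flags the probes, and tallies them per source IP with first and last seen times, which is what an ISP abuse desk asks for. The 12.234.81.155 lines are copied from the thread; the 10.0.0.7 and 192.0.2.44 lines are constructed to show an ordinary request and a second scanner.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log. The 12.234.81.155 lines are the thread's own excerpt;
# the other two lines are made up (one normal request, one more scanner).
SAMPLE_LOG = """\
12.234.81.155 - - [04/JUL/2002:01:03:44 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:44 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:52 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:04:10 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
10.0.0.7 - - [04/JUL/2002:09:15:01 -0700] "GET /index.php HTTP/1.1" 200 2048
192.0.2.44 - - [05/JUL/2002:22:41:13 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
"""

# Apache common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# (substring of the decoded path, human-readable label)
PROBE_SIGNATURES = (
    ('root.exe', 'Code Red II backdoor (root.exe)'),
    ('cmd.exe', 'Nimda-style traversal to cmd.exe'),
)


def normalize_path(raw):
    """Decode a request path the way the vulnerable IIS did.

    Two rounds of percent-decoding turn %255c into %5c and then into a
    backslash. The overlong UTF-8 sequences C0 AF and C1 9C were accepted by
    IIS as '/' and '\\'; the other %cX%YY variants in the thread are malformed
    guesses and are left alone (the cmd.exe/root.exe match still catches them).
    """
    b = unquote_to_bytes(raw)
    b = unquote_to_bytes(b)
    b = b.replace(b'\xc0\xaf', b'/').replace(b'\xc1\x9c', b'\\')
    return b.decode('latin-1').replace('\\', '/').lower()


def classify(decoded_path):
    """Return a probe label for a decoded path, or None for an ordinary request."""
    for needle, label in PROBE_SIGNATURES:
        if needle in decoded_path:
            return label
    return None


def parse_line(line):
    """Parse one log line into a dict; adds 'decoded' and 'probe' keys."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['decoded'] = normalize_path(rec['path'])
    rec['probe'] = classify(rec['decoded'])
    return rec


def summarize(log_text):
    """Per-IP probe count, first/last timestamp and probe kinds seen."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['probe'] is None:
            continue
        entry = per_ip.setdefault(
            rec['ip'], {'count': 0, 'first': rec['ts'], 'last': rec['ts'], 'kinds': set()})
        entry['count'] += 1
        entry['last'] = rec['ts']
        entry['kinds'].add(rec['probe'])
    return per_ip


def abuse_report(per_ip):
    """One line per offending IP, suitable for pasting into an abuse@ report."""
    lines = []
    for ip, e in sorted(per_ip.items()):
        lines.append(f"{ip}: {e['count']} probe(s) between {e['first']} and {e['last']}; "
                     + ', '.join(sorted(e['kinds'])))
    return '\n'.join(lines)


if __name__ == '__main__':
    print(abuse_report(summarize(SAMPLE_LOG)))
```

Run it against a real access_log by reading the file into `summarize()`; on the thread's excerpt it reports 12.234.81.155 with both probe kinds and ignores the 200 for /index.php. The decoded path is what matters for matching: the raw path `/scripts/..%255c../winnt/system32/cmd.exe` only reveals the traversal once it is decoded twice.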
Well, I'm going to send off these addresses to the ISPs that I found and see what they have to say. I'm sure they probably won't even care though.
If the ISPs use dynamic IPs, you may not be able to track down who's been doing this. Most ISPs nowadays do that, in fact, to keep people from hosting sites on their computers.
-Mike
Unless they do any damage, there's no point in doing(or trying to do) anything. The guy over at GRC.com had the same problem, but that hacker got in.
Read it: http://grc.com/dos/grcdos.htm
Many in the hacking community are just trying to learn, not swipe your identity and steal your mutual funds.
Second, if it really bothers you, get a firewall. Block the offender's IP addresses. End of story.
And if it REALLY bothers you, then be a lamer and tell their ISP, and their ISP will scold them for being bad, maybe disconnect them.
But try to be a lamer only as a last resort.
[quote]
First off, 'hackers' and 'spammers' are not synonymous. Spammers are the scum that breeds on scum's sweaty gym sock. 'Hackers' are typically curious teenage boys trying to learn the ins and outs of computers and networks. Unless they are overtly malicious, let them have their fun. Who cares?
Many in the hacking community are just trying to learn, not swipe your identity and steal your mutual funds.
Second, if it really bothers you, get a firewall. Block the offender's IP addresses. End of story.
And if it REALLY bothers you, then be a lamer and tell their ISP, and their ISP will scold them for being bad, maybe disconnect them.
But try to be a lamer only as a last resort.
[/quote]
I don't think anyone was saying hackers and spammers are synonymous. I'm definitely dealing with hackers, not spammers. I can't block their IPs because there's many of them and like others point out the ISP use dynamic IPs so they're always changing.
The fact that they're even trying to break in at all is malicious. We don't know why they're trying to get in; maybe they are trying to steal my identity, my files, or just f' up my computer. Either way it's wrong and illegal.
I don't think taking action makes me a lamer. No matter what age they are or their intents, they're trying to access my private information.
You'd call the cops on someone trying to break in your house, right?
Whatever, your choice, just thought I'd voice an opinion.
[quote]
A hacker is not necessarily what you're dealing with. A hacker is a computer programmer. Most hackers don't try to break into systems, and the vast majority of hackers are not teenagers (though many are). Back in the old days, people used to write their own programs to break into shit -- they were hackers. Now, people just tend to use existing tools. [I hayt when people misuse hacker; codito ergo sum]
[/quote]
ditto.
hacker = more or less friendly. wants to find security problems and report them. does not make use of it in a bad way. friend.
cracker = the one who breaks into systems and damages what he finds. makes bad use of it. enemy.
these are the two types. distinguish between them.
[ 09-06-2002: Message edited by: Defiant ]
If they find a hole and don't report it they're a cracker?
What if they don't find any holes and don't report it. They should tell me how great my OS is because they couldn't get in.
The people you're referring to that just use programs that have already been made, they're called "Script Kiddies" right?
Some hackers try to break into systems; most do not. A cracker is a person (independent of potentially being a hacker) who attempts to break into foreign systems.
[quote]
It is a computer program that searches a range of IP addresses owned by ISPs. My log is filled (15 pages) with this from various addresses.
quote:
------------------------------------------------------------------------
12.234.81.155 - - [04/JUL/2002:01:03:44 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:44 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:52 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
12.234.81.155 - - [04/JUL/2002:01:03:52 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 186
[/quote]
Just be glad that you are running OSX and apache.
[ 09-07-2002: Message edited by: ThinkingDifferent ]
[quote]
Just be glad that you are running OSX and apache.
[ 09-07-2002: Message edited by: ThinkingDifferent ]
[/quote]
[WHISPER]
*psst*
Actually, I am using OS 8.5 and Web Sharing. But I shouldn't say that around all these OS X users. (It's on a 6100/60 anyway)
[/WHISPER]