[svlug] Is this a hack attempt?

Daevid Vincent daevid at daevid.com
Fri Oct 25 15:59:13 PDT 2002


Okay thanks. Now I see another one from 12.228.183.212...

2-0 25066 0/525/525 _  6.93 373 0 0.0 182.48 182.48  12.228.183.212
daevid.com GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 
7-0 25071 0/535/535 _  6.99 387 0 0.0 139.38 139.38  12.228.183.212
daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0 
9-0 25774 0/281/281 _  4.88 393 0 0.0 120.08 120.08  12.228.183.212
daevid.com GET /scripts/root.exe?/c+dir HTTP/1.0 
14-0 26531 0/341/341 _  3.60 381 0 0.0 93.06 93.06  12.228.183.212
daevid.com GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0  

Is this just something that will happen all the time and I never knew
it?

I think I would still like to ban these IP addresses from contacting my
machine. Is there a way?

Also, I thought it would be a good idea to notify the ISP of those IP
addresses, but I can't figure out who it is?

-----------------------------------------------
[root at daevid root]# dig 12.228.183.212   

; <<>> DiG 9.2.1 <<>> 12.228.183.212
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19195
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;12.228.183.212.                        IN      A

;; AUTHORITY SECTION:
.                       86400   IN      SOA     A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2002102501 1800 900 604800 86400

;; Query time: 3961 msec
;; SERVER: 204.127.198.4#53(204.127.198.4)
;; WHEN: Fri Oct 25 15:56:23 2002
;; MSG SIZE  rcvd: 107
-----------------------------------------------

And "whois 12.228.183.212" doesn't work since it's not a domain name.

> -----Original Message-----
> From: Will Lowe [mailto:harpo at thebackrow.net] 
> Sent: Friday, October 25, 2002 3:48 PM
> To: Daevid Vincent
> Cc: SVLUG
> Subject: Re: [svlug] Is this a hack attempt?
> 
> 
> That's the Code Red Windows exploit.  12.237.249.145 has been 
> infected and is trying to infect you, but unless you're 
> running windows it's harmless.
> 
> On Fri, Oct 25, 2002 at 03:45:28PM -0700, Daevid Vincent wrote:
> > I run RH8.0 so this sure seems suspicious to me:
> > 
> > 1-0 25065 0/508/508 _  6.42 128 0 0.0 130.31 130.31  12.237.249.145 
> > daevid.com GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 
> > HTTP/1.0
> > 
> > 4-0 25068 0/519/519 _  5.86 139 0 0.0 143.76 143.76  12.237.249.145 
> > daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0 5-0 25069 
> 0/518/518 _  
> > 5.84 142 0 0.0 99.62 99.62  12.237.249.145 daevid.com GET 
> > /scripts/root.exe?/c+dir HTTP/1.0 6-0 25070 0/531/531 _  6.44 114 0 
> > 0.0 129.48 129.48  12.237.249.145 daevid.com GET
> > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../.. 
> > 7-0 25071 0/525/525 _  6.93 117 0 0.0 139.17 139.17  12.237.249.145
> > daevid.com GET
> > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd. 
> > 8-0 25214 0/503/503 _  5.83 136 0 0.0 118.91 118.91  12.237.249.145
> > daevid.com GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 
> > 9-0 25774 0/271/271 _  4.87 133 0 0.0 119.94 119.94  12.237.249.145
> > daevid.com GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 
> > 10-0 26526 0/457/457 _  5.36 335 0 0.0 100.78 100.78  12.229.31.145
> > daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0 
> > 14-0 26531 0/334/334 _  3.51 119 0 0.0 89.96 89.96  12.237.249.145
> > daevid.com GET
> > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd. 
> > 
> > And so now is there a way I can make a file of IP/domains that are 
> > banned from contacting my server (all ports)?
> > 
> > 
> > _______________________________________________
> > svlug mailing list
> > svlug at lists.svlug.org http://lists.svlug.org/lists/listinfo/svlug
> 
> -- 
> 					thanks,
> 		
> 					Will
> 
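One way to make the check in this thread repeatable, as an added example that is not from the list or its posters: parse lines in the Apache server-status layout quoted above, flag the Code Red / Nimda probe signatures (cmd.exe, root.exe, the encoded "..%255c.." traversal), and emit one iptables DROP rule per offending source. The sample lines are constructed from the thread's own entries plus one made-up benign request (10.0.0.7) for contrast.

```python
import re

# Constructed sample lines in the Apache server-status layout shown in the thread
# (the last line is a constructed benign request for contrast).
SAMPLE_LOG = """\
2-0 25066 0/525/525 _  6.93 373 0 0.0 182.48 182.48  12.228.183.212 daevid.com GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
7-0 25071 0/535/535 _  6.99 387 0 0.0 139.38 139.38  12.228.183.212 daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0
1-0 25065 0/508/508 _  6.42 128 0 0.0 130.31 130.31  12.237.249.145 daevid.com GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
3-0 25067 0/100/100 _  1.00 10 0 0.0 1.00 1.00  10.0.0.7 daevid.com GET /index.html HTTP/1.0
"""

# Request-path signatures of the Code Red / Nimda probes quoted in the thread.
PROBE_PATTERNS = [
    re.compile(r"/cmd\.exe\?", re.IGNORECASE),    # cmd.exe driven from the query string
    re.compile(r"/root\.exe\?", re.IGNORECASE),   # root.exe backdoor left by Code Red II
    re.compile(r"%255c|%c1%1c", re.IGNORECASE),   # double-encoded / overlong '\' traversal
]

# Client IP, vhost, method and path sit at the end of each status line.
LINE_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+([A-Z]+)\s+(\S+)(?:\s+HTTP/\d\.\d)?\s*$"
)


def parse_line(line):
    """Return (client_ip, method, path) or None if the line is not a request entry."""
    m = LINE_RE.search(line)
    return m.groups() if m else None


def find_probe_sources(log_text):
    """Map each client IP that sent a probe to the list of probe paths it requested."""
    sources = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and any(p.search(parsed[2]) for p in PROBE_PATTERNS):
            sources.setdefault(parsed[0], []).append(parsed[2])
    return sources


def iptables_rules(sources):
    """Render one iptables DROP rule per offending source, in sorted order."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(sources)]


if __name__ == "__main__":
    hits = find_probe_sources(SAMPLE_LOG)
    for ip, paths in sorted(hits.items()):
        print(f"{ip}: {len(paths)} probe(s), e.g. {paths[0]}")
    print("\n".join(iptables_rules(hits)))
```

The script only prints the rules; review them before applying, since worm-infected hosts change addresses and a stale DROP list grows without bound.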