Computer Hack Question
While perusing some logs on my home server, I noticed several attempts to hack in. From the looks of it, it was unsuccessful; however, I'd appreciate it if someone could look at the following and let me know.
Thanks a lot for the help!
20:51:27 213.175.32.246 GET /scripts/../../winnt/system32/cmd.exe 404
20:51:30 213.175.32.246 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
20:51:31 213.175.32.246 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
20:51:32 213.175.32.246 GET /msadc/../../../../../../winnt/system32/cmd.exe 502
20:51:33 213.175.32.246 GET /msadc/../../../../../../winnt/system32/cmd.exe 502
20:51:34 213.175.32.246 GET /msadc/../../../../../../winnt/system32/cmd.exe 502
20:51:34 213.175.32.246 GET /msadc/../../../../../../winnt/system32/cmd.exe 502
04:24:28 204.0.69.15 GET /scripts/../../winnt/system32/cmd.exe 404
21:34:58 211.152.241.1 GET /scripts/../../winnt/system32/cmd.exe 404
21:34:58 211.152.241.1 GET /scripts/..../winnt/system32/cmd.exe 404
21:35:02 211.152.241.1 GET /scripts/..../winnt/system32/cmd.exe 404
21:35:02 211.152.241.1 GET /scripts/../../winnt/system32/cmd.exe 404
21:35:06 211.152.241.1 GET /scripts/../../winnt/system32/cmd.exe 404
21:35:09 211.152.241.1 GET /scripts/..../winnt/system32/cmd.exe 404
21:35:09 211.152.241.1 GET /scripts/..
Yeah, sorry, I didn't mean to give the impression that you had been hacked - I should have made it more clear that from what I saw, this was merely the type of attack attempted. I can't tell from the log files for sure, but it just looks like a file traversal probe - checking to see what's available. I believe the sadmind worm changes some web pages to read "Hacked by Chinese".
I'm not a security professional, just a former IIS webmaster, so someone else might have better info.
I head up KPMG's IRM dept in Montreal (Information Risk Management). I specialize in this type of stuff. PM me if you have any questions and I would be glad to help a fellow S2K'er.
I specialize in 'ethical hacking' so yes, from what I can see they were definitely trying to hack you.
No, I do not think they were successful because if they were, you would have seen more commands.
I.e., they are trying the same thing over again.
If it was successful, you would see them using FTP/TFTP to try and upload trojans or use NETCAT to get a command prompt on your box.
Robert
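One way to check a log like this for the signs discussed in the replies (the same probe repeated, versus status codes or follow-up tool names that need a closer look), as an added example that is not part of the original thread. It assumes the five-field line format shown in the post; the function name `triage` and the keyword list are choices made for this example.

```python
import re
from collections import defaultdict

# Log lines copied from the original post (time, client IP, method, URL, status).
SAMPLE_LOG = """\
20:51:27 213.175.32.246 GET /scripts/../../winnt/system32/cmd.exe 404
20:51:30 213.175.32.246 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
20:51:32 213.175.32.246 GET /msadc/../../../../../../winnt/system32/cmd.exe 502
04:24:28 204.0.69.15 GET /scripts/../../winnt/system32/cmd.exe 404
21:34:58 211.152.241.1 GET /scripts/../../winnt/system32/cmd.exe 404
21:34:58 211.152.241.1 GET /scripts/..../winnt/system32/cmd.exe 404
21:35:09 211.152.241.1 GET /scripts/..
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (\S+) (\d{3})$")
PROBE_RE = re.compile(r"\.\..*cmd\.exe", re.IGNORECASE)  # traversal aimed at cmd.exe
# Tools named in the reply above; their presence in a URL would mean follow-up activity.
FOLLOWUP_RE = re.compile(r"\b(tftp|ftp|nc|netcat)\b", re.IGNORECASE)

def triage(log_text):
    """Summarise cmd.exe traversal probes per client IP."""
    report = defaultdict(lambda: {"requests": 0, "urls": set(),
                                  "statuses": set(), "followup": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # truncated or malformed line (such as the last sample line): skip
            continue
        _time, ip, _method, url, status = m.groups()
        if not PROBE_RE.search(url):
            continue
        entry = report[ip]
        entry["requests"] += 1
        entry["urls"].add(url)
        entry["statuses"].add(int(status))
        entry["followup"] |= bool(FOLLOWUP_RE.search(url))
    for entry in report.values():
        # Anything other than 404 was not a plain "not found" and deserves a closer look.
        entry["review"] = entry["followup"] or entry["statuses"] != {404}
    return dict(report)

if __name__ == "__main__":
    for ip, e in sorted(triage(SAMPLE_LOG).items()):
        print(ip, e["requests"], "probes,", len(e["urls"]), "distinct URLs,",
              "statuses", sorted(e["statuses"]),
              "REVIEW" if e["review"] else "rejected")
```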




