[openbeos] Re: I think someone tried to hack into my machine

  • From: "Jonathan Tarbox" <jtarbox@xxxxxxxxxxxxx>
  • To: <openbeos@xxxxxxxxxxxxx>
  • Date: Tue, 19 Mar 2002 02:10:31 -0600

All those commands the hacker sent are scans to see if there is a common
(unpatched) NT server at that IP. An NT/2000 server that is unpatched
would give the directory of c:\ as a result of any one of those commands.

jtarbox
----- Original Message -----
From: "Daniel Reinhold" <danielr@xxxxxxxxxxxxx>
To: "Public OBOS mailing list" <openbeos@xxxxxxxxxxxxx>
Sent: Tuesday, March 19, 2002 1:48 AM
Subject: [openbeos] I think someone tried to hack into my machine


> Ok, this was rather interesting. It happened just about fifteen minutes
> ago (as I'm writing this).
>
> I'm online (PPP dialup) and am also running a local webserver (i.e.
> sending requests to loopback address 127.0.0.1). Yeah, that's asking
> for trouble, at least theoretically. That is, someone on the internet,
> if they happened to get a hold of my (temporary, dynamically assigned)
> IP, could send requests for local files and have them sent back out
> across the network. I've never had anything weird happen before, so
> I've always been pretty blase about the security risk.
>
> Anyway, I'm just testing some news items locally before copying them
> over to the OpenBeOS website (which is my usual MO). Suddenly, I notice
> the Terminal window (largely covered by another window, but partially
> showing) has a flurry of text flying by and the DUN replicant in the
> Deskbar shows lots of bytes transmitting back and forth. Wtf? So I
> uncover the Terminal window (which is running the webserver) and see
> that a number of unusual requests have just been attended to. Here's
> the first one:
>
> GET /scripts/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
>
> The remaining requests all look like that but with different URLs. Here
> are the other URLs that were requested:
>
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>
> To me, that looks all the world like some hacker trying to grab files
> from my local machine. Could there be another explanation?
>
> Of course, I'm running BeOS (and don't have NT) so my local webserver
> just returned a bunch of 404 (Not found) responses. Still, makes you
> wonder.
>
> Has anyone else on this list had any similar experiences? What do you
> make of this?
>


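For anyone who wants to check their own webserver output for this kind of traffic, here is a small triage script written for this thread (it is an added example, not code from either poster). It decodes the nested percent-encoding seen in the quoted requests (%255c becomes %5c becomes a backslash) and flags request lines that aim at cmd.exe or root.exe, carry a command argument, or traverse directories once decoded. The sample request lines are constructed copies of the ones Daniel quoted, plus one ordinary request for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample: the probe lines quoted in the original post plus one benign request.
SAMPLE_REQUESTS = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /MSADC/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /news/index.html HTTP/1.0",
]

SHELL_BINARY = re.compile(r"(cmd|root)\.exe", re.IGNORECASE)
# Raw encodings of '\' and '/' that appear in the quoted probes: double-encoded and overlong UTF-8.
ODD_ENCODINGS = ("%255c", "%c1%1c", "%c0%2f")


def canonicalize(path, rounds=3):
    """Undo nested percent-encoding until the string stops changing (bounded by rounds)."""
    for _ in range(rounds):
        decoded = unquote(path)  # invalid UTF-8 bytes become U+FFFD, which is fine for matching
        if decoded == path:
            break
        path = decoded
    return path


def classify(request_line):
    """Return the reasons a request line looks like an IIS cmd.exe probe; empty list if clean."""
    parts = request_line.split()
    if len(parts) < 2:
        return ["malformed request line"]
    raw = parts[1].lower()
    decoded = canonicalize(parts[1]).lower()
    reasons = []
    if SHELL_BINARY.search(decoded):
        reasons.append("requests a Windows shell binary (cmd.exe/root.exe)")
    if "/c+dir" in raw or "/c dir" in decoded:
        reasons.append("passes a command line to the shell (dir)")
    if any(enc in raw for enc in ODD_ENCODINGS):
        reasons.append("double-encoded or overlong path separator")
    if "../" in decoded or "..\\" in decoded:
        reasons.append("directory traversal after decoding")
    return reasons


def scan(lines):
    """Map each suspicious request line to its reasons; clean lines are left out."""
    return {line: reasons for line in lines if (reasons := classify(line))}
```

Feed it the request lines your server printed; any line that comes back with a reason is a probe for an unpatched IIS box, which a BeOS server answers with 404 as Daniel saw.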