Looks like Back Orifice... Of course BeOS isn't vulnerable to that kind of cow poo!

> I run a personal web-server using RobinHood (Road-Runner Cable Modem), I get
> this all the time!!!
>
> They are very standard methods of hacking IIS.
>
> Gary Thom
>
> -----Original Message-----
> From: Daniel Reinhold [mailto:danielr@xxxxxxxxxxxxx]
> Sent: 19 March, 2002 2:49 AM
> To: Public OBOS mailing list
> Subject: [openbeos] I think someone tried to hack into my machine
>
> Ok, this was rather interesting. It happened just about fifteen minutes
> ago (as I'm writing this).
>
> I'm online (PPP dialup) and am also running a local webserver (i.e.
> sending requests to loopback address 127.0.0.1). Yeah, that's asking
> for trouble, at least theoretically. That is, someone on the internet,
> if they happened to get a hold of my (temporary, dynamically assigned)
> IP, could send requests for local files and have them sent back out
> across the network. I've never had anything weird happen before, so
> I've always been pretty blase about the security risk.
>
> Anyway, I'm just testing some news items locally before copying them
> over to the OpenBeOS website (which is my usual MO). Suddenly, I notice
> the Terminal window (largely covered by another window, but partially
> showing) has a flurry of text flying by and the DUN replicant in the
> Deskbar shows lots of bytes transmitting back and forth. Wtf? So I
> uncover the Terminal window (which is running the webserver) and see
> that a number of unusual requests have just been attended to. Here's
> the first one:
>
> GET /scripts/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
>
> The remaining requests all look like that but with different URLs. Here
> are the other URLs that were requested:
>
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>
> To me, that looks all the world like some hacker trying to grab files
> from my local machine. Could there be another explanation?
>
> Of course, I'm running BeOS (and don't have NT) so my local webserver
> just returned a bunch of 404 (Not found) responses. Still, makes you
> wonder.
>
> Has anyone else on this list had any similar experiences? What do you
> make of this?
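
Added example, not part of the original thread: a small Python classifier for request lines like the ones quoted above, as a server operator might run over an access log. It flags double percent-encoding (`%255c`), the bytes 0xC0/0xC1 that never occur in valid UTF-8 (`%c0%2f`, `%c1%1c`), dot-dot sequences, and requests for `cmd.exe`/`root.exe`. The function names, reason labels and the benign sample line are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# File names requested in the quoted log.
SHELL_NAMES = {b"cmd.exe", b"root.exe"}


def classify(request_line):
    """Return sorted reasons why a request line looks like a probe ([] if none)."""
    parts = request_line.split()
    if len(parts) != 3:
        return ["malformed-request-line"]
    path = parts[1].partition("?")[0]
    once = unquote_to_bytes(path)    # path after one round of percent-decoding
    twice = unquote_to_bytes(once)   # path as a double-decoding server would see it
    reasons = set()
    if twice != once:
        # An escape sequence survived the first decode, e.g. %255c -> %5c -> "\".
        reasons.add("double-encoded")
    if b"\xc0" in once or b"\xc1" in once:
        # 0xC0 and 0xC1 are never valid bytes in UTF-8.
        reasons.add("invalid-utf8-lead-byte")
    if b".." in twice:
        reasons.add("dot-dot")
    # Treat both "/" and "\" as separators when taking the last path segment.
    if re.split(rb"[/\\]", twice.lower())[-1] in SHELL_NAMES:
        reasons.add("shell-binary")
    return sorted(reasons)


def scan(lines):
    """Map each flagged request line to its reasons; clean lines are omitted."""
    return {line: reasons for line in lines if (reasons := classify(line))}


# Request lines taken from the quoted message, plus one constructed benign line.
SAMPLE = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /news/item1.html HTTP/1.0",  # constructed
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE).items():
        print(", ".join(reasons), "<-", line)
```
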