[CLUE-Tech] Is someone trying to hack me?

Michael J. Miller michael at millerville.cc
Thu Nov 14 09:55:16 MST 2002


Any recommendations on hardening a Linux box that's _slightly_ exposed
to the outside world?

I've got a Red Hat 8 server that's got a default Apache install, behind a
Linksys firewall...ports for HTTP and SSH are the only available ports.

On Thu, 2002-11-14 at 09:07, Adam Bultman wrote:
> 
> 
> I have an acquaintance at LANL who had a web server hit by the Apache
> worm...  They forgot to secure a naught-used web server, and it was loaded
> with zombie processes from DoSing someone.  The person being DoSed
> complained to them.  I thought it was funny. Not the DoSing, but the fact
> that LANL had a machine that wasn't secured.
> 
> 
> Adam
> 
> 
> 
> On Thu, 14 Nov 2002, David Anselmi wrote:
> 
> > Jason S. Friedman wrote:
> > > What are these in my Apache server logs?
> >
> > Google would be happy to tell you much, much more.
> >
> > >
> > > 63.231.245.155 - - [13/Nov/2002:22:10:21 +0000] "GET
> > > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> >
> > You can see that this is a request to run the Windows shell.  The winnt
> > directory is outside the web server's root so this attack uses .. to
> > traverse up the tree.  Normally the request would be refused because the
> > web server can't cd above its root, but this attack uses Unicode
> > characters in the path (which are URL encoded to the %25%35%63 you see)
> > and IIS doesn't do the right thing with Unicode paths.
> >
> > The other hits you see are variations on the theme.
> >
> > The real question is what will you see when someone uses a successful
> > Apache exploit on you.
> >
> > Dave
> >
> > _______________________________________________
> > CLUE-Tech mailing list
> > CLUE-Tech at clue.denver.co.us
> > http://clue.denver.co.us/mailman/listinfo/clue-tech
> >
> 
> -- 
> Adam Bultman
> adam at glaven.org
> [ http://www.glaven.org ]
> 
> 
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
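
The log entry quoted in this thread, run through a small detector: an added example that is not part of the original messages. It assumes Apache Common Log Format; the function names are hypothetical, and only the first sample line comes from the thread (the other two are constructed).

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)$')
MAX_ROUNDS = 5  # upper bound on repeated percent-decoding

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    '63.231.245.155 - - [13/Nov/2002:22:10:21 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309',
    '192.0.2.10 - - [13/Nov/2002:22:11:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [13/Nov/2002:22:12:40 +0000] "GET /docs/my%20file.html HTTP/1.0" 200 512',
]

def fully_decode(target):
    """Percent-decode until the text stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(target)  # %25%35%63 -> %5c on round 1, -> "\" on round 2
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, _when, _method, target, status, _size = m.groups()
    path = target.split("?", 1)[0]
    decoded, rounds = fully_decode(path)
    segments = decoded.replace("\\", "/").split("/")  # treat "\" as a separator
    reasons = []
    if ".." in segments:
        reasons.append("traversal")
    if rounds > 1:  # a legitimate client encodes a path once, not twice
        reasons.append("multi-encoded")
    if segments[-1].lower() == "cmd.exe":
        reasons.append("windows-shell")
    if not reasons:
        return None
    return {"host": host, "decoded": decoded, "status": int(status), "reasons": reasons}

def scan(lines):  # findings for every suspicious line, in input order
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status code is kept in each finding so that a 404 probe like this one can be told apart from a request the server actually answered with a 200.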




