Archive: June 2001 ml@sikurezza.org
Subject: small IIS log
From: MultiTaskinG
Date: 1 Jun 2001 15:50:38 -0000
Hi... I hope I'm not OT or anything, but I'm administering an NT server...
and before applying the May 14 patch to IIS5 I found some strange files
named default.htm (what a naughty hacker) on my server...

Now.. the files are owned by the user IUSR_guest... and since the intrusion
happened at night, I think I have very probably identified the IP of the
person responsible in the IIS log....
Also because after the file was created there is only one visit logged in
IIS, and the following ones are 3 hours or more apart....
Moreover, the intrusion happened twice... so by the same reasoning I should
have two IPs... (and I do) which, if they correspond to the same phone
number.... are real little problems for the owner of the number.... (as I
hope they are)

For the record, the defacement didn't succeed anyway..... ;-)

Now.. I came across a curious log.... (a bit old, but I found it)... (whose
IP is strangely similar (TIN again) to the IP that tried to carry out a
defacement)

The question is: what would you do to a guy like this?
(counting above all on the fact that on that same day... an hour earlier, a
"scripts" folder was created containing a nice root.exe, which is nothing
but a cmd.exe from an Italian Win2000 SP1)


Thanks for the moral support!

 MTG
 ... 2 black Monsters in my garage...
 www.quattrotempi.net


P.S.
I'd like to point out that the original log is over 250 KB.... all very
similar to what you see :-(
There's no way to press charges, is there? :-(
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-21 08:48:09
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-05-21 18:02:49 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /index.htm - 200 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /cgi-bin/build.cgi - 404 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /cgi-bin/aglimpse - 404 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /cgi-bin/AnyForm2 - 404 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /cgi-dos/args.bat - 404 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /cgi-bin/campas - 404 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /scripts/iisadmin/bdir.htr - 200 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /carbo.dll - 404 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /cfdocs/expeval/exprcalc.cfm - 404 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /cfdocs.map - 404 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /cfdocs/snippets/evaluate.cfm - 404 -
2001-05-21 18:02:56 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /cfdocs/snippets/fileexists.cfm - 404 -
2001-05-21 18:04:06 213.45.37.85 - xxx.xx.xxx.xxx 80 PUT /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.html - 403 -
2001-05-21 18:04:08 213.45.37.85 - xxx.xx.xxx.xxx 80 PUT /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.html - 403 -
2001-05-21 18:18:52 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2001-05-21 18:18:55 213.45.37.85 - xxx.xx.xxx.xxx 80 GET /images/index.1.jpg - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)


________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
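The log above shows the pattern a defender wants to pull out of a much larger IIS log (the poster mentions 250 KB of similar lines): a burst of 404s from one client IP inside a few seconds (a script probing for well-known CGI and ColdFusion sample paths), a PUT against the web root, and a 200 on a sample admin script under /scripts/. The following Python script is an added example, not code from the original post or from the list; it parses the W3C extended format by its #Fields header and applies those three heuristics. The sample log embedded in it is constructed to mirror the format of the posted log, with documentation addresses in place of the real client and server IPs; the thresholds (60-second window, 5 errors) are assumptions to tune per site.

```python
"""Parse IIS 5.0 W3C extended log lines and flag scanner-style activity.

Added example, not code from the original post. It maps columns by the
#Fields header line and applies three defender-side heuristics drawn from
the posted log: a burst of 404s from one client IP in a short window (a
vulnerability scanner probing for known scripts), any write-type HTTP
method such as PUT (an attempt to drop a file into the web root), and
successful hits under /scripts/ or on an iisadmin path (sample scripts
that should not be reachable on a production server).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the log in the post; client and
# server addresses are documentation ranges, not the IPs from the post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-21 08:48:09
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-05-21 18:02:49 203.0.113.7 - 192.0.2.10 80 GET /index.htm - 200 -
2001-05-21 18:02:56 203.0.113.7 - 192.0.2.10 80 GET /cgi-bin/build.cgi - 404 -
2001-05-21 18:02:56 203.0.113.7 - 192.0.2.10 80 GET /cgi-bin/aglimpse - 404 -
2001-05-21 18:02:56 203.0.113.7 - 192.0.2.10 80 GET /cgi-bin/AnyForm2 - 404 -
2001-05-21 18:02:56 203.0.113.7 - 192.0.2.10 80 GET /scripts/iisadmin/bdir.htr - 200 -
2001-05-21 18:02:56 203.0.113.7 - 192.0.2.10 80 GET /carbo.dll - 404 -
2001-05-21 18:02:56 203.0.113.7 - 192.0.2.10 80 GET /cfdocs/expeval/exprcalc.cfm - 404 -
2001-05-21 18:04:06 203.0.113.7 - 192.0.2.10 80 PUT /AAAAAAAA.html - 403 -
2001-05-21 18:18:52 203.0.113.7 - 192.0.2.10 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2001-05-21 19:30:00 198.51.100.4 - 192.0.2.10 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
2001-05-21 19:30:01 198.51.100.4 - 192.0.2.10 80 GET /missing.gif - 404 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+NT+5.0)
"""

# HTTP methods that write to or reorganise the content tree; a static
# site never needs them from anonymous clients, so every one is worth a look.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY"}


def parse_iis_log(text):
    """Return a list of dict records keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue  # other directives (#Software, #Date) carry no records
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()  # W3C extended: space-separated, spaces in values encoded as '+'
        if len(parts) != len(fields):
            continue  # malformed or wrapped line: skip rather than misalign columns
        rec = dict(zip(fields, parts))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def find_scan_bursts(records, window_seconds=60, min_errors=5):
    """Map client IP -> largest number of 404s it produced inside any window.

    Only IPs reaching min_errors are reported; a browser hitting one dead
    image link (as the second client does) stays below the threshold.
    """
    per_ip = defaultdict(list)
    for rec in records:
        if rec["sc-status"] == 404:
            per_ip[rec["c-ip"]].append(rec["timestamp"])
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_errors:
            bursts[ip] = best
    return bursts


def find_write_attempts(records):
    """List (ip, method, uri, status) for write-type methods, whatever the status."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
            for r in records if r["cs-method"].upper() in WRITE_METHODS]


def find_successful_script_hits(records):
    """List (ip, uri, status) for 2xx responses under /scripts/ or any iisadmin path."""
    hits = []
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if 200 <= r["sc-status"] < 300 and (uri.startswith("/scripts/") or "/iisadmin/" in uri):
            hits.append((r["c-ip"], r["cs-uri-stem"], r["sc-status"]))
    return hits


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("404 bursts:", find_scan_bursts(recs))
    print("write attempts:", find_write_attempts(recs))
    print("script hits:", find_successful_script_hits(recs))
```

Run it as-is to see the three findings on the constructed sample, or replace SAMPLE_LOG with the contents of a real ex*.log file. The burst detector deliberately counts 404s rather than all requests, so a legitimately busy client is not flagged, and the script-hit rule reports successful responses only, because a 404 on /scripts/ means the sample script was already removed.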
www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005