RE: Cracked cracker?
Thanks everyone. I did know it was the code red virus or worm or whatever
(you can see the depth of my knowledge...haha)...I have seen the logs from
my hosted website before. This was on my own server, and what was
interesting this time was that this same IP kept showing up. Usually you get
a string of hits then the same or similar string with another IP. This (ok
not person, box) was going at it every ten minutes most of the afternoon
yesterday and again today (I shut down during the night). I am new enough
with my own setup to not have seen this aspect of the code red attack...web
server up and running for only about a month.
I emailed the ISP to tell them about it, they may have shut them (it) down.
Best Wishes!
Mike Olds www.buddhadust.org
-----Original Message-----
From: Craig Dickson [mailto:crdic@pacbell.net]
Sent: Thursday, December 12, 2002 9:12 AM
To: Debian-User
Subject: Re: Cracked cracker?
Michael Olds wrote:
> This is a small sample from my access log. Can someone explain to me why
> this person
It's not a person.
> would repeatedly attempt access to my computer using the same IP
> and the same requests over and over? This isn't to the point of being a DOS
> attack; can't they see I don't have any of these things that they think will
> enable them to crack my machine? Or is there something else going on here?
>
>
> 63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
> 63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"
> 63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
[etc.]
I have to admit I'm amazed that anyone running a mailserver wouldn't know
what that was. Have you just set up one for the first time?
Anyway, this is the Windows Nimda virus trying to break into a
vulnerable installation of the Microsoft IIS server, not realizing that
you're not what it's looking for. Nimda has been doing this for at least
a year now, I think, and it got quite a lot of press when it first came
out.
Unsurprisingly, 63.205.213.16 appears to belong to a local cable company
that offers digital TV and cable modem services. So the machine in
question is probably just a Windows 2000 machine belonging to one of
their customers, who, typical of the average Windows user, has no idea
that he is running a web server on his computer, no idea that his
computer is infected with a virus, and no idea what the phrase "security
update" means.
Although, interestingly, telnetting to 63.205.213.16 on the www and smtp
ports gets "connection refused". So either the user has belatedly got a
clue, or they've simply gone offline and someone else now has their DHCP
address.
Craig
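The pattern Craig describes (one infected IIS host hitting the same handful of `root.exe` / `cmd.exe` URLs every few minutes, always getting 404s) is easy to pick out of an Apache access log automatically. The script below is an added example, not code from the thread or from Debian: it parses NCSA common-format lines, flags requests whose path matches the well-known Code Red / Nimda probe URLs, and tallies them per source IP so a repeat offender like the one in the thread stands out. The sample log is constructed from the lines quoted above plus a made-up second round ten minutes later and one benign request from a made-up address; the threshold in `repeat_offenders` is an arbitrary choice.

```python
import re
from datetime import datetime

# NCSA common log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths characteristic of the Code Red II / Nimda IIS probes.
WORM_PATTERNS = [
    re.compile(r'/root\.exe\?', re.I),          # Code Red II's dropped copy of cmd.exe
    re.compile(r'/system32/cmd\.exe\?', re.I),  # directory-traversal reach for cmd.exe (Nimda)
    re.compile(r'/default\.ida\?', re.I),       # original Code Red .ida overflow probe
]

# Constructed sample: the three probes quoted in the thread, a made-up repeat
# ten minutes later, and one ordinary request from a made-up client address.
SAMPLE_LOG = [
    '63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"',
    '63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"',
    '63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"',
    '192.0.2.10 - - [11/Dec/2002:13:17:30 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '63.205.213.16 - - [11/Dec/2002:13:26:07 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"',
    '63.205.213.16 - - [11/Dec/2002:13:26:07 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"',
    '63.205.213.16 - - [11/Dec/2002:13:26:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"',
]


def parse_line(line):
    """Split one access-log line into fields; return None for lines that don't parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_worm_probe(path):
    """True if the request path matches one of the known IIS worm probe URLs."""
    return any(p.search(path) for p in WORM_PATTERNS)


def summarize(lines):
    """Per-IP tally of worm-like requests: count, first/last timestamp, distinct paths."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_worm_probe(rec["path"]):
            continue
        s = per_ip.setdefault(
            rec["ip"], {"probes": 0, "first": rec["ts"], "last": rec["ts"], "paths": set()}
        )
        s["probes"] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        s["paths"].add(rec["path"])
    return per_ip


def repeat_offenders(summary, min_probes=3):
    """IPs that sent at least min_probes worm-style requests (threshold is arbitrary)."""
    return sorted(ip for ip, s in summary.items() if s["probes"] >= min_probes)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in repeat_offenders(summary):
        s = summary[ip]
        span = (s["last"] - s["first"]).total_seconds() / 60
        print(f"{ip}: {s['probes']} worm probes, {len(s['paths'])} distinct URLs over {span:.0f} min")
```

On a real server you would feed it `/var/log/apache2/access.log` (or whatever your distribution uses) instead of `SAMPLE_LOG`; the 404s themselves are harmless to a non-IIS host, so the useful outcome is exactly what Mike did: identify the persistent source and notify its ISP's abuse contact, or drop the address at the firewall if the traffic is a nuisance.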