[Gllug] Have I been compromised??

omphe omphe at keiko.demon.co.uk
Mon Sep 2 19:41:26 UTC 2002


Tom Gilbert wrote:

> Couple of things there, for one, why not show us the log entries you're
> worried about? I'm sceptical myself, because for you to have people
> connecting to your webserver on port 6667, you'd have to have
> specifically configured it to listen on 6667 yourself.

I think I hit the panic button early. I've been immersing myself in the
security manuals, etc., trying to just get my bearings. Nevertheless, this is
proving very educational, so...

Here's an excerpt from my Apache access.log. There are about five instances of
this. The 404/405s mean these were denied, no?

62.95.52.25 - - [20/May/2002:00:06:21 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
64.8.33.172 - - [06/Jun/2002:21:47:07 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
66.140.25.157 - - [23/Jul/2002:23:25:54 +0100] "CONNECT 209.131.227.242:6667 HTTP/1.0" 405 231
66.140.25.157 - - [23/Jul/2002:23:41:18 +0100] "CONNECT 209.131.227.242:6667 HTTP/1.0" 405 231

So, now I'll harden, remove services, and read, read, read, read, .....
Aaaaaaaarrgh!!! I can't learn fast enough!!

Branden Faulls


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
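An added example (not from the poster or the list) that does what Branden was doing by eye: it parses Common Log Format lines, tags the three probe shapes quoted above (the IIS .ida request with the %u-encoded payload is the well-known Code Red worm signature, the %255c traversal to cmd.exe is Nimda-style, and CONNECT to an IRC port is an open-proxy check) and reports whether Apache refused each one. The sample lines are the post's own entries re-joined onto single lines with the run of N shortened; the signature names, the `Hit` class and the regexes are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four entries quoted in the post, re-joined onto single
# lines (the mail client wrapped them) and with the long run of 'N' shortened.
SAMPLE_LOG = """\
62.95.52.25 - - [20/May/2002:00:06:21 +0100] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 205
64.8.33.172 - - [06/Jun/2002:21:47:07 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
66.140.25.157 - - [23/Jul/2002:23:25:54 +0100] "CONNECT 209.131.227.242:6667 HTTP/1.0" 405 231
66.140.25.157 - - [23/Jul/2002:23:41:18 +0100] "CONNECT 209.131.227.242:6667 HTTP/1.0" 405 231
"""

# Common Log Format: host ident user [time] "method target [protocol]" status bytes
# The protocol is optional because the cmd.exe probe above omits it.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: (\S+))?" (\d{3}) (\S+)$')

# Path patterns for the two IIS worm probes in the post (labels are this example's).
PATH_SIGNATURES = [
    ("IIS .ida overflow probe (Code Red signature)", re.compile(r"/default\.ida\?", re.I)),
    ("IIS traversal probe for cmd.exe (Nimda-style)", re.compile(r"cmd\.exe", re.I)),
]
PROXY_LABEL = "open-proxy CONNECT attempt"

@dataclass
class Hit:
    host: str
    when: str
    method: str
    target: str
    status: int
    label: str
    refused: bool  # True when Apache answered 4xx/5xx, i.e. it did not serve the request

def classify(line):
    """Return a Hit for a recognised probe, or None for ordinary traffic / unparsable lines."""
    m = CLF.match(line)
    if not m:
        return None
    host, when, method, target, _proto, status, _size = m.groups()
    if method.upper() == "CONNECT":  # a proxy tunnel request, not a page fetch
        label = PROXY_LABEL
    else:
        label = next((name for name, rx in PATH_SIGNATURES if rx.search(target)), None)
    if label is None:
        return None
    code = int(status)
    return Hit(host, when, method, target, code, label, code >= 400)

def scan(text):
    return [h for h in map(classify, text.splitlines()) if h]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h.when, h.host, h.label, h.status, "refused" if h.refused else "SERVED - investigate")
```

A 404 or 405 on these means Apache never served anything; the entry worth chasing is a 2xx on a CONNECT (the server acted as a proxy) or on a request for a file that should not exist.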



