[Gllug] Have I been compromised??

Tom Gilbert tom at linuxbrit.co.uk
Tue Sep 3 11:26:01 UTC 2002


* omphe (omphe at keiko.demon.co.uk) wrote:
> Tom Gilbert wrote:
> 
> > Couple of things there, for one, why not show us the log entries you're
> > worried about? I'm sceptical myself, because for you to have people
> > connecting to your webserver on port 6667, you'd have to have
> > specifically configured it to listen on 6667 yourself.
> 
> I think I hit the panic button early.  I've been immersing myself in the
> security manuals, etc.  trying to just get my bearings. Nevertheless, this is
> proving very educational, so...

Note that there aren't any problems at all here.

> 62.95.52.25 - - [20/May/2002:00:06:21 +0100] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

This isn't going to trouble you, it's a scripted, automated attack
against windows machines running IIS, and is scanning your subnet.
Apache just ignores these.

> HTTP/1.0" 404 205
> 64.8.33.172 - - [06/Jun/2002:21:47:07 +0100] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

Same again.

> 66.140.25.157 - - [23/Jul/2002:23:25:54 +0100] "CONNECT 209.131.227.242:6667
> HTTP/1.0" 405 231
> 66.140.25.157 - - [23/Jul/2002:23:41:18 +0100] "CONNECT 209.131.227.242:6667
> HTTP/1.0" 405 231

This is you connecting to openprojects to IRC and their (annoying and
intrusive) proxy scanner making sure you're not connecting using some
dodgy irc proxy. They're making sure you aren't a script kiddie trying
to break their network.

Tom.
-- 
   .^.    .-------------------------------------------------------.
   /V\    | Tom Gilbert, London, England | http://linuxbrit.co.uk |
 /(   )\  | Open Source/UNIX consultant  | tom at linuxbrit.co.uk    |
  ^^-^^   `-------------------------------------------------------'
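As an added example, not code from the thread or from any project it mentions, here is a small Python triage of Apache access-log lines like the ones quoted above: it classifies the IIS worm scans and the IRC network's CONNECT proxy check, and flags an entry only if the server actually served it (2xx) rather than refusing it with 404/405 as in the log above. The sample log is constructed from the quoted entries and the category names are my own.

```python
import re

# Apache Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

# Request shapes discussed in the thread: automated scans aimed at IIS hosts
# (Apache answers 404) and a CONNECT to an IRC port, which is the IRC
# network's open-proxy check (Apache answers 405).
IIS_SCAN_PATTERNS = (
    re.compile(r'^/default\.ida\?', re.I),          # Code Red style request
    re.compile(r'/winnt/system32/cmd\.exe', re.I),  # Unicode traversal scan
)
IRC_PORTS = {6667}

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    target = entry["target"]
    if entry["method"] == "CONNECT":
        port = target.rpartition(":")[2]
        return "irc-proxy-check" if port.isdigit() and int(port) in IRC_PORTS else "proxy-connect"
    return "iis-worm-scan" if any(p.search(target) for p in IIS_SCAN_PATTERNS) else "other"

def needs_attention(entry, label):
    """True only if a scan or CONNECT got a 2xx, i.e. the server served it."""
    return label != "other" and 200 <= int(entry["status"]) < 300

def triage(text):
    """Return (host, label, status, needs_attention) for each parsable line."""
    out = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            label = classify(entry)
            out.append((entry["host"], label, int(entry["status"]), needs_attention(entry, label)))
    return out

# Constructed sample modelled on the entries quoted in the thread (the long
# run of N's in the Code Red request is shortened; the last line is benign).
SAMPLE_LOG = """\
62.95.52.25 - - [20/May/2002:00:06:21 +0100] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 205
64.8.33.172 - - [06/Jun/2002:21:47:07 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
66.140.25.157 - - [23/Jul/2002:23:25:54 +0100] "CONNECT 209.131.227.242:6667 HTTP/1.0" 405 231
192.0.2.10 - - [23/Jul/2002:23:30:00 +0100] "GET /index.html HTTP/1.1" 200 1043
"""
```

Running `triage(SAMPLE_LOG)` labels the first three quoted entries as scans and a proxy check with nothing flagged, which matches the thread's conclusion that these are refused probes rather than a compromise.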

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug