Hacking attempts on server?


Darkelve

I know little about security, but when analyzing our visitor behaviour I found some strange lines under the section 'referral errors'. Output posted below.

 

What I think this is, is people trying to launch a DOS command shell by entering a malformed URL. Close, or no cigar? Also, how can I find out more about this or evaluate how serious these attempts are? The server is quite popular, last month we had 223 466 unique sessions. It's probably nothing, it is just that I am concerned over the fate of our webserver. Also, I am getting weird 'visited pages' like:

 

/inbox/username/read.php

 

We are running Lotus Notes at work. Could this be because they consulted the site from within the Notes 'browser'?

 

Darkelve


status:path                                                  hits  share
404:/winnt/system32/cmd.exe                                   162  26.34%
500:/msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe      19   3.09%
500:/scripts/..%5c../winnt/system32/cmd.exe                    16   2.60%
500:/PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe            16   2.60%
500:/_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 16 2.60%
500:/Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe                 16   2.60%
500:/msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe          15   2.44%
500:/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe          14   2.28%
500:/scripts/..%5c..%5cwinnt/system32/cmd.exe                   8   1.30%
500:/scripts/..%5c%5c../winnt/system32/cmd.exe                  5   0.81%


Hey Darkelve,

 

This is a standard attempt by script kiddies to access a Windows (IIS) web server. As you are running Apache (I presume), this is not an issue for you. The majority of these scripts are aimed at Windows. You are correct in your presumption that they are trying to access a DOS command shell.

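As an added example (not code from the thread or from any poster), a short Python script that picks the cmd.exe probes described above out of an access log: it decodes the `%5c` and double-encoded traversal, counts probes per source address, and separately counts any that the server answered with 200 rather than 404/500, which is the only case worth escalating. The log lines are constructed; addresses and timestamps are made up.

```python
"""Flag IIS cmd.exe probes (the scans shown in the thread) in a web access log."""
import re
from urllib.parse import unquote

# Constructed sample in Common Log Format, modelled on the thread's
# "referral errors" output; addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2004:10:01:00 +0100] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 500 0
10.0.0.5 - - [12/Mar/2004:10:01:01 +0100] "GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe HTTP/1.0" 500 0
10.0.0.9 - - [12/Mar/2004:10:02:00 +0100] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 0
10.0.0.7 - - [12/Mar/2004:10:03:00 +0100] "GET /index.asp HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2004:10:04:00 +0100] "GET /inbox/username/read.php HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(path: str) -> str:
    """Drop the query string, percent-decode twice (catches %255c double
    encoding), fold backslashes to slashes and lowercase (msaDC vs msadc)."""
    decoded = unquote(unquote(path.split("?", 1)[0]))
    return decoded.replace("\\", "/").lower()


def classify(path: str):
    """'traversal' for a ..%5c-style walk up to cmd.exe, 'direct' for a
    plain /winnt/system32/cmd.exe hit, None for anything else."""
    p = normalise(path)
    if "cmd.exe" not in p:
        return None
    return "traversal" if "../" in p else "direct"


def summarize(log_text: str) -> dict:
    """Per source address: how many cmd.exe probes, and how many got a 200.
    404/500 answers are the normal noise; a non-zero 'served' count means
    the server actually handed out the file and needs a closer look."""
    out = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or classify(m["path"]) is None:
            continue
        entry = out.setdefault(m["ip"], {"probes": 0, "served": 0})
        entry["probes"] += 1
        if m["status"] == "200":
            entry["served"] += 1
    return out


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {counts['probes']} probe(s), {counts['served']} answered 200")
```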

As you are running Apache (I presume), this is not an issue for you.  The majority of these scripts are aimed at Windows.  You are correct in your presumption that they are trying to access a DOS command shell.

Erm... no, we're using Windows 2000 Server... it's on a rented 'dedicated' server, so it's not really my task/responsibility to secure it, but when running through the analyzed log files for the server, I could not help but wonder...

 

I would have steered for an Apache server indeed, but before I arrived there was already a website (www.buzzy.be) being developed which used ASP as the server-side scripting language and evil M$ SQL for the database.

 

When considering our hosting options, this was a big bummer and of course weighed on the decision to use Apache or IIS. Ironically, the stuff we use internally is mostly developed in Java! So it would have made sense to choose JSP over ASP to allow for easy integration between internal and hosted applications... the IT guys just never thought of it (remember, this is from a company that did not even have a webmaster until August of 2003).

 

I think the guys at the hosting company are doing a good job though, as to my knowledge the total downtime over the last 6 months must be lower than 30 minutes. It hasn't been hacked either, but I guess you just cannot be too cautious/well informed.


My mistake in making a presumption :oops:

 

You state that it is on a rented/dedicated server and that someone else takes care of the server. I presume then, that these people stay as up-to-date as possible, as in their business, down-time = lost clients.

 

Once again, at this point I would not be worried about it. My Windows clients get scanned like this a couple of times a week. They have yet to have any issues.

 

If you don't mind me asking, who do you use for web hosting? I am currently using 1&1.


If you don't mind me asking, who do you use for web hosting?  I am currently using 1&1.

No I don't mind. If you really wanted to, you could find out for yourself anyway. We're hosted at Dedigate:

 

http://www.dedigate.com/index.html

 

(physically: Level3).

 

And yes, they do stay up to date with patches and always nicely contact us when there's a critical patch (meaning: downtime) to be deployed.

 

Also, it is not like it is Mission-critical (like e.g. hospitals or power plants) but of course we'll look real bad when down or hacked.


Do you remember "codered" from a couple of years ago?

 

It was a bot designed to infiltrate IIS servers, then replicate.

It's not dangerous, just a pain in the arse :angry:

 

That's what you're seeing in your logs... everybody who has a web server for longer than 6 months will start to see logs like that.

 

It doesn't affect Apache at all, and so long as you are up-to-date with Windows security patches, you should be fine on a Windows server also...

But as you mentioned, it's a rented server... so if you have downtime, sue the pants off them :devil:
