On Friday 21 June 2002 03:57, Phillip Morgan wrote:
> Hi,
>
> It looks like someone is trying to break into my system. This is out of my
> apache error log...
>
> >61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
> >61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
> Is there any way I can block this nasty person?

Depends on which kernel you use; with a 2.2.x kernel one can use:
/sbin/ipchains -A input -j REJECT -s 61.243.140.78

>
> Who should I report this to?

No idea, all the IP#'s shown with traceroute are unresolvable so who knows 
who he actually is, the last resolvable ip# with traceroute was 
linx01.hkt.net but that's 5 hops before 61.243.140.78.

>
> Regards,
>
> Phillip Morgan
> Chief Information Officer
> Quickpages Business Directories

-- 
Regards Richard
[EMAIL PROTECTED]
http://people.zeelandnet.nl/pa3gcu/
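
A triage sketch for requests like the ones quoted in this thread, as an added example that is not part of the original messages: it reads Apache common-log lines, percent-decodes each path repeatedly so that `%255c` resolves to a backslash, and reports per source IP how many requests asked for `cmd.exe` or `root.exe`, how many used `..` traversal, and whether any were answered with something other than 404. The sample lines are constructed (the 192.0.2.x addresses are documentation placeholders) and all function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache common log format, modelled on the post.
SAMPLE_LOG = """\
61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [21/Jun/2002:13:59:01 +1000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [21/Jun/2002:14:02:10 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Windows executables requested by the probes quoted in the thread.
TARGET_RE = re.compile(r'(?:cmd|root)\.exe', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so %255c -> %5c -> backslash becomes visible."""
    for _ in range(max_rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path

def summarize(log_text):
    """Return {ip: {"probes": n, "traversal": n, "non_404": [paths]}}."""
    report = defaultdict(lambda: {"probes": 0, "traversal": 0, "non_404": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a common-log-format line
        ip, _method, path, status = m.groups()
        decoded = fully_decode(path)
        if TARGET_RE.search(decoded):
            report[ip]["probes"] += 1
            report[ip]["traversal"] += bool(TRAVERSAL_RE.search(decoded))
            if status != "404":  # the server answered; look at this one first
                report[ip]["non_404"].append(path)
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        flag = "CHECK: non-404 response" if info["non_404"] else "all 404"
        print(f"{ip}: {info['probes']} probe(s), {info['traversal']} traversal, {flag}")
```

Sources whose probes all returned 404, as in the quoted log, found nothing to run; any entry listed under `non_404` is the one to investigate before deciding on a firewall rule.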
