
Did someone attempt to hack my machine?
Cadaver
Addicted to MacNN
Join Date: Jan 2003
Location: ~/
Mar 23, 2004, 04:34 PM
 
I have a MacOS X 10.3.3 (client) machine at work acting as a webserver.
Today, I found a 32,760 character request string in my httpd access logs. The access attempt was made at 11:16pm on 3/22. It was the only request of its kind.
The request consisted of repeating strings of "\x90\x02\xb1\x02\xb1\x02\xb1\x02\" and "\x90\x90\x90\x90\x90\x90".
Is this someone's attempt at creating a buffer overflow error?
Fortunately, OS X simply recorded a "request failed: URI too long" error and continued about its business.

BTW,
I get requests like this as well periodically: "GET / HTTP/1.1" 200 397
but I understand these are blind attempts at access by virus-infected "zombie" PCs and that these requests are a widespread phenomenon.

I also enjoy seeing requests for this periodically as well: "/Library/WebServer/Documents/scripts/..%5c%5c../winnt/system32/cmd.exe"
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Mar 23, 2004, 04:41 PM
 
yep, welcome to the wonderful world of hack attempts...

The scary thing is when they do figure ways in... look at this error log...!!!

I've had them looking at .DS_Store files, so they knew it was an OS X system.

Code:
[Sat Mar 20 04:35:15 2004] [notice] Apache/1.3.29 (Darwin) PHP/4.3.4 configured -- resuming normal operations
[Sat Mar 20 04:35:15 2004] [notice] Accept mutex: flock (Default: flock)
[Sat Mar 20 09:38:10 2004] [error] [client 218.38.242.212] File does not exist: /Library/WebServer/Documents/msadc/msadcs.dll
[Sat Mar 20 15:11:59 2004] [error] [client 24.88.28.29] File does not exist: /Library/WebServer/Documents/NULL.printer
[Sun Mar 21 07:48:48 2004] [error] [client 146.87.180.118] File does not exist: /Library/WebServer/Documents/M83A
[Sun Mar 21 11:27:27 2004] [error] [client 137.205.192.155] File does not exist: /Library/WebServer/Documents/M83A
[Mon Mar 22 04:00:54 2004] [error] [client 211.139.7.173] File does not exist: /Library/WebServer/Documents/scripts/nsiislog.dll
[Tue Mar 23 02:57:55 2004] [error] [client 81.248.246.125] File does not exist: /Library/WebServer/Documents/_vti_inf.html
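The two posts above together show the usual pattern: IIS-worm probes (msadcs.dll, NULL.printer, nsiislog.dll, _vti_inf.html, default.ida, the cmd.exe traversal) landing on an Apache box as 404s, plus the oversized request full of \x90 bytes that Apache rejected as "URI too long". The following script is an added example, not code from any poster in this thread: it triages Apache 1.3-style access and error log lines, tags the probe families quoted here, and flags only the one case that deserves follow-up, a probed path the server actually served with a 2xx (for example a .DS_Store file, which is how a scanner learns the host runs OS X). Every log line and IP address in it is constructed; Apache writes non-printable request bytes as \xHH escapes, which is why the overflow filler appears as literal text.

```python
"""Triage Apache access/error log lines for worm and overflow probes.
Added example for this thread; all sample lines are constructed."""
import re
from collections import Counter

# Constructed stand-in for the 32,760-byte request from the first post:
# Apache logs non-printable bytes as \xHH text, so "\x90" is literal here.
NOP_FILLER = "\\x90\\x02\\xb1\\x02\\xb1\\x02\\xb1\\x02\\" * 100 + "\\x90" * 6

SAMPLE_ACCESS_LOG = [  # constructed; 10.0.0.0/8 clients are placeholders
    f'10.0.0.5 - - [22/Mar/2004:23:16:02 -0500] "GET /{NOP_FILLER} HTTP/1.0" 414 330',
    '10.0.0.6 - - [23/Mar/2004:01:02:03 -0500] "GET /scripts/..%5c%5c../winnt/system32/cmd.exe HTTP/1.0" 404 272',
    '10.0.0.7 - - [23/Mar/2004:02:00:00 -0500] "GET /default.ida HTTP/1.0" 404 275',
    '10.0.0.8 - - [23/Mar/2004:03:00:00 -0500] "GET / HTTP/1.1" 200 397',
    '10.0.0.9 - - [23/Mar/2004:04:00:00 -0500] "GET /.DS_Store HTTP/1.1" 200 6148',
]
SAMPLE_ERROR_LOG = [  # constructed, same shape as the error log quoted above
    '[Sat Mar 20 09:38:10 2004] [error] [client 10.0.0.10] File does not exist: /Library/WebServer/Documents/msadc/msadcs.dll',
    '[Sat Mar 20 15:11:59 2004] [error] [client 10.0.0.11] File does not exist: /Library/WebServer/Documents/NULL.printer',
    '[Mon Mar 22 04:00:54 2004] [error] [client 10.0.0.12] File does not exist: /Library/WebServer/Documents/scripts/nsiislog.dll',
    '[Tue Mar 23 02:57:55 2004] [error] [client 10.0.0.13] File does not exist: /Library/WebServer/Documents/_vti_inf.html',
    '[Tue Mar 23 03:00:00 2004] [error] [client 10.0.0.14] File does not exist: /Library/WebServer/Documents/favicon.ico',
]

# Probe families seen in this thread; first match wins.  None of these
# paths exist on a stock OS X Apache install, so a 404 is the expected answer.
PROBE_SIGNATURES = [
    ("Code Red: /default.ida (IIS Indexing Service ISAPI)", re.compile(r"/default\.ida", re.I)),
    ("Nimda-style traversal to cmd.exe", re.compile(r"cmd\.exe", re.I)),
    ("IIS MDAC/RDS probe: msadcs.dll", re.compile(r"/msadc/msadcs\.dll", re.I)),
    ("IIS .printer ISAPI probe", re.compile(r"null\.printer", re.I)),
    ("IIS nsiislog.dll probe", re.compile(r"nsiislog\.dll", re.I)),
    ("FrontPage extensions probe: _vti_inf.html", re.compile(r"_vti_inf\.html", re.I)),
    ("OS X fingerprint: .DS_Store", re.compile(r"/\.DS_Store", re.I)),
    ("NOP-like \\x90 filler (overflow-style padding)", re.compile(r"(\\x90){4,}")),
]

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')
ERROR_RE = re.compile(
    r'^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<client>\S+)\] File does not exist: (?P<path>\S+)')


def classify_path(path):
    """Return the label of the first matching probe signature, or None."""
    for label, pattern in PROBE_SIGNATURES:
        if pattern.search(path):
            return label
    return None


def parse_access_line(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["source"] = "access"
    return rec


def parse_error_line(line):
    m = ERROR_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["source"] = "error"
    rec["status"] = "404"  # "File does not exist" is Apache's 404 error-log entry
    return rec


def scan(access_lines, error_lines, max_uri=2048):
    """Return one finding per probe-looking request; ordinary traffic is skipped."""
    records = [parse_access_line(l) for l in access_lines]
    records += [parse_error_line(l) for l in error_lines]
    findings = []
    for rec in records:
        if rec is None:
            continue
        label = classify_path(rec["path"])
        oversized = len(rec["path"]) > max_uri
        if label is None and not oversized:
            continue
        findings.append({
            "client": rec["client"], "source": rec["source"],
            "label": label or "oversized request", "oversized": oversized,
            "status": rec["status"],
            # A 2xx means the server really served the probed path; that is the
            # only outcome here worth investigating rather than ignoring.
            "served": rec["status"].startswith("2"),
        })
    return findings


def hits_per_client(findings):
    """Count probes per client, the number that matters if they start to hurt bandwidth."""
    return Counter(f["client"] for f in findings)


def served_probes(findings):
    return [f for f in findings if f["served"]]


if __name__ == "__main__":
    found = scan(SAMPLE_ACCESS_LOG, SAMPLE_ERROR_LOG)
    for f in found:
        print(f'{"INVESTIGATE" if f["served"] else "noise":11} {f["client"]:10} {f["status"]} {f["label"]}')
    print("hits per client:", dict(hits_per_client(found)))
```

Run against the constructed lines it reports seven "noise" findings (the 414 and the six 404s) and one "INVESTIGATE" line, the .DS_Store that came back 200. The fix for that last case on a stock OS X install is an httpd.conf block such as `<FilesMatch "^\.DS_Store$">` with `Order allow,deny` and `Deny from all`, so Finder metadata is never served.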
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Mar 23, 2004, 04:41 PM
 
P.S. Technically, you were not hacked...
     
eyadams
Dedicated MacNNer
Join Date: Oct 2000
Location: Pasadena, CA, USA
Mar 23, 2004, 05:25 PM
 
These are zombies, Windows worms, and other scripts. Yes, they are attempting to exploit buffer overflow problems in IIS, and no, they probably won't work on your machine.

I remember a couple of years ago when the "nimda" worm was just starting to spread, I turned on the web server on one of my machines and just watched the log. It took about 15 seconds before I got my first hit, and this was a machine that did not run any public services except ssh.

Whenever I see the "activity" light on my cable modem blinking on and off, I just assume it's the latest Windows worm trying its darndest.
     
C.J. Moof
Mac Elite
Join Date: Aug 2001
Location: Madison, WI
Mar 24, 2004, 04:54 PM
 
Originally posted by eyadams:
These are zombies, Windows worms, and other scripts. Yes, they are attempting to exploit buffer overflow problems in IIS, and no, they probably won't work on your machine.

I remember a couple of years ago when the "nimda" worm was just starting to spread, I turned on the web server on one of my machines and just watched the log. It took about 15 seconds before I got my first hit, and this was a machine that did not run any public services except ssh.

Whenever I see the "activity" light on my cable modem blinking on and off, I just assume it's the latest Windows worm trying its darndest.
I read this and thought about how I haven't looked at my home machine's access_log for a while, so I ssh'ed in and tail -n 111 -f on it to look. As I'm reviewing the log, it gets a hit with that giant repeating string. There are even default.ida hits - Code Red. I guess that will never completely go away.

Guess what - my webserver is up and running just fine. Keep trying, zombies.
OS X: Where software installation doesn't require wizards with shields.
     
Millennium
Clinically Insane
Join Date: Nov 1999
Mar 24, 2004, 05:09 PM
 
You were not hacked. Someone did try, as you suspected, but he failed to get in. This seems to have been an actual person, rather than a bot, but whoever it was still didn't manage.

Isn't OSX great?
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
ginoledesma
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
Mar 24, 2004, 09:50 PM
 
Originally posted by C.J. Moof:
There are even default.ida hits - Code Red. I guess that will never completely go away.
Tell me about it. I still have strains of Nimda, Sobig, Code Red, and other annoying "noise" viruses in the network.

The more annoying aspect with attempted exploits is that multiple attempts can potentially result in a denial of service. My cable connection alone is slow as it is, so I don't need no stinkin' hack attempts sucking up (what's left of) my bandwidth, thank you very much.
     