what are they doing at my site?!


  1. #1
    Join Date
    Dec 1969
    Posts
    716

    Default what are they doing at my site?!

    lately, i've noticed some weird logs in my log files. i've never seen anything like this before, here is a sample of some of the logs, (i've excluded the ip):

    10:48:22 GET /scripts/..ð€€¯../winnt/system32/cmd.exe 403
    10:48:22 GET /scripts/..ø€€€¯../winnt/system32/cmd.exe 403
    10:48:22 GET /scripts/..ü€€€€¯../winnt/system32/cmd.exe 403
    10:48:22 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
    10:48:24 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
    10:48:25 GET /msadc/../../../../../../winnt/system32/cmd.exe 502

    what is this?! as you can see, some of these worked. is this a malicious thing, or what? i've tried to access the cmd.exe by running these same commands, but i've seen nothing. does anyone know what cmd.exe is and what it does? is there some preventative stuff i need to do or what?

    thx,
    justin

  2. #2
    Join Date
    Dec 1969
    Posts
    848

    Default YOU ARE BEING HACKED!!!!!!!

    This happened to one of our servers today as well, if you heard about a problem with some print driver thing with IIS 5.0, that is what they are doing, I suggest that you contact the CERT, and possibly the FBI if you have sensitive Info on your site. If there was anything about
    f*ck+USA+Government^^^^^f*ck+PoizonBOx
    in any of your log files, let me know by posting your email address

  3. #3
    RDM Guest

    Default Hackers...

    File/Print server hack that is out now. If you shut down the File/Print services on the web server, this will take care of it.
    If you can't (because you need the service), then download MS patch at their site.

  4. #4
    Join Date
    Dec 1969
    Posts
    716

    Default RE: Hackers...

    does that disable the ftp server? what exactly is achieved by running cmd.exe?

    thx for the quick response, i'll get the patch and stop the file server, i guess? can i really not run the FTP?


  5. #5
    al dawg Guest

    Default RE: Hackers...

    cmd on an NT/win2k box is the dos shell prompt. I don't know a lot about hacking and how giving that command over a browser would work, but I know at work (IT Manager) CMD gives me dos shell access to use some of my dos commands.

  6. #6
    RDM Guest

    Default Nah...

    If you have your "Printer" service running shut it down if you don't need to print directly from the web server.
    Look in "Services" to see if it's even running. It may not be.
    What you see in your logs is likely error messages because the bastards couldn't get in.

    Hackers suck...
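
Added example, not part of the original thread: a small log triage script for entries in the time/method/URI/status layout shown in the first post. It flags plain `..` segments, non-ASCII characters next to `..` (how an overlong UTF-8 encoding of `/` shows up in a log), and requests for cmd.exe, and separates requests the server answered with 200 from those it denied; the function names and the benign sample line are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# First three lines are copied from the first post; the last is a constructed benign request.
SAMPLE_LOG = """\
10:48:22 GET /scripts/..ð€€¯../winnt/system32/cmd.exe 403
10:48:22 GET /msadc/../../../../../../winnt/system32/cmd.exe 200
10:48:25 GET /msadc/../../../../../../winnt/system32/cmd.exe 502
10:49:01 GET /default.asp 200
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(\d{3})$")
# Non-ASCII characters touching "..": an overlong-encoded separator as it appears in a log.
NON_ASCII_NEAR_DOTS = re.compile(r"\.\.[^\x00-\x7f]|[^\x00-\x7f]\.\.")
OUTCOME = {"200": "served", "403": "denied"}


def reasons_for(uri):
    """Return the reasons a request URI looks like a traversal attempt."""
    # Decode twice so double-encoded sequences such as %252e%252e are seen too.
    path = unquote(unquote(uri, encoding="latin-1"), encoding="latin-1")
    path = path.replace("\\", "/").lower()
    reasons = []
    if ".." in path.split("/"):
        reasons.append("dot-dot segment")
    if NON_ASCII_NEAR_DOTS.search(path):
        reasons.append("non-ASCII next to dot-dot")
    if path.endswith("/cmd.exe") or "/cmd.exe?" in path:
        reasons.append("targets cmd.exe")
    return reasons


def scan(log_text):
    """Return (time, status, outcome, reasons) for each suspicious log line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected four-field layout
        time, _method, uri, status = m.groups()
        reasons = reasons_for(uri)
        if reasons:
            findings.append((time, status, OUTCOME.get(status, "other"), reasons))
    return findings


if __name__ == "__main__":
    for time, status, outcome, reasons in scan(SAMPLE_LOG):
        print(time, status, outcome, "; ".join(reasons))
```

Lines reported as "served" are the ones to follow up first, since the server returned a success status for a request that reached outside the web root.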
