web server got owned :wtc:

Discussion in 'OT Technology' started by Leb_CRX, Dec 7, 2003.

  1. Leb_CRX

    Leb_CRX OT's resident terrorist

    lately I've been noticing tons of unwanted traffic on my webserver...

    bunch of shit like trying to run cmd and what not, and it would go on for pages, more than normal traffic, I don't care, so I was laughing it off cause clearly they weren't successful....but today I turned on my monitor, and I notice it's not booting...oh noes 'invalid system disk' or some shit...hahaha looks like I got owned, if it's from someone on this board that did this, holla, I don't give a fuck, I turned on the monitor to shut it down since I am bringing it to a friend's house to install linux on it anyhow...

    talk about good coincidence...now I worry that my soon to be (after work today) rh9 box will get hacked.. :ugh: :ugh:

    I was running win2k, latest security patches and apache2.0...

    I wonder if there's any way to recover the log files to see exactly what was successful and what was not, and what they did exactly...and I wonder exactly what they did, I'll probably pull out the HD and take a look at it from my friend's machine to see if there's any data left on it :x: :x: :x: :x:
     
  2. MattIROC

    MattIROC has a semi nice av. changed due to rules :(

    sucks that someone got into it :(
     
  3. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    boot off ur cd and launch the recovery console. who knows, ur boot.ini could have been erased!
     
  4. Rob

    Rob OT Supporter

    Does anyone else think that it is highly unlikely that the two things he said are related?
     
  5. TheDarkHorizon

    TheDarkHorizon \xC0\xFF\xEE

    Me.

    You are probably getting probed by the NIMDA virus, which is very likely to occur when you run a webserver on your home ISP. I get IIS vuln scans every hour from other Comcast hosts. I just ignore them. You can't really "laugh at people scanning you" because more than likely it is a virus/trojan doing it without intention from the user on the remote end.

    I'd do more troubleshooting before jumping to the conclusion that your machine was hacked.
     
  6. ChosenGSR

    ChosenGSR Mama always said you'd be the chosen one

    :werd:
     
  7. Leb_CRX

    Leb_CRX OT's resident terrorist

    actually y'all are right, I got to my friend's house and the BIOS didn't even detect the HD...wtf, we ended up getting pissed, and tried it about 4-5 times before we took it out of my machine and tried it on his...anyhow, we dropped it in the process, and when we plugged it into his machine it detected fine, then we plugged it back in mine and it was working again :dunno:

    some weird shit is going on, now the HD works whenever it wants and doesn't work sometimes...some fucked up shit for sure

    anyone got a small HD for sale? something that's >4 <10
     
  8. Leb_CRX

    Leb_CRX OT's resident terrorist

    the thing that doesn't make sense is that the same IP was browsing through my site a day or two before...well from what I remember, and it's on the rogers domain, not that it matters, and it was really inconsistent, like it's been going on for like 3-4 days or so, and it's not the same shit being run, and it's sometimes in the afternoon, sometimes at night...

    anyhow, i'm gonna do some reading on the NIMDA virus, you could definitely be right :hs:
     
  9. Leb_CRX

    Leb_CRX OT's resident terrorist

    thing is the log files read whoever/whatever was doing this was trying to access cmd.exe...

    who knows if they are successful in running that, as far as I know, they can't, but I don't know much about what can or cannot be run
     
  10. Rob

    Rob OT Supporter

    Back when my webserver used to be run off AT&T Cable Service my error logs would be flooded with requests for that. Like was stated earlier, it was Nimda or Code Red.

    You said it was Apache on Win2k anyways, Apache isn't open to the Nimda and Code Red attacks. Only IIS is.
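    As an added example (not code from the thread or from any of its posters), a small Python parser for Apache combined-format access logs that tags the Nimda and Code Red probe paths discussed above, counts them per source IP, and separates the 404 noise from any such request that got a non-4xx answer, which on Apache is the one line worth a closer look. The log lines are constructed for the example, not the poster's real logs.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" log line: client identd user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# Paths the Nimda and Code Red worms request when probing IIS: Nimda looks for
# cmd.exe or a planted root.exe (often behind ..%5c traversal); Code Red hits default.ida.
SIGNATURES = (
    ("nimda", re.compile(r"(cmd|root)\.exe", re.I)),
    ("code-red", re.compile(r"default\.ida", re.I)),
)
# Constructed sample lines modelled on the traffic described in the thread
# (not the poster's real logs); the last probe is given a 200 on purpose.
SAMPLE_LOG = """\
24.0.0.1 - - [07/Dec/2003:14:02:11 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
24.0.0.1 - - [07/Dec/2003:14:02:13 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
24.0.0.2 - - [07/Dec/2003:21:15:40 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 280 "-" "-"
192.168.1.20 - - [07/Dec/2003:21:16:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
24.0.0.3 - - [08/Dec/2003:02:40:09 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1204 "-" "-"
"""

def parse_line(line):
    """Fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    """Worm family a request path matches, or None; decoded twice so %255c traversals show up."""
    decoded = unquote(unquote(path))
    for family, pattern in SIGNATURES:
        if pattern.search(decoded):
            return family
    return None

def summarize(log_text):
    """Count probes per source IP and list any probe that was not answered with a 4xx.
    Apache has no cmd.exe or default.ida to serve, so a non-4xx reply is the odd one out."""
    by_ip = defaultdict(Counter)
    succeeded = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        family = classify(rec["path"]) if rec else None
        if family is None:
            continue
        by_ip[rec["ip"]][family] += 1
        if not rec["status"].startswith("4"):
            succeeded.append((rec["ip"], rec["path"], rec["status"]))
    return {"by_ip": dict(by_ip), "succeeded": succeeded}
```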
     
  11. Dommi

    Dommi Guest

    second that, it's probably nimda
     
  12. stillspiraling

    stillspiraling Would you like some making fuck, BERSERKER

    run a gentoo linux server and worry no more about any of that. emerge sync and emerge -U world about once a week... Also run iptables. Linux is the only way to go for a more secure server.
     
  13. Scoob_13

    Scoob_13 Anything is possible, but the odds are astronomica

    .....Due to this interesting statement of ">4 < 10" I hereby withdraw my support for you as C&P mod :p


    4<X<10 :fawk:
     
  14. Rob

    Rob OT Supporter


    :rofl:
     
  15. CyberBullets

    CyberBullets I reach to the sky, and call out your name. If I c

    :o :rofl:
     
  16. Leb_CRX

    Leb_CRX OT's resident terrorist

    you will have to excuse me, I wrote that at work and I type faster than I can think so :o :o
     