hackers?
I just took a look in my apache access log and found tons of lines of the following sort of stuff:
12.203.241.89 - - [02/Oct/2003:19:29:05 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
12.203.241.89 - - [02/Oct/2003:19:29:05 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
12.203.241.89 - - [02/Oct/2003:19:29:05 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
12.203.241.89 - - [02/Oct/2003:19:29:06 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
12.203.241.89 - - [02/Oct/2003:19:29:06 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
12.203.241.89 - - [02/Oct/2003:19:29:06 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
12.203.241.89 - - [02/Oct/2003:19:29:06 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
12.203.241.89 - - [02/Oct/2003:19:29:06 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
63.167.200.20 - - [03/Oct/2003:11:11:37 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
216.204.145.242 - - [05/Oct/2003:17:55:32 -0400] "GET /scripts/nsiislog.dll" 404 -
What is this? What should I do about it?
Appears to be some miscreant trying to crack your rig. But they're amateurs, because they didn't bother to see that you are not running Winblows. Ha ha!
Get your firewall up.
Thanks!
That's what I was guessing, just wanted to be sure... I still want to be able to use my http server for my web page... How should I set up my firewall?
In System Preferences::Sharing there is a firewall tab that lets you turn on the OS X default firewall. This should be sufficient for your needs. I'm assuming you are using 10.2.*; I can't quite remember if the firewall was shipped or available through the System Prefs in 10.0.* or 10.1.*
I thought that using the firewall would block those ports completely... I am using my web server (and some other servers) right now. Should I still turn on the firewall?
Thanks!
You can choose what ports you want to allow to remain open with the Apple control.
The problem with the Apple control (IMO) is that you cannot specify addresses that are allowed/disallowed, and you cannot set it to log to your system.log. For that you should learn ipfw from the CLI or get a GUI controller like BrickHouse or SunShield.
Yellow,
Isn't Apple's pref panel just a front end for ipfw?
It is indeed, with a minimum of control. Seems to me like an afterthought they threw in...
Minimum of thought or catering to the least common denominator IMHO. :cool:
I think they wanted Joe User to be able to simply click on a button to turn on the firewall. They should've added some sort of an "advanced" tab/panel/button/whatever to give us access to more granular control via the GUI.
I agree on both counts... they definitely wanted to make it easy. But they should have had the time/forethought to include some more important controls.
This could also be a Code Red attack on your machine. See this article for some other examples.
The short answer (from the Apache Docs) is that "You can safely ignore these error messages as they do not affect Apache."
certainly not code red, but nimda....
Quote:
Now in the days of broadband you are up on the net, with an option to project even your PPPoE address to the net if you set the router correctly. When you are running an older version of IIS server on Windows, you will probably become instantly infected, and then your machine will be sending the same kind of requests out to your network neighbors. These are not hurting your machine, but they are bothersome nonetheless. First of all they fill up your logs with nonsense; secondly they waste bandwidth and take HTTP slots away from your other visitors. There are some solutions where you can route these requests to a separate log file, and you can set rules in the /etc/httpd/httpd.conf file to send special warnings. If you dig in the archives from August to October of 2001 you will find some other comments. By playing around with some of the addresses obtained from recent logs, I have been able to see into their scripts directory, and possibly even rearrange their files... ;) I have written letters to ISPs and did my best to inform users of the dangers of running Windows on the network.... It is a big job, and Microsoft has tomorrow's virus to worry about. Be glad you use Macintosh!!!
jimr, our family has a network consisting of 2 Macs and 2 PCs, all connected to a cable modem through a router. The router is supposed to have a firewall with the firewall turned on. Of course, I have my Mac and my daughter's Mac set up with the OS firewall turned on. My husband has a software firewall turned on his Windows computer, as well.
The concern I have is with my other daughter's computer. She has an old Pentium II, running Windows 95 ("running" may not be the right word for it as she's got it so badly messed up, it crashes every few minutes). Recently, her friends have discovered some way of literally crashing each other's computers through AIM. I've watched it happen. Someone tells her in AIM that he's going to crash her computer, and sure enough, her computer crashes. She claims to have done the same to others. They think it's a funny game. At the same time, she ran a scan on her computer and discovered a virus. Hubby's not here, and I know nothing about Windows. All I could tell is that she had downloaded something called "backdoor" that the scanning software said was a trojan. I removed it, of course, and then she complained that she can't crash anyone anymore, so I suspect this was the program that was doing the crashing. Others can still crash her. She just can't crash them back. BTW, she has discovered that they can't crash her if she's on her sister's Mac G3. ;) My husband had me shut down his Windows computer immediately because he was scared that there was a hole in our hardware firewall, since the kids can puncture through to crash my daughter's computer. Daughter wants me to wipe out her HD and reload Win95, but I ain't gonna do it until daughter learns her lesson -- you don't download everything in sight without scanning it! A few more months of crashes might drive the concept home. She's 13 and a bit stubborn, a difficult combination. She says she wants to learn C++ to get them back (shudder!). I've informed daughter that she's very close to becoming a computerless child. I know this is a Mac board, but I don't know any smart Windows people. :D You guys seem to know a lot about computers in general. While I'm not necessarily a computer dummy, I am a firewall dummy. I can't seem to pass the knowledge into my thick skull. I just don't "get" firewalls.
I understand the overall basic concept, but not how to effectively USE a firewall other than to turn it off or on (I'm the firewall dummy Apple was targeting). Does the fact that some kids are able to physically crash my daughter's computer through AIM indicate a problem with our router's firewall? Since we have 3 other computers on this same network, can this activity affect the other computers? What logs should I check on my Macs to see what's going on? And does anyone know of a resource I can use to help better protect my daughter's Win95 computer?
According to my ISP supporting son:
"No, it doesn't indicate a problem with the firewall. It does indicate a hole, but it's the same hole the AIM messages are coming through, and the firewall most likely thinks they're legitimate. So basically, with her dumbass computer-crashing friends, it's either no AIM and no remote crashes, or AIM and remote crashes. Their choice."
Vicki, you should probably start another thread with this problem.
Quick/simple answer: firewalls compare packets (the way that networkable applications talk to each other) to rules. The rules tell it to allow or deny (there are other things it can do, but keeping it simple) the packet beyond the firewall. For example: You have a Web server running on your Mac. You have a firewall. You allow everyone in the world to connect to it, except people coming from evil.giantsoftware.com. Those people you've blocked with your firewall. Joe Foo from lala.land.net wants to view your web pages, so he opens his web browser and types in your web address. The first packet that gets sent from his computer (and each subsequent packet) gets stopped at the 'border' by your firewall. Your firewall checks where the packet is from (lala.land.net) and what port it's destined to (80, http), checks the list of rules, and finds one pretty far down the list that says 'allow tcp packets from any host to vickis.computer.com provided it's heading to port 80'. The packet goes through and Bob's your uncle. Joey Joe Joe Junior Shabadoo from evil.giantsoftware.com wants to view your web pages. Like Joe Foo, he does the same thing; his packet arrives at the firewall and is stopped and searched. The firewall sees a rule pretty close to the top of the rule list that says 'deny any packets from evil.giantsoftware.com'. That packet (and all subsequent ones) gets kicked to the curb. OK, so this isn't so short... and it's over-simplified... but that's simple, basic firewalling in a nutshell.
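The two packets in that explanation, walked through a rule list, as an added example (my code, not anything a poster wrote): a first-match rule evaluator in Python that mirrors how ipfw works through its rules in ascending number order and stops at the first one that matches. The addresses are constructed stand-ins from the RFC 5737 documentation ranges (192.0.2.10 for vickis.computer.com, 203.0.113.7 for lala.land.net, 198.51.100.0/24 for evil.giantsoftware.com), and the `as_ipfw` rendering only illustrates rule syntax; it is not output from a real firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses standing in for the hostnames in the post.
MY_HOST = "192.0.2.10"          # vickis.computer.com
JOE_FOO = "203.0.113.7"         # lala.land.net
EVIL_NET = "198.51.100.0/24"    # evil.giantsoftware.com


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int                 # ipfw walks rules from the lowest number up
    action: str                 # "allow" or "deny"
    proto: str = "ip"           # "ip" matches any protocol
    src: str = "any"            # "any" or a CIDR network
    dst: str = "any"
    dport: Optional[int] = None
    log: bool = False           # the per-rule logging the Apple panel cannot switch on

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

    def as_ipfw(self) -> str:
        """Render in ipfw(8) rule syntax, the form you would type after `ipfw add`."""
        parts = [f"{self.number:05d}", self.action]
        if self.log:
            parts.append("log")
        parts += [self.proto, "from", self.src, "to", self.dst]
        if self.dport is not None:
            parts.append(str(self.dport))
        return " ".join(parts)


def evaluate(rules: List[Rule], pkt: Packet, log_sink: Optional[list] = None) -> Tuple[str, int]:
    """First match wins: return (action, rule number) of the lowest-numbered matching rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            if rule.log and log_sink is not None:
                log_sink.append(f"ipfw: {rule.number} {rule.action.title()} "
                                f"{pkt.proto.upper()} {pkt.src} {pkt.dst}:{pkt.dport}")
            return rule.action, rule.number
    raise RuntimeError("no rule matched; a ruleset needs a final catch-all rule")


# The ruleset from the explanation: the deny for the evil host sits near the top,
# the allow for port 80 further down, and an explicit catch-all deny at the end.
RULES = [
    Rule(100, "deny", src=EVIL_NET, log=True),
    Rule(1000, "allow", proto="tcp", dst=f"{MY_HOST}/32", dport=80),
    Rule(65535, "deny"),
]


if __name__ == "__main__":
    print("\n".join(r.as_ipfw() for r in RULES))
    firewall_log: list = []
    for who, pkt in [("Joe Foo", Packet(JOE_FOO, MY_HOST, "tcp", 80)),
                     ("Joey Joe Joe Jr.", Packet("198.51.100.5", MY_HOST, "tcp", 80)),
                     ("Joe Foo, ssh", Packet(JOE_FOO, MY_HOST, "tcp", 22))]:
        action, num = evaluate(RULES, pkt, firewall_log)
        print(f"{who:18} -> {action} (rule {num})")
    print("\n".join(firewall_log))
```

Rule order is the whole game: renumber that deny rule so it lands below the port-80 allow and the packet from evil.giantsoftware.com matches the allow first and goes straight through. That ordering, plus the source-address match and the `log` keyword, is exactly what the Sharing pane's on/off button gives you no way to express, and what you get from ipfw directly or through one of the GUI front ends mentioned above.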
Thank you! Yes, that makes sense. Yellow, thanks for the explanation of how firewalls work. Last year, Merv pointed me to an excellent online video that went into depth explaining firewalls. Your simplified explanation helped me to better understand it all. If I keep at this, I just might catch on! :D
I asked my darlin' daughter to explain to me more fully what's happening when everyone's crashing each other, and she said that most of the kids are only crashing their AIM programs. She thinks the only reason they are able to crash her entire computer is because (1) her computer crashes just because it's turned on, (2) her computer crashes because 60 seconds have passed and so it's time to crash, and (3) her computer crashes anytime anything goes wrong -- so when the kids crash her AIM, it crashes her entire computer. And that follows precisely with the info you guys have offered here. I think I understand what's going on now. I don't know if she can get the latest AIM while running Win95, and, honestly, I don't care. When she first began using that computer, in all her youthful wisdom (NOT!), she completely rejected any and all advice her father and I gave her. She took great pleasure in snubbing Macintosh computers ("Yeah, Mom, but you can't run THIS program, Ha!"). She downloaded everything in sight without a clue. She added huge, memory-hog backgrounds, added fancy mouse pointers, and just basically went wild. Attempting to tell her that she only had a Pentium II with 64MB RAM and a 6GB HD and that she needed to be careful of viruses and trojans didn't faze her one bit. So I sat back and let her go. Waiting. And, sure enough, her computer is so badly messed up that she had to borrow her sister's Mac G3 last night just to print off some .jpg pictures from the internet. Sometimes experience is the best teacher, and this kid needed to learn a few lessons. As long as our network is safe, I'm going to let her gain a bit more experience in her barely running, constantly crashing, slow as a snail Windows PeeCee before I go in and clean up her mess. I don't expect it'll take too much longer before she'll be ready to listen to Mom and Dad's advice on how to properly use a computer.
In the meantime, if she can't run her AIM because the other kids keep crashing her, well, I see no big loss there! I don't think her school work requires AIM. ;) She may be stubborn, but I'm even more so. :D
Quote:
Yes, and the server logs above are not from Code Red, but this: http://www.snort.org/snort-db/sid.html?sid=1945 (aka directory traversal), and Apache is unaffected.
Thanks, hakalugi! I will suggest Trillian to my daughter. I expect she's gained enough experience to accept such a suggestion now. :D
Quote:
And make her learn to maintain it herself... A couple of rounds of rebuilding a borked Windows setup will convince her there is little amusing in repeated system crashes. My guys quickly learned to be suspicious of downloads, to be protective of their systems' integrity and to handle all sorts of problems themselves because they had to be their own system administrators. My daughter switched to Mac! And learning C++ or the like on top of system maintenance might well turn out to be your daughter's 'ticket to ride' ('meal ticket') in an uncertain future...
rgray, that is an excellent idea! I see absolutely no reason why she can't rebuild her own system. I have all of the documents and manuals neatly tucked away in the bookcase. She can learn what RTFM means while she's at it. Maybe she'll not only learn to be more protective of her own computer, but also be more respectful of other people's computers and not play games with AIM crashing idiots.
Well, she said she wanted to learn to program. I guess learning to install her own system is a good place to start. :D Like I said, I knew you guys were smart! :p
Well, some interesting information here, I never expected to see such a response...
The biggest problem I see is that the Windows 95 box is virtually unsupported by MS. This is really not a Microsoft problem, it is a marketing problem (you can't get much support for MacOS 7.5 either!!). The fact that your daughter wants to learn more about her computer is in itself encouraging. We hope that she and her friends move towards application development rather than in the direction which will cause them to violate the emerging Homeland Security laws, which will land them in jail for applying that sort of knowledge on a grander scale with a little bit of knowledge. I believe they are playing with an old Windows 95 vulnerability exploit which was referred to as the "ping of death". Your firewall may or may not be able to block this sort of attack by limiting the size of incoming packets or blocking any outside source which has a high frequency of attempts on a specified port or address. As mentioned above, these are all topics for another complete thread unto themselves. At one level a computer is a computer, and the network connections and ports are all the same. This creates interoperability. The main difference between manufacturers is the configuration of the machine's internal software and the exposure of the ports in the default configuration. Modern routers, which you have, can be configured to disallow certain types of activity -- both incoming and outgoing traffic may be controlled. Additionally, a good virus checker will check downloaded and other imported files for any signs of infections which may cause data loss or compromise your family's security. All of these things are good to have, and just to reiterate the underlying message of my previous post, "Be Careful!!" Back to Nimda and Code Red: these worms use a technique whereby they overload a component in the Windows machine used for Personal Web Sharing. They send a particular string of large characters which overloads the component, and while the machine is doing that it "forgets" where the signal came from and executes the final part as if it was performing an instruction which you gave it. That instruction usually ends up being something which is beneficial to loading and executing the virus in your system. Now, there are many variants which use these techniques. The original MacOS was not susceptible to these things because most ports were completely turned off. There were a handful of viruses which came from software typically traded on floppy disk or by BBS system in the old days. At this moment there are worms which will attack Unix machines, but the BSD core technology has a very good track record for repelling such attacks. So mostly, you should set your firewalls and your configuration files to either ignore or fail to respond to typical attack patterns. How to do that exactly is another long subject, and I suggest looking on the Symantec website (SARC) http://www.symantec.com for virus advisories and recommendations for blocking such net-bound attacks. Certainly we have no idea when or where the successful MacOSX virus will appear; Norton AntiVirus just checks your email and documents for MS Office macro viruses which may run within Microsoft products and damage your files or compromise your personal information in some way.