Page 1 of 2 (results 1 to 16 of 17)

Thread: hack attempt?

  1. #1
    Sublime HEXUS.net
    Join Date
    Jul 2003
    Location
    The Void.. Floating
    Posts
    11,819
    Thanks
    213
    Thanked
    233 times in 160 posts
    • Stoo's system
      • Motherboard:
      • Mac Pro
      • CPU:
      • 2*Xeon 5450 @ 2.8GHz, 12MB Cache
      • Memory:
      • 32GB 1600MHz FBDIMM
      • Storage:
      • ~ 2.5TB + 4TB external array
      • Graphics card(s):
      • ATI Radeon HD 4870
      • Case:
      • Mac Pro
      • Operating System:
      • OS X 10.7
      • Monitor(s):
      • 24" Samsung 244T Black
      • Internet:
      • Zen Max Pro

    hack attempt?

    Just noticed this in my Apache access log..

    82.40.97.157 - - [03/Apr/2005:06:41:14 +0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02..... (etc etc etc)
    \x90\x90\x90\x90\x90\x90\x90..... (etc etc etc)" 414 337
    the \x90 and \x02\xb1 went on for aaaaages..

    anyone come across this before?
    (\__/)
    (='.'=)
    (")_(")
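As an added example (mine, not part of the original post), here is a small Python triage pass over constructed Apache log lines. The first line is modelled on the one quoted above with the byte runs shortened; the other three are made up. The script undoes the `\xNN` escaping Apache applies when it writes non-printable request bytes to the access log, splits the request line, and tags what a practitioner looks for: a run of 0x90 bytes (the x86 NOP used to pad an overflow payload; a SEARCH request of this shape against a non-IIS host is consistent with the worms that scanned for the 2003 IIS WebDAV overflow, MS03-007), raw binary in the URI, the IIS paths that appear later in this thread, a WebDAV method such as SEARCH, and a 414 status. The sample lines, tag names and sled threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed Apache common-log lines. The first is modelled on the line quoted in the post
# (the escaped byte runs shortened); the other three are invented for illustration.
SAMPLE_LOG = r"""82.40.97.157 - - [03/Apr/2005:06:41:14 +0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 337
198.51.100.7 - - [03/Apr/2005:07:02:55 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
198.51.100.7 - - [03/Apr/2005:07:02:56 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285
203.0.113.9 - - [03/Apr/2005:07:10:01 +0100] "GET /index.html HTTP/1.1" 200 1432
"""

# ip ident user [timestamp] "request" status size; the request field may contain \" and \\.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)')

# Apache writes non-printable request bytes as \xNN and escapes \ and " in the log.
ESC_RE = re.compile(rb'\\(x[0-9a-fA-F]{2}|[nrtv\\"])')
SIMPLE_ESC = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'v': b'\v', b'\\': b'\\', b'"': b'"'}


def unescape_logitem(field: str) -> bytes:
    """Recover the raw bytes Apache saw from an escaped log field."""
    def repl(m):
        tok = m.group(1)
        return bytes([int(tok[1:], 16)]) if tok[:1] == b'x' else SIMPLE_ESC[tok]
    return ESC_RE.sub(repl, field.encode('latin-1'))


def split_request(req: bytes):
    """Split the logged request line into (method, uri, version); version may be absent."""
    parts = req.split(b' ')
    method, rest = parts[0], parts[1:]
    version = b''
    if rest and rest[-1].startswith(b'HTTP/'):
        version, rest = rest[-1], rest[:-1]
    return method, b' '.join(rest), version


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of `value` in `data` (0x90 is the x86 NOP used for sleds)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


# Path fragments from the RedirectMatch list in this thread, plus WebDAV methods.
IIS_PATHS = (b'cmd.exe', b'root.exe', b'/_vti_bin/', b'/scripts/..', b'/_mem_bin/', b'/msadc/', b'/winnt/')
WEBDAV_METHODS = {b'SEARCH', b'PROPFIND', b'PROPPATCH', b'MKCOL', b'LOCK', b'UNLOCK'}
NOP_SLED_MIN = 16   # assumed threshold; real sleds run to thousands of bytes


def classify(method: bytes, uri: bytes, status: int) -> list:
    """Tags describing why a request looks like scanner or exploit traffic (empty if benign)."""
    tags = []
    if longest_run(uri, 0x90) >= NOP_SLED_MIN:
        tags.append('nop-sled')
    if any(b < 0x20 or b > 0x7e for b in uri):
        tags.append('binary-uri')          # no browser sends raw control/high bytes in a URI
    if any(sig in uri.lower() for sig in IIS_PATHS):
        tags.append('iis-path')
    if method in WEBDAV_METHODS:
        tags.append('webdav-method')
    if status == 414:
        tags.append('uri-too-long')        # Apache refused the request line before any handler ran
    return tags


def triage(log_text: str) -> dict:
    """Map source IP -> list of suspicious requests found in `log_text`."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method, uri, _ = split_request(unescape_logitem(m['req']))
        tags = classify(method, uri, int(m['status']))
        if tags:
            findings[m['ip']].append({'ts': m['ts'], 'method': method.decode('latin-1'),
                                      'status': int(m['status']), 'uri_len': len(uri), 'tags': tags})
    return dict(findings)


if __name__ == '__main__':
    for ip, hits in triage(SAMPLE_LOG).items():
        for h in hits:
            print(f"{ip} {h['ts']} {h['method']} {h['status']} len={h['uri_len']} {','.join(h['tags'])}")
```

On a real log, pass the file contents to `triage()`. The `uri-too-long` tag is worth keeping: a 414 means Apache rejected the request line (LimitRequestLine, 8190 bytes by default) before any handler or redirect rule ran, so nothing in the httpd configuration needs to "handle" that request.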

  2. #2
    Agent of the System ikonia's Avatar
    Join Date
    May 2004
    Location
    South West UK (Bath)
    Posts
    3,736
    Thanks
    39
    Thanked
    75 times in 56 posts
    I get stuff like this all the time in webserver logs; it's pretty much the same as when you used to see

    /winnt/system32/cmd.exe in the logs, even though it was on a unix host.

    apache is just logging the requests people are making, some of them are attempts to exploit.

    you can't stop this, just make sure your host is as closed to exploits as possible
    It is Inevitable.....


  3. #3
    Sublime HEXUS.net
    *evil laugh*

    Code:
    # RedirectMatch belongs to mod_alias, not mod_rewrite; the original
    # <IfModule mod_rewrite.c> guard tied these rules to the wrong module.
    <IfModule mod_alias.c>
    RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
    # The regex is case-sensitive, hence both spellings of msadc.
    RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
    RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
    # This rule never fires on the SEARCH request from the log: "\x90" is only how
    # Apache writes the raw 0x90 byte in the access log, and a request that gets a
    # 414 is refused before mod_alias sees it.
    RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
    </IfModule>

  4. #4
    Goat Boy
    Join Date
    Jul 2003
    Location
    Alexandra Park, London
    Posts
    2,428
    Thanks
    0
    Thanked
    0 times in 0 posts
    Hehe nice work stoo!
    "All our beliefs are being challenged now, and rightfully so, they're stupid." - Bill Hicks

  5. #5
    Agent of the System ikonia's Avatar
    Hmmm, be interesting to see if MS get snotty.

    I don't think they like people forwarding to their site

    I like your style.


  6. #6
    Sublime HEXUS.net
    Well, they're obviously looking for something microsoft created

  7. #7
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber
    Doesn't an HTTP redirect require client-side action?
    The worms which are trying to check for vulnerabilities aren't likely to follow a redirect I think...

    It's also a little sad really.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  8. #8
    Bigger than Jesus Norky's Avatar
    Join Date
    Feb 2005
    Posts
    1,579
    Thanks
    1
    Thanked
    8 times in 8 posts
    No, the redirects are server-side Apache.

  9. #9
    Ex-MSFT Paul Adams's Avatar
    Yes, but the response to the client is "the content you wanted is over there --->" is it not?
    And then the client has to re-request the data from the new location?
    Otherwise the server would have to retrieve the data and return it for you...

    HTTP return code 3xx or something, if memory serves - instructs the client to go speak to the new location for the requested resource.
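To make the point of posts #7 to #9 concrete, here is an added Python demonstration (mine, not from the thread) that uses the standard library's http.server as a stand-in for Apache. The handler applies the thread's path patterns and answers a match with a 301 whose Location is a loopback address (the server's own, so the demo runs offline). Three exchanges follow: a raw-socket client that behaves like a scanner, sends the request, reads the 301 and does nothing with it; a client that behaves like a browser and issues the second request the 3xx asks for; and the NOP-sled SEARCH request from the log, sized past the request-line cap, which is refused with 414 before any handler (and so any redirect rule) runs. The port, paths and request counter are constructed for the demo.

```python
import re
import socket
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# The same path patterns as the RedirectMatch rules in this thread, applied in a
# Python handler that stands in for Apache.
WORM_PATHS = re.compile(r'cmd\.exe|root\.exe|/_vti_bin/|/scripts/\.\.|/_mem_bin/|/msadc/|/[cd]/winnt/', re.I)


class RedirectingHandler(BaseHTTPRequestHandler):
    """301 for worm-style paths, 200 for everything else. Records each request it sees."""

    def log_message(self, *args):
        pass                                    # keep the demo quiet

    def _handle(self):
        self.server.seen.append((self.command, self.path[:40]))
        if WORM_PATHS.search(self.path):
            self.send_response(301)
            # Loopback, as suggested in the thread; this server's own address so the demo stays offline.
            port = self.server.server_address[1]
            self.send_header('Location', f'http://127.0.0.1:{port}/landing')
            self.send_header('Content-Length', '0')
            self.end_headers()
        else:
            body = b'ok\n'
            self.send_response(200)
            self.send_header('Content-Length', str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    do_GET = do_SEARCH = _handle


def start_server():
    srv = ThreadingHTTPServer(('127.0.0.1', 0), RedirectingHandler)
    srv.seen = []                               # (method, path) of every request that reached a handler
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_request(port: int, request: bytes):
    """Talk to the server the way a scanner does: raw bytes out, status and headers back, nothing followed."""
    with socket.create_connection(('127.0.0.1', port), timeout=10) as s:
        s.sendall(request)
        chunks = []
        while True:                             # HTTP/1.0 reply: server closes when it is done
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    head = b''.join(chunks).split(b'\r\n\r\n', 1)[0].decode('latin-1')
    status_line, *header_lines = head.split('\r\n')
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(':', 1) for h in header_lines if ':' in h)}
    return int(status_line.split()[1]), headers


def follow_redirects(port: int, request: bytes, max_hops: int = 3):
    """What a browser does with a 3xx: issue a new request for the Location. Returns (final status, hops)."""
    status, headers = raw_request(port, request)
    hops = 0
    while 300 <= status < 400 and 'location' in headers and hops < max_hops:
        path = urllib.parse.urlsplit(headers['location']).path or '/'   # same server in this demo
        status, headers = raw_request(port, f'GET {path} HTTP/1.0\r\n\r\n'.encode())
        hops += 1
    return status, hops


def run_demo() -> dict:
    srv = start_server()
    port = srv.server_address[1]
    try:
        out = {}
        worm = b'GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n'
        # 1. A scanner sends the request, gets a 301 and moves on: one request served, nothing else happens.
        status, headers = raw_request(port, worm)
        out['scanner'] = (status, headers.get('location', ''), len(srv.seen))
        srv.seen.clear()
        # 2. Only a client that chooses to act on the 3xx costs anyone a second request.
        status, hops = follow_redirects(port, worm)
        out['browser'] = (status, hops, len(srv.seen))
        srv.seen.clear()
        # 3. The NOP-sled SEARCH from the log, sized past http.server's 64 KiB request-line cap
        #    (Apache's LimitRequestLine default is 8190 bytes): refused with 414 before any handler,
        #    and therefore before any redirect rule, runs.
        sled = b'SEARCH /' + b'\x90' * (65537 - len(b'SEARCH /'))
        status, _ = raw_request(port, sled)
        out['sled'] = (status, len(srv.seen))
        return out
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == '__main__':
    print(run_demo())
```

The request counter is the whole argument in one number: the scanner exchange leaves one request on the server, the browser-style client leaves two, and the oversized SEARCH leaves none, because the 414 is generated by the request parser and the handler never runs.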

  10. #10
    Sublime HEXUS.net
    *shrug*

  11. #11
    LWA
    LWA is offline
    Senior Member
    Join Date
    Jul 2003
    Location
    London
    Posts
    2,171
    Thanks
    134
    Thanked
    57 times in 41 posts
    Personally I loved the redirects

    Paul - surely Microsoft can handle it

  12. #12
    Ex-MSFT Paul Adams's Avatar
    Oh I'm sure the servers can cope, that's not the point.

    1 - it's not likely to even work

    2 - if it did redirect and the worm sends a request to the MS website then it still won't work and it's a waste of bandwidth for the ISP the infected client is coming from and the hosting company of the site

    3 - it doesn't achieve anything useful at all - even if this method did work it would be more beneficial (and less destructive) to (for example):
    -- redirect the client back to 127.0.0.1
    -- ignore the request and not even acknowledge it, wasting the client's time
    -- have an automated whois & abuse email to the ISP


    It strikes me as misguided as the "retaliation attack" programs that plagued IRC for years, where clients which were nuked launched an attack back on where the original attack appeared to come from - which could be an innocent if the source address was spoofed.

    But I'm used to being in minority, 'cos it's always cool to bash Microsoft...

  13. #13
    LWA
    Quote Originally Posted by Paul Adams
    But I'm used to being in minority, 'cos it's always cool to bash Microsoft...
    Dude, seriously you are blowing this all out of proportion...

    but yes it was a bit of a laugh at Microsoft

    And yes I know you work there but calm down mate it is all in good fun.

  14. #14
    Ex-MSFT Paul Adams's Avatar
    Quote Originally Posted by Big Leon
    Dude, seriously you are blowing this all out of proportion...

    but yes it was a bit of a laugh at Microsoft

    And yes I know you work there but calm down mate it is all in good fun.
    I'm not getting worked up, don't worry

    I have spent years working in IT security and see many things like this which in my opinion are irresponsible; it is not the fact that Microsoft are the target that made me write the reply. I would have responded the same if the target had been any other site.

    It's an observation on the intention and method, not the target, and an attempt to make people see the possible side effects of their actions.

  15. #15
    Sublime HEXUS.net
    Oh yes, that's *really* going to make a huge difference to anything, those 6 requests a week.. How will I be able to sleep at night?


  16. #16
    Now with added sobriety Rave's Avatar
    Join Date
    Jul 2003
    Location
    SE London
    Posts
    9,948
    Thanks
    501
    Thanked
    399 times in 255 posts
    Quote Originally Posted by Paul Adams
    -- ignore the request and not even acknowledge it, wasting the client's time
    -- have an automated whois & abuse email to the ISP
    I must say I like these options more than a random redirect. Ultimately why create yet more useless packets flying round the web? The bandwidth they use up is bandwidth that could instead be making someone else's transfer a bit faster.

    In the same way, system admins who configure their antivirus software to automatically send a reply to the 'sender' of virus infected emails annoy me. What a waste of time and bandwidth that is. It's called spoofing, you muppets.
