Hacking attempt?

Discussion in 'Windows Desktop Systems' started by Glaanieboy, Oct 24, 2003.

  1. Glaanieboy

    Glaanieboy Moderator

    Messages:
    2,626
    Location:
    The Netherlands
    I just checked my Apache2 logs and found this:
    Code:
    202.9.*.* - - [24/Oct/2003:21:39:46 +0200] "GET /scripts/nsiislog.dll" 404 306
    (part of the IP has been removed for privacy issues)

    I traced the IP back to a provider somewhere in India. Since I don't know anyone in India and seeing that he/she is trying to access an IIS(?) log script(?), should I block the IP? Or is this normal?
     
  2. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    Probably a crawler/robot. As it says, they received a 404 anyway(?), so it shouldn't really matter.

    Probably only really worth blocking the IP if it's a repeated event.
     
  3. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Don't worry, I get these in my 404 logs all the time:

    /MSADC/root.exe?/c+dir

    /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

    etc. That is the NIMDA or Code Red trojan, but I'm on FreeBSD :) so good luck infecting me.
     
  4. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    *tries really hard* >_<

    :p
     
  5. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
  6. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    That's just Nimda/Code Red.

    I get about 5,000 of those requests a day.
     
  7. Glaanieboy

    Glaanieboy Moderator

    Messages:
    2,626
    Location:
    The Netherlands
    But it only affects IIS on a Windows machine, right?
     
  8. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
  9. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    Correct :)

    [edit] Beaten to it :D
     
  10. Leevoy

    Leevoy Guest

    Well, most of the hack attempts I get are from the Middle East or Asia.

    On the other hand, I get a few via Europe with the user having an Asian or Middle East server.

    Probably better off just blocking their addie for the time being.
     
  11. Bronx Bomber

    Bronx Bomber Guest

    Most of the attempts I get are from Brazil. They've got a real problem with hackers over there.
    Then I get the guys who try to hide their identity by using a different IP. It's really annoying.
     
  12. Friend of Bill

    Friend of Bill What, me worry?

    Messages:
    1,572
    I get 'em from several parts of Asia and Brazil mainly, but none have been successful in penetrating my made-in-America defenses. ;) :cool:
     
  13. Enyo

    Enyo Moderator

    Messages:
    1,338
    Just some general comments to go out in no particular order:

    1) Code Red or Nimda probes (or any worm activity for that matter) are not hacking attempts.

    2) You cannot be sure of the location of an "attacker" and it is not important where they are anyway.

    3) Chill out and be happy you're protected :) Blacklist repetitive IPs that cause you grief.
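
The triage the replies above describe (ignore one-off 404s, blacklist sources that keep coming back), as an added example that is not part of the thread. It goes one step further and also lists probes that did not get a 404. The 3-hit threshold, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format; the protocol token is optional because the line quoted
# in the thread has none.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) ([^"\s]+)(?: [^"]*)?" (\d{3}) \S+')
# Path fragments taken from the requests quoted in the thread.
PROBES = {"nsiislog.dll": "nsiislog.dll probe", "root.exe": "root.exe probe",
          "cmd.exe": "cmd.exe traversal probe"}
# Constructed sample log (documentation-range addresses), not real traffic.
TS = "[24/Oct/2003:21:39:46 +0200]"
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET /scripts/nsiislog.dll" 404 306',
    f'198.51.100.7 - - {TS} "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290',
    f'198.51.100.7 - - {TS} "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320',
    f'198.51.100.7 - - {TS} "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290',
    f'203.0.113.5 - - {TS} "GET /index.html HTTP/1.1" 200 1024',
    f'203.0.113.9 - - {TS} "GET /scripts/NSIISLOG.DLL HTTP/1.0" 200 512',
]

def normalize(path):
    """Percent-decode until stable (%255c -> %5c -> backslash), lowercase, unify slashes."""
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower().replace("\\", "/")

def triage(lines, repeat_threshold=3):
    """Return ({client: hits} for repeat probers, [probes answered with a non-404])."""
    hits, answered = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        client, _method, path, status = m.groups()
        norm = normalize(path)
        label = next((v for k, v in PROBES.items() if k in norm), None)
        if label is None:
            continue  # ordinary request
        hits[client] += 1
        if status != "404":
            answered.append((client, label, status))
    return {c: n for c, n in hits.items() if n >= repeat_threshold}, answered

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A probe that comes back with anything other than 404 is the entry worth reading by hand; the repeat list is only a candidate blocklist.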
     
  14. Leevoy

    Leevoy Guest

    I wonder if they could just send us the honeys from Brazil and let the guys go nuke each other with their trojans and leave the chicks to us red-blooded, sport-minded guys ;)