Possible hacking attempt on my webserver!!!


Gogeta_44
07-18-2004, 12:20 AM
[Mon Jul 12 18:04:38 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/MSADC/root.exe

[Mon Jul 12 18:04:53 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/scripts/..%2f../winnt/system32/cmd.exe

[Wed Jul 7 18:06:10 2004] [error] [client 66.229.158.211] request failed: URI too long

[Thu Jul 15 16:48:27 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/default.ida

I found errors like the ones above scattered throughout my error log and I was wondering if it looked like a hacking attempt gone wrong to anyone. I scrambled the IP so as not to give away the IP of visitors to my site, but it does appear to change in later error entries.

j79zlr
07-18-2004, 12:46 AM
Yes, those are hacking attempts; nothing you can do about it. The first 2 only affect Windows machines anyway. I believe they are Code Red/Nimda related.
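As an added example (not code from the thread or its posters), here is a small triage script that parses Apache 1.3 error_log lines of the kind quoted at the top of the thread, percent-decodes and normalises the requested path, and tags the three request patterns the posters attribute to Code Red/Nimda (`default.ida`, `root.exe`, and the traversal to `cmd.exe`). Anything it cannot tag is set aside for a human to read, which is the point: the worm noise is counted per source IP, and the remaining lines (such as the "URI too long" entry) stay visible. The sample log is the thread's own four lines plus two constructed ones; the DocumentRoot and the 192.0.2.x addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache 1.3 error_log line, as quoted in the thread:
# [Mon Jul 12 18:04:38 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/MSADC/root.exe
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
MISSING = "File does not exist: "
DOCROOT = "/var/www/htdocs"  # assumption: the poster's DocumentRoot, as seen in the log

# Request patterns the thread attributes to the IIS worms. Matched against the
# percent-decoded, lower-cased path, so "..%2f.." and "../.." look the same and
# MSADC == msadc (IIS paths are case-insensitive, so the worms do not care).
SIGNATURES = [
    ("CodeRed .ida probe", re.compile(r"/default\.ida$")),
    ("root.exe backdoor", re.compile(r"/(msadc|scripts|c|d)/root\.exe$")),
    ("cmd.exe probe", re.compile(r"winnt/system32/cmd\.exe$")),
]


def parse(line):
    """Split one error_log line into fields; add a normalised 'path' for 404s."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = None
    if rec["msg"].startswith(MISSING):
        path = rec["msg"][len(MISSING):]
        if path.startswith(DOCROOT):
            path = path[len(DOCROOT):]
        rec["path"] = unquote(path).lower()  # decode %2f, %5c etc.
    return rec


def classify(rec):
    """Return the signature name for a record, or None if it matches nothing."""
    if rec["path"] is None:
        return None
    for name, pat in SIGNATURES:
        if pat.search(rec["path"]):
            return name
    return None


def triage(lines):
    """Return (hits, other).

    hits:  client IP -> Counter of signature names (the worm noise, counted)
    other: parsed records that matched no signature and deserve a human look
    """
    hits = defaultdict(Counter)
    other = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits[rec["ip"]][label] += 1
        else:
            other.append(rec)
    return hits, other


# Constructed sample: the four lines quoted in the thread plus two made-up ones
# (a Nimda-style /c/winnt/... probe from a second address, and an ordinary 404).
SAMPLE_LOG = [
    "[Mon Jul 12 18:04:38 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/MSADC/root.exe",
    "[Mon Jul 12 18:04:53 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/scripts/..%2f../winnt/system32/cmd.exe",
    "[Wed Jul  7 18:06:10 2004] [error] [client 66.229.158.211] request failed: URI too long",
    "[Thu Jul 15 16:48:27 2004] [error] [client 66.229.158.211] File does not exist: /var/www/htdocs/default.ida",
    "[Thu Jul 15 17:02:11 2004] [error] [client 192.0.2.77] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe",
    "[Thu Jul 15 17:05:00 2004] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/favicon.ico",
]

if __name__ == "__main__":
    hits, other = triage(SAMPLE_LOG)
    for ip, counts in sorted(hits.items()):
        print(ip, dict(counts))
    print("--- not worm noise, read these:")
    for rec in other:
        print(rec["ip"], rec["msg"])
```

Run it against a real error_log with `triage(open("/var/log/apache/error_log"))`; the per-IP counters show which hosts are infected worm carriers, and the `other` list is the part of the log that actually needs reading.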

Gogeta_44
07-18-2004, 12:51 AM
That's just great. Now how can I prevent this from happening again, and what did the hacker compromise? I also take it that the hacker didn't perform a simple port scan, as it looks like it's an attempt at the Windows terminal server port 3389.

j79zlr
07-18-2004, 12:58 AM
You can't stop it, and nothing was compromised. If you have a webserver running, you are asking for someone to try and hack it. Make sure you're up-to-date with your server software, and that's 95% of the battle.

Gogeta_44
07-18-2004, 01:00 AM
What would you say is the latest version of Apache, PHP, etc. that I should use? Right now I'm using Slack 10's default with Apache 1.3.31.

Dark Ninja
07-18-2004, 01:12 AM
Exactly. Use the latest stable version. It's patched up with the most recent bug fixes. Also, Nimda and Code Red are all over the net, so don't be surprised if you see this kind of stuff all the time.

Also, you're running on Linux -- those are Windows exploits. Don't worry about it. If you want more security info, head to http://www.linuxsecurity.com/ or http://www.securityfocus.com/

Gogeta_44
07-18-2004, 01:17 AM
So is Apache 1.3.31 good? Also, because it appears to be Nimda or Code Red, does that mean it's just a worm, or is a person actually trying to hack me?

Icarus
07-18-2004, 02:38 AM
Originally posted by Gogeta_44
because it appears to be Nimda or Code Red, does that mean it's just a worm, or is a person actually trying to hack me?

It's just a worm, don't worry about it (unless you're running Windows and IIS ;))

Other than that, there is nothing to worry about... we've been dealing with this for the last 3+ years, and it's not going to get any better soon :D

bwkaz
07-18-2004, 01:57 PM
And even if you're running Windows and IIS, you're still only vulnerable if you haven't patched your IIS installation in the past ... oh, something like 2 years.

I get hit by that all the time too. It's really nothing to worry about, especially on a Linux box.

Gogeta_44
07-18-2004, 05:48 PM
that's good to hear, thanks!

endoalpha
07-18-2004, 07:07 PM
The saddest thing of all is that these worms are most likely coming from an infected machine, and the admin does not even know it, nor have they applied any patches over the last two years!

do_guh_new
07-19-2004, 08:13 AM
Personally, I get it every day. The only problem I have with it is that it kinda makes a log hard to read when you have to read in between all the garbage it leaves in my access log.
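One way to deal with the readability problem above, as an added example and not something the poster provided: Apache 1.3 can tag requests with mod_setenvif and write them to a log conditionally, so the worm noise goes to its own file instead of being interleaved with real traffic. The log paths are assumptions, and `combined` assumes the LogFormat nickname defined in the stock httpd.conf.

```apache
# Tag the request patterns seen in the thread (default.ida, root.exe,
# and the traversal to cmd.exe). Request_URI is the raw, undecoded URI,
# so match on the file names rather than on the "..%2f.." encoding.
SetEnvIfNoCase Request_URI "(default\.ida|root\.exe|cmd\.exe)" worm_noise

# Real traffic, minus the worm noise (assumed path)
CustomLog /var/log/apache/access_log combined env=!worm_noise

# The noise, kept separately so the evidence (and the infected IPs) is not lost
CustomLog /var/log/apache/worm_log combined env=worm_noise
```

Keeping the second log rather than discarding the requests matters: the per-IP counts are what you would send to the owner of an infected host, and a sudden change in the pattern is worth noticing.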

blingbling!!
07-19-2004, 09:21 AM
Have you got a firewall running? We routinely block all unused ports on all of our servers. IPTables is good for the job - check it out!

hth
--Robin

MB[DK]
07-19-2004, 09:26 AM
I got defaced last Friday. It looks like they got in through PHP 4.3.4, so make sure you upgrade that to version 5. Since it's the newest, I guess that would be best.

sharth
07-19-2004, 11:58 AM
Originally posted by MB[DK]
I got defaced last Friday. It looks like they got in through PHP 4.3.4, so make sure you upgrade that to version 5. Since it's the newest, I guess that would be best.

Personally, I'd recommend using the version your distro puts out (including security fixes). If your distro doesn't support PHP 5, then you would be responsible for constantly keeping up to date on any bug fixes and whatnot. Otherwise, your distro's maintainers should backport them to the current version, or simply upgrade to a stabler one.

Syngin
07-22-2004, 08:21 PM
Originally posted by j79zlr
yes those are hacking attempts, nothing you can do about it. The first 2 only affect Windows machines anyways. I believe they are Code Red, Nimda related.

Ditto.

At the height of Code Red, one server in particular that I was looking after was getting close to 40 of those requests a minute. Interesting that there are people who are still infected, heh.

j79zlr
07-22-2004, 11:10 PM
Originally posted by MB[DK]
I got defaced last Friday. It looks like they got in through PHP 4.3.4, so make sure you upgrade that to version 5. Since it's the newest, I guess that would be best.

You could use the latest PHP 4, which is at v4.3.8. Although PHP 5 seems to be fully stable, many PHP scripts may have to be rewritten to work with it. I know phpBB is not PHP 5 compatible, or at least not supported by their team, until v2.2.x comes out.