
Am I Under Attack?

 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
Here are some log entries from my Wiki, all from one IP address which I hid ... is somebody trying to break in? Or just running some kind of tool against my site? They seem to think I'm an IIS server.
 
Joe Ess
Bartender
Posts: 9361
Probably. There's a Frontpage extension exploit that tries to post something harmful to shtml.exe. If you aren't using the extensions, there's no problem aside from the possible DOS. Do a reverse DNS and inform the IP's web master or their ISP. The machine is probably compromised itself. When Code Red was rampant, I had the distinct pleasure of contacting a local web security consultant to inform him that his domain was a zombie. Good times!
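The check discussed in the two posts above, as an added example that is not part of the thread: group access-log lines by client IP, count requests for FrontPage/IIS-style paths, and list any that were answered with a non-error status. The log lines are constructed, and the Common Log Format and the `_vti_`/`.dll` patterns are assumptions, since the original log entries are not shown on the page.

```python
import re
from collections import defaultdict

# Constructed sample lines (Common Log Format assumed, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2004:10:01:02 +0000] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 210
203.0.113.7 - - [12/Mar/2004:10:01:03 +0000] "GET /_vti_inf.html HTTP/1.1" 404 210
203.0.113.7 - - [12/Mar/2004:10:01:04 +0000] "GET /scripts/sample.dll HTTP/1.1" 200 512
198.51.100.4 - - [12/Mar/2004:10:02:00 +0000] "GET /wiki/FrontPage HTTP/1.1" 200 4096
"""

# client IP, method, path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})\b')

# Paths a server that is not IIS has no reason to serve: FrontPage "_vti_"
# directories and .exe/.dll endpoints such as shtml.exe (patterns assumed).
# A wiki page that is merely named "FrontPage" must not match.
PROBE_RE = re.compile(r'(/_vti_|\.(exe|dll)(/|\?|$))', re.IGNORECASE)


def summarize_probes(log_text):
    """Return {ip: {"probes": count, "answered": [paths with status < 400]}}."""
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, path, status = m.groups()
        if PROBE_RE.search(path):
            entry = report[ip]
            entry["probes"] += 1
            # A 2xx/3xx reply means something on the box handled the request,
            # so that path deserves a closer look than the 404s do.
            if int(status) < 400:
                entry["answered"].append(path)
    return dict(report)


if __name__ == "__main__":
    for ip, info in summarize_probes(SAMPLE_LOG).items():
        print(ip, info["probes"], "probe(s); answered:", info["answered"] or "none")
```

Probes that all return 404 match the "no problem aside from the possible DoS" case; anything in the answered list is what to check against whatever else is listening on the same machine.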
 
Maki Jav
Ranch Hand
Posts: 447
Hi,

I was once connected to the internet through dialup and also running a Java-based server-type program which received requests at port 80 and displayed client socket info. My OS is Win 98. I was surprised to find that a guy connected to my server. The guy was from Hong Kong. I disconnected as soon as possible. What was he trying to do?

Maki Jav
 
Joe Ess
Bartender
Posts: 9361
It probably wasn't even a "guy". Most of these attacks are performed by scripts run on previously compromised computers. The scripts run brute force attacks against any port they can find. If you aren't running a service that can be compromised, as Stan is not running Frontpage extensions on his web server, the script can't do anything (well, other than flood you with requests). In your case it is unlikely that your Java server could have been compromised. Hacking requires intimate knowledge of the inner workings of a server to exploit bugs in the program. A simple socket receive and print out probably (giving you the benefit of the doubt) doesn't have any holes. Other services on your Windows machine, like disk and print sharing, can be remotely compromised. Lessons: Turn off unneeded services and run a firewall. They can't hack what ain't running and what they can't see.
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
I'm practicing security through obscurity - since I wrote this server from scratch I doubt most usual exploits will have any effect. But I put the source on the site, so somebody who wants to take the time could try to write something, I guess. There is an IIS server on the same box, though. I wonder if they got through to it!
 
Maki Jav
Ranch Hand
Posts: 447
Hi,

Thank God I was not running any such application that can be compromised, and yes, my server was just a raw one that I was using to test connecting to my own system through dialup. No problems have been detected so far after that incident.

Thanks

Maki Jav
 