[thelist] domain under attack??

Peter lists at szaroconsulting.com
Thu Dec 20 07:52:14 CST 2001


Not much you can do about it because you are running Apache. What you can do
is prevent it from filling up your logs. Place the following in your
.htaccess file:

redirect /scripts http://www.stoptheviruscold.invalid
redirect /MSADC http://www.stoptheviruscold.invalid
redirect /c http://www.stoptheviruscold.invalid
redirect /d http://www.stoptheviruscold.invalid
redirect /_mem_bin http://stoptheviruscold.invalid
redirect /msadc http://stoptheviruscold.invalid
# Catch any remaining request whose path ends in cmd.exe
RedirectMatch (.*)cmd\.exe$ http://stoptheviruscold.invalid$1

~~~~~~~~~~~
Peter

-----Original Message-----
From: thelist-admin at lists.evolt.org
[mailto:thelist-admin at lists.evolt.org]On Behalf Of Fortune Elkins
Sent: Tuesday, December 18, 2001 9:08 AM
To: thelist at lists.evolt.org
Subject: [thelist] domain under attack??


hiya!

one of the little domains for which i'm the webmaster appears to be under
attack. i'm not sure what to do.

the host is all apache. when i look at the list of documents not found in my
server log reports, i see a huge list of files the hackers are after, which
luckily don't exist, because it's not a windows server and i don't use front
page:

 /scripts/..%5c../winnt/system32/cmd.exe [Referrers]  993
 /scripts/root.exe [Referrers]  981
 /MSADC/root.exe [Referrers]  972
 /c/winnt/system32/cmd.exe [Referrers]  966
 /d/winnt/system32/cmd.exe [Referrers]  959
 /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe [Referrers]  954
 /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe [Referrers]  952
 /msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á ../winnt/system32/cmd.exe [Referrers]  951
 /scripts/..Á ../winnt/system32/cmd.exe [Referrers]  948

the numbers after the names are the times they have tried to access the
files. from looking at my logs, it seems right now that about 50% of the
site's accesses are these kind of probes.

what should i do, if anything, besides contact my hosting service?

any hints, tips, and advice, deeply appreciated!

tia,

f

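A log-triage sketch for the situation discussed in this thread, added here as an example and not code from either poster: it measures what share of access-log requests match the probe paths in the report above. The Common Log Format input, the constructed sample lines and the names `probe_dir` and `summarize` are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request line inside a Common Log Format entry: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Top-level directories and file names taken from the report in the thread
PROBE_DIRS = {"scripts", "msadc", "c", "d", "_vti_bin", "_mem_bin"}
PROBE_FILES = {"cmd.exe", "root.exe"}

def probe_dir(target):
    """Return the probed top-level directory, or None for an ordinary request."""
    # Decode %5c and friends, treat backslashes as separators, ignore case
    path = unquote(target.split("?", 1)[0]).replace("\\", "/").lower()
    segments = [s for s in path.split("/") if s]
    if len(segments) >= 2 and segments[0] in PROBE_DIRS and segments[-1] in PROBE_FILES:
        return segments[0]
    return None

def summarize(lines):
    """Return (total requests, probe requests, Counter of probed directories)."""
    total = probes = 0
    dirs = Counter()
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not a parseable request line
        total += 1
        hit = probe_dir(match.group(1))
        if hit:
            probes += 1
            dirs[hit] += 1
    return total, probes, dirs

# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE = [
    '192.0.2.10 - - [18/Dec/2001:09:00:01 -0600] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 285',
    '192.0.2.10 - - [18/Dec/2001:09:00:02 -0600] "GET /MSADC/root.exe HTTP/1.0" 404 270',
    '192.0.2.77 - - [18/Dec/2001:09:00:05 -0600] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 280',
    '192.0.2.77 - - [18/Dec/2001:09:00:06 -0600] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 300',
    '198.51.100.4 - - [18/Dec/2001:09:01:10 -0600] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.4 - - [18/Dec/2001:09:01:12 -0600] "GET /scripts/site.js HTTP/1.0" 200 812',
    '198.51.100.9 - - [18/Dec/2001:09:02:30 -0600] "GET /downloads/setup.exe HTTP/1.0" 200 90211',
    '198.51.100.9 - - [18/Dec/2001:09:02:41 -0600] "GET /contact.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    total, probes, dirs = summarize(SAMPLE)
    print(f"{probes}/{total} requests ({probes / total:.0%}) match the probe paths")
    for name, count in dirs.most_common():
        print(f"  /{name}: {count}")
```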