  #1  
Old October 7th, 2002, 11:45 PM
buc99's Avatar
Don't Tread on Me!
 
Join Date: Aug 2001
Location: The US of A!
Posts: 386
buc99 is on a distinguished road
Emergency... Network help please ...

I turned off the firewall on my Mac to update some data with Quicken, since Quicken was using a port that I did not know was being blocked by my firewall. (By the way, does anyone know what port Quicken uses for online banking?) Stupid me, I forgot to turn the firewall app back on. I noticed a lot of activity on my cable modem and I was not using my computer. So I checked the access_log with "tail /var/log/http/access_log" and found the following:

xxx.xxx.xxx.xxx - - [07/Oct/2002:21:41:49 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 352
xxx.xxx.xxx.xxx - - [07/Oct/2002:21:41:52 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
xxx.xxx.xxx.xxx - - [07/Oct/2002:21:41:55 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
xxx.xxx.xxx.xxx - - [07/Oct/2002:21:42:01 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
xxx.xxx.xxx.xxx - - [07/Oct/2002:21:42:04 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
xxx.xxx.xxx.xxx - - [07/Oct/2002:21:42:06 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 302
xxx.xxx.xxx.xxx - - [07/Oct/2002:21:42:09 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 302
xxx.xxx.xxx.xxx - - [07/Oct/2002:21:42:12 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319
xxx.xxx.xxx.xxx - - [07/Oct/2002:21:42:15 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319
199.173.12.4 - - [07/Oct/2002:22:00:21 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 339

The xxx.xxx.xxx.xxx of course is my IP address that I x'd out. What is all of this winnt stuff? Am I infected? Has someone hacked me? If so, who, and how do I get them in return?

Do I need to wipe my computer and re-install?

Yes I know this was a boneheaded mistake, but I sometimes neglect this computer.

Thanks in Advance.
SA
__________________
I can do everything on my Mac I used to do on my PC, plus a lot more.

--Me
  #2  
Old October 8th, 2002, 09:01 AM
Defender of the Realm
 
Join Date: Jun 2001
Location: nyc
Posts: 129
alexrd is on a distinguished road
I wouldn't worry too much. The first bunch of lines seem to be script kiddies probing for IIS vulnerabilities (of course, since you're not running winblows, you don't have any). The last line is a CodeRed variant trying to spread (also something you don't have to worry about).

So chances are you're OK. But of course it's the infiltration that you _don't_ see that you should be worried about.

At any rate, turn on your IP filter (firewall) and you should be fine.

As to Quicken and online banking: It doesn't use port 80? Actually, come to think of it, it's more likely to be port 443 (the https port). It seems strange that Quicken would need to actually listen on a port, as opposed to opening a connection itself... oh well. If it's not one of those two ports, I'm stumped.

Hope this helps.

-alex.
__________________
Beige G3 desktop w/500MHz G4 ZIF
768 MB RAM, PCI Radeon & USB/Firewire
-
TiBook 550MHz 256MB DVD
-
Mac OS X 10.2.4(6I32) on each.
----
PIII500/128MB workhorse running NetBSD 1.6
----
All sorts of Suns and SGIs running all sorts of UNIXy OSes...
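The classification alex describes (IIS traversal probes versus a CodeRed hit, all rejected with 4xx) is easy to check mechanically. The script below is an added example, not code from the thread: it parses Apache common-log lines like the ones quoted above, labels each request by the encoded-traversal and default.ida patterns seen there, and flags only a probe that was actually served (2xx/3xx), which is the one case that would merit a closer look. The sample lines and IP addresses are constructed, not the poster's log.

```python
import re
from collections import Counter

# Apache common log format, as in the access_log excerpt:
# host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')

# Encoded "../" and "..\" forms used by the IIS traversal probes in the thread
# (overlong UTF-8 such as %c0%af / %c1%1c, double-encoded %255c / %252f, etc.)
IIS_TRAVERSAL_RE = re.compile(
    r'\.\.(?:%c0%af|%c0%2f|%c1%1c|%c1%9c|%252f|%255c|%25%35%63|%%35%63|%%35c)', re.I)
CMD_EXE_RE = re.compile(r'/winnt/system32/cmd\.exe', re.I)
# CodeRed: GET /default.ida? followed by a long padding run and %u-encoded payload
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]{20,}.*%u[0-9a-f]{4}', re.I)

def classify(path):
    """Label a request path; 'benign' means neither probe family matched."""
    if CODE_RED_RE.search(path):
        return 'code-red'
    if CMD_EXE_RE.search(path) or IIS_TRAVERSAL_RE.search(path):
        return 'iis-traversal'
    return 'benign'

def parse_line(line):
    """Return a dict for one log line, or None if it is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['label'] = classify(rec['path'])
    # These probes target IIS; on Apache they should only ever get 4xx.
    rec['suspicious_success'] = rec['label'] != 'benign' and rec['status'] < 400
    return rec

def summarize(lines):
    """Count probes per (host, label) and collect any that were not rejected."""
    counts, served = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if rec['label'] != 'benign':
            counts[(rec['host'], rec['label'])] += 1
        if rec['suspicious_success']:
            served.append(rec)
    return counts, served

# Constructed sample lines modelled on the thread's excerpt (not the poster's log)
SAMPLE = [
    '10.0.0.1 - - [07/Oct/2002:21:41:52 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318',
    '10.0.0.1 - - [07/Oct/2002:21:42:06 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 302',
    '10.0.0.2 - - [07/Oct/2002:22:00:21 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 339',
    '10.0.0.3 - - [07/Oct/2002:22:05:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]
```

Running `summarize(SAMPLE)` gives two traversal probes from one host and one CodeRed hit from another, with an empty "served" list, which is exactly the harmless picture the replies describe.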
  #3  
Old October 8th, 2002, 09:15 AM
buc99's Avatar
Don't Tread on Me!
 
Join Date: Aug 2001
Location: The US of A!
Posts: 386
buc99 is on a distinguished road
Hmm.

I did a virus scan with Norton and nothing came up. Would it not find code red? And how do I get rid of code red?

I use this machine as backup. There should not be any info of importance in it. (my boring life) Would it be wise to go ahead and wipe this machine and re-install then? This way I can keep a clean system?

Also where can I look to see what they have been up to on my system?

How can I find who is at 199.173.12.4 and report them?

Thanks in Advance.
SA
__________________
I can do everything on my Mac I used to do on my PC, plus a lot more.

--Me
  #4  
Old October 8th, 2002, 10:39 AM
davidbrit2's Avatar
Licensed Computer Geek
 
Join Date: Sep 2000
Location: Michigan, USA
Posts: 787
davidbrit2 is on a distinguished road
Don't worry; you don't have CodeRed. It's only capable of breaking into unpatched Windows NT based servers.

As for reporting the IP it came from, there probably wouldn't be much of a point. CodeRed runs by itself and spreads automatically, so the chances of someone at that computer actively trying to get into your system are slim to none.
__________________
You can have my iBook when you pry it from my cold, dead fingers.
iBook - The computer of choice for the enlightened CS major. Come on Apple, let me do a commercial. ;-)
"An alloc a day keeps the DRAM away!"
  #5  
Old October 8th, 2002, 11:08 AM
roger's Avatar
Registered User
 
Join Date: May 2001
Location: UK
Posts: 356
roger is on a distinguished road
I would reiterate what davidbrit2 says. The logs indicate that your system was being probed, initially for Microsoft web server failings (you don't have that) and then the code red trying to get onto your system, and failing, because you have a Mac.

Nothing has got onto your system according to those logs, so just put up the IP filtering and don't worry.

R.
__________________
iBook SE Graphite OSX
iMac DV+ OSX
Airport Base Station
20GB iPod
Bluetooth and t68i
  #6  
Old October 8th, 2002, 11:50 AM
buc99's Avatar
Don't Tread on Me!
 
Join Date: Aug 2001
Location: The US of A!
Posts: 386
buc99 is on a distinguished road
Thank You all.

Thanks Everyone.

I feel really stupid for leaving my Mac that vulnerable.

I put up the firewall, but I notice that these "script kiddies" are still probing port 80 on my machine, as well as "code red". Is this going to continue forever, or do I need to shut down port 80 and serve off another priv port? I also checked the IP in front of the "code red" probe and it gave me the website for the NJ Plainfield school board. They were wide open and probably infected, so I contacted their admin.

Is there any way to track down these "script kiddies" to report them? Just curious. I think it would be cool to fight back.

Thanks.
SA
__________________
I can do everything on my Mac I used to do on my PC, plus a lot more.

--Me
  #7  
Old October 8th, 2002, 04:42 PM
Registered User
 
Join Date: Mar 2002
Location: Denver
Posts: 134
BSDimwit is on a distinguished road
The script kiddies aren't probing your machine... other already compromised IIS Windows servers are. This is how the virus spreads. Microsoft stuff is vastly less secure, hence everyone's efforts in trying to break into them. You are running a BSD system, which by its very nature is way more secure; on top of that, you seem to have your firewall up too (most of the time), so fear not... simply keep doing what you are doing and you should be fine. Keep up with your security updates and I doubt you will have many problems. Sure, some unix-like boxes get rooted, but they are way more rare, and as fate would have it your box ain't Linux, so that will discourage most of the real script kiddies out there. Be glad Apple went with BSD!!!
__________________
BSDimwit
Titanium Powerbook 550
512MB ram