[oETTi]
01.11.03, 23:57
Hello everyone,
while analyzing my access_log I found the following entries.
Unfortunately, it is not quite clear to me what happened here.
Maybe one of you can explain to me what this means and how I can protect myself against it (if necessary).
209.187.115.110 - - [01/Nov/2003:20:29:28 +0100] "CONNECT 209.187.115.69:80 HTTP/1.0" 200 17295
62.26.127.130 - - [01/Nov/2003:22:39:28 +0100] "GET http://webeye.euirc.net:80/proxytest.php HTTP/1.0" 404 281
65.215.16.246 - - [02/Nov/2003:01:06:10 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12387
edit:
[root@MARAUDER logs]# nmap -sS -O -P0 209.187.115.69
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on bg.kusav.be (209.187.115.69):
(The 1595 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
80/tcp open http
111/tcp filtered sunrpc
2049/tcp filtered nfs
3306/tcp filtered mysql
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 17.056 days (since Thu Oct 16 01:09:01 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 51 seconds
[root@MARAUDER logs]# nmap -sS -O -P0 65.215.16.246
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (65.215.16.246):
(The 1589 ports scanned but not shown below are in state: closed)
Port State Service
53/tcp open domain
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1030/tcp open iad1
3372/tcp open msdtc
4444/tcp open krb524
5800/tcp open vnc-http
5900/tcp open vnc
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
Nmap run completed -- 1 IP address (1 host up) scanned in 21 seconds
Maybe that helps.
Looks like it was a script kiddie :mad:
Thanks.
[oETTi]
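An added example, not part of the original post: CONNECT and a GET with a full URL are the request forms a client sends to a forward proxy, so this sketch scans a Common Log Format access log for them and marks the ones the server answered with a 2xx status. The function names, the `needs_review` field and the fourth sample line (192.0.2.10) are constructed for illustration.

```python
import re

# Constructed sample: the three entries from the post plus one ordinary request.
SAMPLE_LOG = """\
209.187.115.110 - - [01/Nov/2003:20:29:28 +0100] "CONNECT 209.187.115.69:80 HTTP/1.0" 200 17295
62.26.127.130 - - [01/Nov/2003:22:39:28 +0100] "GET http://webeye.euirc.net:80/proxytest.php HTTP/1.0" 404 281
65.215.16.246 - - [02/Nov/2003:01:06:10 +0100] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12387
192.0.2.10 - - [02/Nov/2003:01:07:00 +0100] "GET /index.html HTTP/1.0" 200 512
"""

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(request):
    """Return 'connect', 'absolute-uri' or None for a logged request line."""
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return "connect"
    # scheme://... as the request target; HTTP/1.1 clients may legitimately
    # send this form for the server's own host name, so review before blocking.
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return "absolute-uri"
    return None

def find_proxy_requests(log_text):
    """List proxy-style requests; needs_review marks those answered with 2xx."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        kind = classify(m["request"]) if m else None
        if kind is None:
            continue
        status = int(m["status"])
        findings.append({
            "host": m["host"], "time": m["time"], "kind": kind,
            "target": m["request"].split()[1], "status": status,
            # 2xx means the request was not refused; it does not by itself
            # prove that traffic was relayed, so confirm on the server.
            "needs_review": 200 <= status < 300,
        })
    return findings

if __name__ == "__main__":
    for f in find_proxy_requests(SAMPLE_LOG):
        flag = "REVIEW" if f["needs_review"] else "refused"
        print(f["time"], f["host"], f["kind"], f["target"], f["status"], flag)
```

Entries marked for review are the ones to compare against the server's proxy configuration, since the status code alone does not show what was returned.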