Is someone breaking into my computer?

vaterlo

This is more Apache question. But anyway I have installed apache/php on my local computer (win xp). All works all right, but then yesterday i looked through access.log and noticed some lines with different ips than my localhost (127.0.0.1), And it looked like they where accessing weird things like:

80.81.122.9 - - [14/Jul/2003:15:41:06 +0300] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 305
81.91.33.138 - - [09/Jun/2003:16:41:58 +0300] "GET http://argon.oxeo.com/test.txt HTTP/1.1" 404 288
209.45.73.67 - - [18/Jun/2003:18:43:32 +0300] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
194.206.148.45 - - [09/Jul/2003:14:35:55 +0300] "GET /.hash=c16a73fae8b31b716f78b3c9d7736eb9129811c6 HTTP/1.1" 404 326
80.133.126.30 - - [11/Jul/2003:21:51:22 +0300] "OPTIONS * HTTP/1.0" 200 -
212.122.182.121 - - [11/Jul/2003:21:07:08 +0300] "GET http://free.evro.net/ HTTP/1.1" 200 636

Since i dont host my computer as public server i wanted to know does it smell like hax0r?!

ahundiak

Yep. You basically have a unprotected computer connect directly to the internet. Unless you have really kept up in security patches then it's probably already been taken over.

Boris_Senker

Have you tried setting up Allow, Deny in httpd.conf? I bet you have it set up as Allow from All?

Mordecai

With Apache, those requests are useless. I had the same thing, it's basically what Code Red did. If you were using IIS, your computer would be in the hands of some script kiddie by now.

You're obviously connected to the internet somehow--whether it be through tunneling or a direct connection, I know not. I'd say you need to examine your network connection settings a bit more thoroughly.

Boris_Senker

Mordechai is right, the settings that need to be set up are:

Administrative Tools/Local Security Policy.

I had to reinstall two pcs and lost some files due to this. The problem is... DID SOMEONE PUBLISH SOME SECURITY FLAW OVER THE INTERNET? Quite a few people reported the same problem!

Boris_Senker

THIS IS THE TRACE TO THAT ARGON.OXEO link you put from Croatia where I live:

Network id#: 2
Telecom Italia - International Division
Network id#: 3
London Internet Exchange
2nd Floor
92-94 Tooley Street
London SE1 2TH
ENGLAND
Network id#: 4
Williams Communications, Incorporated WCG-BLK-1 (NET-64-200-0-0-1)
64.200.0.0 - 64.200.255.255
Williams Communication IP Services WLCO-NYCMNY2INTERN-30 (NET-64-200-86-0-1)
64.200.86.0 - 64.200.87.255
Network id#: 5
Williams Communications, Incorporated WCG-BLK-1 (NET-64-200-0-0-1)
64.200.0.0 - 64.200.255.255
Williams Communication IP Services WLCO-NYCMNY2INTERN-30 (NET-64-200-86-0-1)
64.200.86.0 - 64.200.87.255
Network id#: 6
Williams Communications, Incorporated WCG-BLK-1 (NET-64-200-0-0-1)
64.200.0.0 - 64.200.255.255
Williams Communication IP Services WLCO-NYCMNY2INTERN-30 (NET-64-200-86-0-1)
64.200.86.0 - 64.200.87.255
Network id#: 7
OrgName: Williams Communications, Incorporated
OrgID: WLCO
Address: One Williams Center
City: Tulsa
StateProv: OK
PostalCode: 74172
Country: US
Network id#: 8
OrgName: ISPrime, Inc.
OrgID: IPRM
Address: 25 Broadway
Address: 6th Floor
City: New York
StateProv: NY
PostalCode: 10004-1086
Country: US
Network id#: 9
ISPrime, Inc. ISPRIME (NET-66-230-128-0-1)
66.230.128.0 - 66.230.175.255
oXeo Networks OXEO-66-230-140-64 (NET-66-230-140-64-1)
66.230.140.64 - 66.230.140.95
NeoTrace Trace Version 3.25 Results
Target: argon.oxeo.com
Date: 25.7.2003 (Friday), 1:44:54
Nodes: 15

6 2 1 195.22.192.105 Milano mil8-hpt-3-hr.seabone.net
7 2 1 195.22.209.105 Unknown linx-lon1-racc2.lon.seabone.net
8 3 2 195.66.224.105 Unknown lndnuk1icx1.wcg.net
9 4 2 64.200.87.149 Unknown nycmny2wcx2-oc12.wcg.net
10 5 2 64.200.87.230 Unknown nycmny2wcx3-pos10-0.wcg.net
11 6 2 64.200.87.110 Unknown nycmnyhlce1-oc48.wcg.net
12 7 2 64.200.229.190 Unknown nycmnyhlce1-gige5-1.wcg.net
13 8 3 66.230.129.134 Unknown 3-2.gige.nyc25b.oxeo.com
14 8 3 66.230.128.198 Unknown 3-1.gige.nyc25b.oxeo.com
15 9 3 66.230.140.66 Unknown argon.oxeo.com

Packet Data
Node High Low Avg Tot Lost
1 0 0 0 1 0
2 ---- ---- ---- 2 2
3 134 134 134 1 0
4 134 134 134 1 0
5 121 121 121 1 0
6 150 150 150 1 0
7 191 191 191 1 0
8 390 390 390 1 0
9 492 492 492 1 0
10 460 460 460 1 0
11 277 277 277 1 0
12 257 257 257 1 0
13 324 324 324 1 0
14 245 245 245 1 0
15 263 263 263 1 0

Network Data
Network id#: 1
MY FIRST NODE

Network id#: 2
Telecom Italia - International Division
Via di Macchia Palocco 223
00125 Roma
Italy

Network id#: 3
London Internet Exchange
2nd Floor
92-94 Tooley Street
London SE1 2TH
ENGLAND

Network id#: 4
Williams Communications, Incorporated WCG-BLK-1 (NET-64-200-0-0-1)
64.200.0.0 - 64.200.255.255
Williams Communication IP Services WLCO-NYCMNY2INTERN-30 (NET-64-200-86-0-1)
64.200.86.0 - 64.200.87.255

Network id#: 5
Williams Communications, Incorporated WCG-BLK-1 (NET-64-200-0-0-1)
64.200.0.0 - 64.200.255.255
Williams Communication IP Services WLCO-NYCMNY2INTERN-30 (NET-64-200-86-0-1)
64.200.86.0 - 64.200.87.255

Network id#: 6
Williams Communications, Incorporated WCG-BLK-1 (NET-64-200-0-0-1)
64.200.0.0 - 64.200.255.255
Williams Communication IP Services WLCO-NYCMNY2INTERN-30 (NET-64-200-86-0-1)
64.200.86.0 - 64.200.87.255

Network id#: 7

OrgName: Williams Communications, Incorporated
OrgID: WLCO
Address: One Williams Center
City: Tulsa
StateProv: OK
PostalCode: 74172
Country: US

Network id#: 8

OrgName: ISPrime, Inc.
OrgID: IPRM
Address: 25 Broadway
Address: 6th Floor
City: New York
StateProv: NY
PostalCode: 10004-1086
Country: US

Network id#: 9
ISPrime, Inc. ISPRIME (NET-66-230-128-0-1)
66.230.128.0 - 66.230.175.255
oXeo Networks OXEO-66-230-140-64 (NET-66-230-140-64-1)
66.230.140.64 - 66.230.140.95

I was receiving such stuff from virtually every ISP in the world, more than 200 port access attempts per hour to every port imaginable: Carribean, Netherlands, China, Japan, Korea, USA, UK, you name it. No usable IPs however, all of them ended at something like above. Usually between 8 and 15 nodes.

Then I couldn't upload anything larger than the first packet (ex. mails with attachments, ftp uploads). Only no attachment mails went through, my connection was dropping every few mins.

Then I have found some strange files in my windows and windows/system dirs. All named with caps letter sand named like SPYDER.SOMETHING etc. Then I've lost all Favorites and Outlook data and started losing system files.

It went by ZoneAlarm, system security I've setup using LANGuard and I had only 5 OPEN PORTS! I saw a zillion alert logs (ZoneAlarms daily logs for 1-2 hours of internet access were between 50 and 128 kb!!! No trace just alerts, and to this day I don't know how it got in and what exactly to do to stop it. Only guess.

Where were those hackers trained? In Microsoft itself? Hate to say but THEY ARE DAMN GOOD. No way those were beginner kid hacker-wannabees. These guys are HARD TRAINED PROS.

A few of the people I know reported the same problem, ALL of them used XP and Apache and ALL were either in programming or web design.

touchingvirus

/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"

An IIS script flaw, not so bad if you used IIS and had all the patches. But if u didnt, well then, script kiddies unite. Just to be safe, check your computer for servudaemon.ini and nc.exe..the hackers swiss army knife 🙂

Seal up your apache too..

And Boris, 1 open port is enough to gain entry to a computer, you dont need 5, and many times it is the server admins own fault, for forgetting to change default passwords like in SQL they forget to change root/[blank] to something of their own choice..or sa/[blank]

If server admins cant have the sense to change passwords, then they "deserve" used in very light terms to be hacked for stupidity 😃, im not saying that you did any of the above, because i dont know, but it is something to bear in mind.

Russell2000

I found this site while researching Williams Communications. This company was said to be hosting an Al Qaeda website. Check this out!

http://www.sqlspace.com/viewtopic.php?t=3594

[url]ftp://69.44.154.225/upload_here/[/url]

Is this related to your problem?

Boris_Senker

LOL now this is shocking :eek: 😕

Russell2000

Boris. why is that funny? What is Williams Communications Inc.? ISP provider?

Boris_Senker

You got me wrong - it IS shocking, I have read the whole thread etc.

Russell2000

Ok. I'm trying to figure out if this is really from a terrorist website or if it is some sort of hoax. Do you have an opinion about that?
I did a search for Williams Communications Inc. and this thread was at the top of the search list. I thought it was interesting that the topic was "Is Someone Breaking into My Computer" If it is for real, can you help track the perps?