Is someone trying to hack into my site?


requestcode
04-14-2004, 04:02 PM
I think someone is trying to hack into my site, but don't know how to investigate it. What tools are there, and what actions, if any, can I take? Here is an abbreviated example:

Host: 81.161.208.241 Url: /frames/demo/anchorpage.html Http Code : 200
Date: Apr 14 02:39:55 Http Version: HTTP/1.1" Size in Bytes: 598
Referer: http://www.requestcode.com/frames/demo/franchor.html Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)

Host: 69.73.3.128 Url: /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02 \xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 \x02\xb1

gsnedders
04-14-2004, 07:38 PM
Can you put some more examples up?

requestcode
04-14-2004, 08:02 PM
OK, that first example has the wrong info as far as the host IP and referrer info. Here is what it should look like:
x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" Http Code : 347
Date: Apr 14 09:38:25 Http Version: 414 Size in Bytes: "-"
Referer: - Agent:

With the host being: 69.73.4.80

Another:
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" Http Code : 347
Date: Apr 14 09:05:05 Http Version: 414 Size in Bytes: "-"
Referer: - Agent:
the host being: 69.47.99.65

gsnedders
04-14-2004, 09:36 PM
I've tracked those IPs to Verio (http://www.verio.com/)

fpuffett
04-16-2004, 06:22 PM
Hi
I have been getting the same stuff on my site for a while now.
Always from IPs beginning with 69.
For example: 69.14.233.01
69.132.112.150
69.156.28.138
69.47.204.183
69.193.18.40
69.14.173.10
69.9.255.68
and so on.
Blocking 69. or 69.* or 69.*.*.* using cPanel IPDeny does not make any difference, it keeps coming. :mad:
Any help or info would be appreciated.
Frank

firepages
04-16-2004, 07:50 PM
Unless you are running an unpatched IIS don't worry about it, banning the IP is probably a waste of time (and only upsets real visitors) ... unless the same one crops up constantly in which case someone (other than a robot) is making a concerted attack.
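
One way to check the distinction made in the reply above (scattered robot noise versus one source coming back constantly), as an added example that is not part of the original thread: it counts requests made up mostly of `\xNN` escaped bytes per source host. It assumes Apache common/combined log format; the sample lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log: host ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(.*)" (\d{3}) (\S+)')
# Apache writes non-printable request bytes as a literal backslash, x, two hex digits
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')


def escaped_ratio(request):
    """Fraction of the logged request line that consists of \\xNN escapes."""
    if not request:
        return 0.0
    return 4 * len(ESCAPED_BYTE.findall(request)) / len(request)


def triage(lines, min_ratio=0.5, repeat_threshold=3):
    """Return (hits per host, hosts at or above repeat_threshold).

    A hit is a request whose line is at least min_ratio escaped bytes.
    Both thresholds are assumptions to tune against your own traffic.
    """
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        host, request, _status, _size = m.groups()
        if escaped_ratio(request) >= min_ratio:
            hits[host] += 1
    repeat_hosts = sorted(h for h, n in hits.items() if n >= repeat_threshold)
    return hits, repeat_hosts


def _probe(host, when, filler):
    # Constructed log line: a request that is nothing but escaped bytes
    return f'{host} - - [{when}] "{filler}" 414 347 "-" "-"'


# Constructed sample data (documentation address ranges, not real hosts)
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2004:02:39:55 -0500] '
    '"GET /frames/demo/anchorpage.html HTTP/1.1" 200 598 "-" "Mozilla/4.0"',
    _probe('198.51.100.7', '14/Apr/2004:09:05:05 -0500', '\\x90' * 40),
    _probe('198.51.100.9', '14/Apr/2004:09:38:25 -0500', '\\x90\\x02\\xb1' * 30),
    _probe('203.0.113.5', '14/Apr/2004:10:01:00 -0500', '\\x90' * 60),
    _probe('203.0.113.5', '14/Apr/2004:10:01:02 -0500', '\\x90' * 60),
    _probe('203.0.113.5', '14/Apr/2004:10:01:04 -0500', '\\x90' * 60),
]

if __name__ == "__main__":
    hits, repeat_hosts = triage(SAMPLE_LOG)
    print("hits per host:", dict(hits))
    print("repeat sources:", repeat_hosts)
```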

requestcode
04-19-2004, 03:13 PM
Thank you error404 and firepages. I am still receiving them, but I guess there is not much I can do. I have reported them in hopes that they are at least monitoring it.