On Thu, May 01, 2003 at 06:17:03PM +0200, netops@tdcadsl.dk wrote:
Thanks for all the replies. This email contains snips of my log files. There is some interesting reading, particularly the messages log. It seems a samba string overflow caused some problems from April 21 to 29 - scroll down to see the logs. Does this mean that a hacker has gotten control of my box?
In a number of replies people talk about a cracker, eh, what is a cracker? And what is the difference from a hacker?
"Cracker" is the correct term for what you're calling a "Hacker". For a full definition:
http://www.catb.org/~esr/jargon/html/entry/cracker.html
http://www.catb.org/~esr/jargon/html/entry/hacker.html
No data seems to be missing from the apache access log on April 21 6pm - but there seems to be some kind of hacking attempt at that time. Here is a snip of that log:
80.235.135.50 - - [21/Apr/2003:16:32:22 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 629 [snip]
Looks like lots of attempts from Nimda/CodeRed and/or variants. These worms also attempt to propagate via SMB, so they might be the cause of the samba log file as well.

--
David Smith         Work Email: Dave.Smith@st.com
STMicroelectronics  Home Email: David.Smith@ds-electronics.co.uk
Bristol, England    GPG Key: 0xF13192F2
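A defender-side check for the request shape quoted in the access log above, as an added example that is not part of the original thread: it parses Apache common-log lines, counts `/default.ida` probes per source host, and separates the ones the server answered with a 4xx from any that got a different status. The function names, the 50-character filler threshold and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
# Shape of the request quoted in the thread: /default.ida?, a long run of one
# filler character, then %uXXXX escapes.
PROBE = re.compile(r'^GET /default\.ida\?(.)\1{50,}.*%u[0-9a-f]{4}', re.I)

def classify(line):
    """Return a dict for a default.ida probe, or None for any other line."""
    m = CLF.match(line)
    if not m:
        return None
    host, when, request, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
    if not PROBE.match(request):
        return None
    # A 4xx means this server had nothing at that path, as with the 404 above.
    # Any other status is unexpected for this request and worth a closer look.
    outcome = "rejected" if 400 <= status < 500 else "review"
    return {"host": host, "time": when, "status": status, "outcome": outcome}

def summarize(lines):
    """Count probes per source host and collect the ones needing review."""
    hits = [h for h in map(classify, lines) if h]
    per_host = Counter(h["host"] for h in hits)
    return per_host, [h for h in hits if h["outcome"] == "review"]

def make_probe(host, status):
    # Constructed sample line: documentation-range address, shortened payload.
    return (f'{host} - - [01/Jan/2003:00:00:00 +0000] '
            f'"GET /default.ida?{"X" * 224}%u9090%u6858=a HTTP/1.0" {status} 629')

SAMPLE = [  # constructed log lines, not taken from the poster's server
    make_probe("192.0.2.10", 404),
    make_probe("192.0.2.10", 404),
    make_probe("198.51.100.7", 200),
    '203.0.113.5 - - [01/Jan/2003:00:00:05 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [01/Jan/2003:00:00:09 +0000] "GET /default.ida?x=1 HTTP/1.0" 404 629',
]

if __name__ == "__main__":
    per_host, review = summarize(SAMPLE)
    for host, n in per_host.most_common():
        print(f"{host}: {n} probe(s)")
    for h in review:
        print(f"review: {h['host']} got status {h['status']} at {h['time']}")
```

To run it over a real log, pass the open file object to `summarize()` in place of `SAMPLE`.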