???? LORD.asp ????



dwnz
25-03-2006, 04:41 PM
Hi,
I was just updating my website, and found a document called LORD.asp, and it seems to be under all my websites. What is this?

When I went to it, it said

LORD WAS HERE... Selamlarini sunar

And that's all the source code is as well... I'm worried now.

Anyone have any idea of how it could get there?

I host my server myself, and the only ports I have open are 80 and 25.

Thanks
Daniel

Graham L
25-03-2006, 04:46 PM
Perhaps the "Holy Ghost" came and you have had an immaculate conception.

Sceptics might take the attitude that you have been ....ed. :thumbs:

stu161204
25-03-2006, 04:48 PM
I think you better check your computer security as I think you have been hacked / defaced.

dwnz
25-03-2006, 04:50 PM
Just looking at the log files... I'm not sure what it means... Here's parts that contain stuff that I found on my server that was never there before (Freakin out now)

2006-03-24 11:23:54 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp - 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:23:57 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=10&dPath=D:\Websites\Kustompage.com\index.asp&path=D:\Websites\Kustompage.com\&Time=23:23:51 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:24:13 192.168.1.100 POST /Demo/Images/zeh3.jpg.asp Time=23:23:57 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:24:18 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Time=23%3A24%3A13&Path=D%3A%5CWebsites%5CKustompage.com%5C&submit1=Git 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:24:22 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=14&path=D:\Websites\Kustompage.com\ 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:24:30 192.168.1.100 POST /Demo/Images/zeh3.jpg.asp status=-4&Time=23:24:21&Path=D:\Websites\Kustompage.com\ 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:24:34 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Time=23%3A24%3A16&Path=D%3A%5CWebsites%5C&submit1=Git 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:24:39 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Path=D:\Websites\/WWSNZ.COM&Time=23:24:34 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:24:44 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=14&path=D:\Websites\/WWSNZ.COM 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:24:48 192.168.1.100 POST /Demo/Images/zeh3.jpg.asp status=-4&Time=23:24:43&Path=D:\Websites\/WWSNZ.COM 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:25:27 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=1&path=D&Time=Fri%20Mar%2024%2013:05:02%202006 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:25:31 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=1&path=C&Time=Fri%20Mar%2024%2013:05:10%202006 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:25:34 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Path=C://Program%20Files&Time=23:25:30 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:25:39 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Path=C://Program%20Files/Exchsrvr&Time=23:25:33 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:25:42 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Path=C://Program%20Files/Exchsrvr/exchweb&Time=23:25:38 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:25:45 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Path=C://Program%20Files/Exchsrvr/exchweb/views&Time=23:25:42 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:25:51 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Path=C://Inetpub&Time=23:25:30 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:25:53 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Path=C://Inetpub/wwwroot&Time=23:25:51 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:25:58 192.168.1.100 GET /index.asp - 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:26:03 192.168.1.100 GET /LORD.asp - 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:26:30 192.168.1.100 GET /lord.asp - 80 - 213.219.122.11 Wget/1.9.1 200 0 0


2006-03-24 11:30:01 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp - 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:30:05 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Path=D:\Websites\Kustompage.com\/demo&Time=23:30:00 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:30:12 192.168.1.100 GET /Demo/Images/zeh3.jpg.asp status=2&Path=D:\Websites\Kustompage.com\/demo/contentman&Time=23:30:04 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:30:28 192.168.1.100 GET /demo/contentman/index.asp - 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:30:47 192.168.1.100 GET /demo/contentman/page_edit.asp Title=Page%202&FUNC=RTE 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:30:49 192.168.1.100 GET /demo/contentman/RTE_javascript.asp textArea=content 80 - 200.118.2.219 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.0.3705) 200 0 0
2006-03-24 11:30:59 192.168.1.100 GET /LORD.asp - 80 - 202.122.243.167 libwww-perl/5.803 200 0 0


2006-03-24 11:53:06 192.168.1.100 GET /LORD.asp - 80 - 210.151.151.31 mozilla4.0 200 0 0
2006-03-24 12:01:23 192.168.1.100 OPTIONS / - 80 - 81.214.203.90 Microsoft+Data+Access+Internet+Publishing+Provider +Protocol+Discovery 200 0 0
2006-03-24 12:01:23 192.168.1.100 GET /_vti_inf.html - 80 - 81.214.203.90 Mozilla/2.0+(compatible;+MS+FrontPage+5.0) 404 0 2
2006-03-24 12:01:24 192.168.1.100 POST /_vti_bin/shtml.exe/_vti_rpc - 80 - 81.214.203.90 MSFrontPage/5.0 404 0 3
2006-03-24 12:01:24 192.168.1.100 GET /_vti_inf.html - 80 - 81.214.203.90 Mozilla/2.0+(compatible;+MS+FrontPage+5.0) 404 0 2
2006-03-24 12:01:26 192.168.1.100 POST /_vti_bin/shtml.exe/_vti_rpc - 80 - 81.214.203.90 MSFrontPage/5.0 404 0 3
2006-03-24 12:01:26 192.168.1.100 OPTIONS / - 80 - 81.214.203.90 Microsoft+Data+Access+Internet+Publishing+Provider +Protocol+Discovery 200 0 0

2006-03-24 12:14:17 192.168.1.100 GET /LORD.asp - 80 - 210.151.151.31 mozilla4.0 200 0 0

And there's some more....

dwnz
25-03-2006, 04:51 PM
I think you better check your computer security as I think you have been hacked / defaced.

I "think" they got through my demo page, as I forgot to delete the upload.asp file, which is included with the full version of my product. They uploaded pictures, rtf files, and asp files... not looking good.
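
Added example, not part of the original thread: a small scanner for IIS W3C logs in the field order posted above. It flags successful requests to a script with a stacked extension, a script served from a static-content folder, or a query string that carries a drive-letter path. The folder names, extension lists and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Script extension stacked on a static one ("x.jpg.asp"), and a script extension alone.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|bmp|rtf|txt)\.(asp|aspx|asa|cer)$", re.I)
SCRIPT_EXT = re.compile(r"\.(asp|aspx|asa|cer)$", re.I)
# Folders expected to hold only static content (assumption for this example).
STATIC_DIRS = re.compile(r"/(images?|uploads?|files)/", re.I)
# Drive-letter path passed as a query value, e.g. "Path=D:\Websites\".
FS_PATH = re.compile(r"=[A-Za-z]:[\\/]")

def parse_line(line):
    """Split one log line; rejoin a User-Agent that was broken by stray spaces."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 13:
        return None
    keys = ("date", "time", "s_ip", "method", "stem", "query", "port", "user", "c_ip")
    return dict(zip(keys, parts[:9]), agent="".join(parts[9:-3]), status=parts[-3])

def findings(rec):
    """Return the set of reasons this request looks like web-shell traffic."""
    stem, query = rec["stem"], unquote(rec["query"])
    checks = {
        "double-extension": DOUBLE_EXT.search(stem),
        "script-in-static-dir": SCRIPT_EXT.search(stem) and STATIC_DIRS.search(stem),
        "filesystem-path-in-query": FS_PATH.search(query),
    }
    return {name for name, hit in checks.items() if hit}

def scan(lines):
    """Map each flagged URL stem to (client IPs, reasons), successful requests only."""
    hits = {}
    for rec in map(parse_line, lines):
        if rec and rec["status"] == "200" and (why := findings(rec)):
            ips, reasons = hits.setdefault(rec["stem"].lower(), (set(), set()))
            ips.add(rec["c_ip"])
            reasons.update(why)
    return hits

# Constructed sample lines (documentation-range client IPs), not taken from the log above.
SAMPLE = [
    "2006-03-24 11:23:57 192.168.1.100 GET /Demo/Images/x.jpg.asp status=2&Path=D%3A%5CWebsites%5C 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+.N ET+CLR+1.0.3705) 200 0 0",
    "2006-03-24 11:24:01 192.168.1.100 GET /index.asp - 80 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0",
    "2006-03-24 11:24:09 192.168.1.100 POST /Demo/Images/x.jpg.asp - 80 - 198.51.100.9 Mozilla/4.0 404 0 2",
]

if __name__ == "__main__":
    for stem, (ips, reasons) in scan(SAMPLE).items():
        print(stem, sorted(ips), sorted(reasons))
```

Every flagged stem is a file to pull from disk for review, and the client IPs give the starting points for tracing what else those hosts requested.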

Jen
25-03-2006, 06:24 PM
Close down your webserver and give your machine a thorough clean for viruses, trojans and any other malware.

Were you running the latest patches for your webserver software? Looks like they were trying for FrontPage vulnerabilities. If you are going to expose your computer to the internet by running a webserver at home, then you must ensure you have the latest security patches and have configured your webserver correctly. If you are unable to do this, then you really should get someone else to host your website.

dwnz
25-03-2006, 06:41 PM
Hi,
I have just done all that, it didn't find anything.

Windows was updated to the very latest it can go, I did it at about 8pm last night, before the attack started.

I'm not going to take any risks here, and I am going to format it, and start again, and check that nothing can destroy any of my stuff this time.

It's amazing though. I have been running a server for about 3 years now, and have never had a problem, or made a stupid mistake like I did.

One thing I noticed, some of the files were using cross-site perl scripting...

Daniel