hacked mysql?
Hello all, I have just had my mysql database 'hacked': actually it was rolled back about 3 weeks or so.
I know very little about security, and to be honest hope that my webhost maintains proper security. I run a VERY small site (like 100 unique visitors a month at best).
At any rate, this has me puzzled, and since I seem to be getting limited support from my host on this, maybe someone here can help me out.
From what I can tell, no files have been modified, deleted or added to my directories.
My host uses linux (redhat I believe), apache, and mysql (with phpmyadmin).
Like I said above, I don't know much about security, but I did think I should look through the weblogs, and in the 404 file not found sections, I came across the following:
617 0 143144 | /scripts/..%5c../winnt/system32/cmd.exe
425 372 87125 | /default.ida
398 361 83580 | /scripts/root.exe
377 1 78416 | /MSADC/root.exe
363 0 79134 | /c/winnt/system32/cmd.exe
349 0 76082 | /d/winnt/system32/cmd.exe
327 0 81423 | /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
323 1 80427 | /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
316 0 83740 | /msadc/..%5c../..%5c../..%5c/..^^\../..^^\../..^^\../winnt/system32/cmd.exe
308 0 71148 | /scripts/..^^\../winnt/system32/cmd.exe
300 1 69300 | /scripts/..^/../winnt/system32/cmd.exe
300 1 69300 | /scripts/..^^ï../winnt/system32/cmd.exe
291 0 67221 | /scripts/..^^Ü../winnt/system32/cmd.exe
278 0 64496 | /scripts/..%2f../winnt/system32/cmd.exe
(hmm I hope that pasted well ;-)
At any rate that looks really strange to me as it seems like someone is attempting to access WindowsNT core files directly...which don't exist on a linux box ;-)
Anyhow, this seemed odd to me, and seems to have been going on for a few months now (according to the logs).
Any input on this would be appreciated...
thanks ;-)
Eric
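
A defender-side triage of the 404 report above, as an added example that is not part of the original post: it percent-decodes each requested path, folds backslashes into slashes, and labels requests that use directory traversal or aim at Windows-only files. The function names, the rule set, the reading of the first column as a request count, and the last sample row are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Rows copied from the post's 404 report; the last row is constructed
# as a benign comparison case.
SAMPLE = """\
617 0 143144 | /scripts/..%5c../winnt/system32/cmd.exe
425 372 87125 | /default.ida
398 361 83580 | /scripts/root.exe
363 0 79134 | /c/winnt/system32/cmd.exe
327 0 81423 | /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
278 0 64496 | /scripts/..%2f../winnt/system32/cmd.exe
12 0 3400 | /old-page.html
"""

# Hypothetical rule set: path fragments that only make sense on a Windows host.
WINDOWS_ONLY = re.compile(r"winnt/system32|/(cmd|root)\.exe$|\.ida$", re.IGNORECASE)

def normalize(path):
    """Percent-decode and fold backslashes so %5c, %2f and / compare equal."""
    return unquote(path).replace("\\", "/")

def classify(path):
    """Return the set of labels that apply to one requested path."""
    norm = normalize(path)
    labels = set()
    if "../" in norm:
        labels.add("traversal")
    if WINDOWS_ONLY.search(norm):
        labels.add("windows-target")
    return labels

def triage(report):
    """Parse 'n n n | path' rows into (count, path, labels) tuples.
    The first column is assumed to be the request count."""
    rows = []
    for line in report.splitlines():
        m = re.match(r"\s*(\d+)\s+\d+\s+\d+\s*\|\s*(\S+)", line)
        if m:
            rows.append((int(m.group(1)), m.group(2), classify(m.group(2))))
    return rows

if __name__ == "__main__":
    for count, path, labels in triage(SAMPLE):
        tag = ",".join(sorted(labels)) or "unclassified"
        print(f"{count:5d}  {tag:25s}  {path}")
```

Rows labelled `windows-target` request files that a Linux/Apache host does not have, which is why they land in the 404 section; unlabelled rows are the ones left to review by hand.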