06-27-2003
Khayman

Re: My server box is hacked! help...

"Min,Lee" <abraxsus@nownuri.net> wrote in
news:bdgkk1$p1o$1@news.hananet.net:

> I think my server box is hacked !!
> help me!..
> These are my log files...
>


I agree - they seem to have root access if they were able to try mailing
all that info.

[snip]
> Also, I found something strange in the /var/log/httpd/accesslog
>
>
> 218.236.111.207 - - [27/Jun/2003:03:32:20 +0900] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXX
> XXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXX
> XXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXX
> XXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd 3%u7801%u9090%u6858%u
> cbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u5 3ff%u0078%u0000%u00=a
> HTTP/1.0" 404 283 "-" "-"
>
> This is strange. "GET /default.ida" looks like hacking, doesn't
> it??
>


This is a Windows-only exploit against IIS - don't worry about that one.

> What should I do?? Where can I learn more about security??


You should really try to read up some on security, yes.
Reading from the email, it seems you were running quite a few servers,
RPC and SMB for example - maybe you should take the time to re-install
your server (do not backup any binaries/programs) and start reading some
security books?

You didn't really write what distribution you were using, but if you
start at www.linuxsecurity.org and go from there, you will find some good
security guides to follow the next time.

http://www.redhat.com/solutions/security/ could be a good starting point
as well.

And, of course, searching Google Groups could prove quite helpful.

Khay.
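
Added example (not part of the original post): a small triage script for the kind of `default.ida` request quoted above. It parses Apache access-log lines, picks out `.ida` requests, and separates those the server rejected (like the 404 in the quoted log) from any that were actually answered. The sample lines, addresses and function names are constructed for illustration.

```python
import re

# Apache common/combined log: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Request for an .ida resource, which only an IIS server would handle.
IDA_RE = re.compile(r'^[A-Z]+ (?P<path>/[^?\s]*\.ida)\?(?P<query>\S*)', re.I)
FILLER_RE = re.compile(r'(.)\1{63,}')      # 64 or more repeats of one character
UENC_RE = re.compile(r'%u[0-9a-fA-F]{4}')  # %uXXXX sequences as seen in the log


def classify(line):
    """Return a dict describing an .ida probe, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = IDA_RE.match(m.group("request"))
    if not req:
        return None
    query = req.group("query")
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "path": req.group("path"),
        "status": status,
        "long_filler": bool(FILLER_RE.search(query)),
        "u_encoded": len(UENC_RE.findall(query)),
        "rejected": status >= 400,  # e.g. 404: no such resource on this server
    }


def triage(lines):
    """Split .ida probes into (rejected, needs_review) lists."""
    hits = [h for h in map(classify, lines) if h]
    return ([h for h in hits if h["rejected"]],
            [h for h in hits if not h["rejected"]])


# Constructed sample lines (documentation addresses, shortened query string).
SAMPLE = [
    '192.0.2.10 - - [27/Jun/2003:03:32:20 +0900] "GET /default.ida?'
    + "X" * 200 + '%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 283 "-" "-"',
    '192.0.2.11 - - [27/Jun/2003:03:40:02 +0900] '
    '"GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    rejected, review = triage(SAMPLE)
    print(f"{len(rejected)} rejected .ida probe(s), {len(review)} to review")
```

A probe that lands in the second list was answered with a non-error status and is the one worth a closer look.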