
Lots of bad guys round my site today


Powdork

2:20 am on May 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



From my logs
/rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe
/pbserver/..%5c..%5c..%5cwinnt/system32/cmd.exe
/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
/msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
/_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe

This is Indy Library; in each case there were two requests which received 404 and two that received bad requests. I'm guessing it's nothing to worry about since it seems to be after MS stuff and I'm on Apache. Is this correct?

-----

/scripts/root.exe
/scripts/shell.exe

These from Indy Library worry me. Should they?

-----

/scripts/..Á%pc../winnt/system32/cmd.exe
/scripts/..Áœ..Áœ..Áœ..Áœwinnt/system32/cmd.exe

and a whole bunch like this with different strange symbols mixed in the middle. Nothing for me to worry about, right?

-----

grytuh inserted in place of actual file name to obfuscate things a bit
/boat-grytuh_files/bindings.xml
/grytuh-packages_files/bindings.xml

These scare me. They're coming from a regular IP on a regular browser (according to my logs, anyway). Should they scare me?

-----

/public_grytuh_sites/null
/null

These are from people using Netscape Navigator 4.x. Do I have a compatibility problem?

-----

/boat-grytuh.htmdjs.htm
/grytuh.htmbachelor.htm

These are from boitho.com-bc. Is it a problem or just a not so smart bot?

jdMorgan

3:19 am on May 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



These are mostly just pests if you're on Apache. The first batch (cmd.exe) is from a NIMDA-infected MS server. The others are probably from badly-coded bots. If the requests for "bindings.xml" were actually for existing files, you might want to block that IP address... Or block them all if it means getting a good night's sleep.

I'd rather have an honest harvesting attempt than these "pest requests" -- The harvesters recognize a 403 when they choke on one, but many of these pests are very dumb and just keep coming back. For the really persistent ones, I rewrite the URL to a totally-blank file (0 bytes) to minimize the bandwidth they waste.

Nothing here looks "scary" to me, except the bindings.xml requests, and that's because I don't know what they are and if they are worth stealing.

For the most part, you can either ignore these, or serve them a tasty 403 response.

Jim

Powdork

3:52 am on May 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



/boat-grytuh_files/bindings.xml

No, I don't have that file. The file I have is /boat-grytuh.htm. I don't have anything on any of those pages except content and Adsense. I don't use any xml, if that matters.

gergoe

10:25 am on May 12, 2004 (gmt 0)

10+ Year Member



Seems that you saved the boat-grytuh.htm from a webpage with Internet Explorer, or you saved the file with MS Office; these programs use the boat-grytuh_files folder, and I suppose there's a reference in your HTML to this bindings.xml file. So if someone visits your HTML page, the browser (I guess not all) looks for some files in that folder.

If this HTML page displays correctly then don't care about it (or remove the references from that file), or if the page is not displayed well in your browser, upload the folder with all the files in it.

Leosghost

12:27 pm on May 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Not really anything to worry about here ..if it's testing at all then it's going to depend on what kind of config you've got and how the shells are blocked out ...and of course you are as secure as you can be ..aren't you .. : )

Powdork

2:51 pm on May 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



seems that you saved the boat-grytuh.htm from a webpage with Internet Explorer, or you saved the file with MS Office,

No, it's all original and hand typed into Dreamweaver.

if its testing at all then its going to depend on what kind of config you've got and how the shells are blocked out ...and of course you are as secure as you can be ..aren't you .. : )

I have no idea how it's set up, and no I'm probably not secure. My FormMail is still called FormMail, for instance.

Powdork

5:53 pm on May 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Okay, how about this from my logs.
On Sunday night I had a visitor with this as the referrer:
[wgn.net...]
It then visited my contact page (where the form is) with the referrer as my robots.txt file. So that tells me it checks for robots.txt and then looks for forms, I guess. It was Zeus 73457 Webster Pro.
I haven't received a form referral since, and they have been busy days. I am worried, but don't know if I'm just being paranoid or what.

jdMorgan

6:56 pm on May 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



powdork,

You're seeing the same exploits that many here have seen. I suggest that you "take control," and I recommend the following threads for your review:
A Close to perfect .htaccess ban list - Part 3 [webmasterworld.com] (See links back to Parts 1 & 2 as well)
Modified "bad-bot" script blocks site downloads [webmasterworld.com]
Blocking badly behaved runaway WebCrawlers [webmasterworld.com]

Jim

Leosghost

9:30 am on May 13, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Ok ..I'm a little short on time here and I'll sticky you when I find the reading matter that you need ...

First ...Do you run a guest book or anything else that lets visitors "write" into your server other than your form mail ..if yes switch it off ..NOW ..( it's a "hack door" ) ...

Form mail isn't so good either but apparently you need it? ..

Before you switch off your guest book ...root around in there in the part that lets you set up the "skins"...there's usually something which will tell you all about your apache config ..type , permissions, handling etc etc ....this part tells anyone who wants to hit your server how to do it ...

The intrusions you have seen to date ( especially the one you posted ) are basically asking for things that may or may not be available on your config ...Apache ..being dumb if it isn't set up "hardened" ..has a horrible tendency to say things like " nope ...no passwords here ..but I actually keep them there ...and look this is them "...NO REALLY!

If you know what to ask it
..via the "write in" areas ...

you can "hack " most installations of apache with IE 4 and upwards ....and a few " how hard are your shell " questions to CGI..

sorry but apache works like that ...

In its standard versions of installation ....

BSD is better for sleeping soundly at nights ....

This said ...as soon as I find the articles you should see I 'll sticky them to you today ...

Oh yeah and if you run "mail exchanger" or "squirrel" ..switch em off too ..they're all "hackdoors"....

Powdork

3:28 pm on May 13, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks Leosghost,
I also started a thread about renaming FormMail that may or may not be related.
[webmasterworld.com...]

Leosghost

10:36 am on May 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sorry it took me so long ...Jeez...... it's untidy in my machine, can't find a damn thing, and then I lost this thread ...
Ok ..this isn't the "definitive" but it's well worth reading all the links out from these places ...for anyone who thinks they are secure or who would like to know what "suspicious" entries in logs might be about ...I presume also that bakedjake might have a take on this as from his posts he may have been "curious" ( he... he ) at some point in the past ..
...
[securereality.com.au...]
[securityfocus.com...]
[securityfocus.com...]
[securereality.com.au...]
[google.it...]
( don't know if I got the formatting right to link them ....if I screw up maybe jdMorgan can edit it to work for me? )..and I know that someone ..I think it was "isitreal" or maybe "stefan" or whoever told me how ..but I lost the page .. : ))
There is a lot more stuff which may be relevant to some of you at [blackhat.com...]
you can also "google" for this "Secure Reality Pty Ltd. Security Advisory #1 (SRADV00001)".....leave on the quotes ....and here "Secure Reality Pty Ltd. Security Advisory #10 (SRADV00010)" for those of you using "squirrel mail"

Again ...sorry it took so long for me to find the references ..( BTW to other fora users to whom I owe a sticky mail ...I'll try to get on top of it this weekend ...work permitting )...

Powdork

7:58 pm on May 16, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for posting that Leosghost,

Some of the articles no longer exist. I'm not certain where the PHP comes into play and most of that is above me. The form is in Perl in my case. I do have a phpBB2 forum on the site, if that matters.

Here are last night's attempted exploits. Is this an example of the Holland Tunneling Engine at work?

195.**.69.26 - - [16/May/2004:06:29:28 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 213 "http://site.com/" "-"

216.***.126.182 - - [16/May/2004:06:29:36 -0400] "POST /mail.cgi HTTP/1.0" 404 202 "http://site.com/" "-"

24.***.155.7 - - [16/May/2004:06:29:37 -0400] "POST /cgi-bin/fmail.pl HTTP/1.0" 404 210 "http://site.com/" "-"

194.***.223.57 - - [16/May/2004:06:29:38 -0400] "POST /cgi-bin/form.cgi HTTP/1.1" 404 222 "http://site.com/" "-"

66.***.166.68 - - [16/May/2004:06:29:38 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 404 212 "http://site.com/" "-"

213.***.213.160 - - [16/May/2004:06:29:39 -0400] "POST /cgi/formmail HTTP/1.1" 404 218 "http://site.com/" "-"

208.**.229.3 - - [16/May/2004:06:29:39 -0400] "POST /cgi-bin/mail.cgi HTTP/1.0" 404 210 "http://site.com/" "-"

81.**.96.121 - - [16/May/2004:06:29:41 -0400] "POST /formmail.pl HTTP/1.0" 404 205 "http://site.com/" "-"

[edited by: jdMorgan at 8:28 pm (utc) on May 16, 2004]
[edit reason] Obscured specific IP addresses [/edit]
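As an added example (not code from this thread or from any of its posters), here is a small Python classifier that parses Apache access-log lines and labels the two probe families discussed above: the NIMDA-style `..%5c` traversals to `cmd.exe`/`root.exe` that jdMorgan attributes to an infected MS server, and the FormMail-hunting POSTs in the last post. It assumes common/combined log format; the sample lines and IPs are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# One Apache access-log line (common format, optional combined referer/agent fields).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')
# Worm-style requests for a Windows shell, or the root.exe/shell.exe copies NIMDA leaves
# in /scripts; on an Apache host these can only 404.
CMD_RE = re.compile(r'winnt/system32/cmd\.exe|/scripts/(?:root|shell)\.exe', re.I)
# Script basenames that spam relays POST to when hunting for an open FormMail.
FORMMAIL_RE = re.compile(r'^(?:formmail|fmail|mail|form|contact)(?:\.pl|\.cgi)?$', re.I)


def classify(line):
    """Return (ip, label) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Decode %5c and friends and fold backslashes so "..%5c" reads as "../".
    path = unquote(m['path']).replace('\\', '/')
    base = path.rsplit('/', 1)[-1].split('?', 1)[0]
    if CMD_RE.search(path):
        label = 'nimda-cmd-probe'
    elif m['method'] == 'POST' and FORMMAIL_RE.match(base):
        label = 'formmail-probe'
    else:
        label = 'normal'
    return m['ip'], label


def summarize(log_text):
    """Count each label and collect the IPs that sent probes (block-list candidates)."""
    counts, offenders = Counter(), set()
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        ip, label = parsed
        counts[label] += 1
        if label != 'normal':
            offenders.add(ip)
    return counts, offenders


# Constructed sample lines modelled on the requests quoted in this thread (placeholder IPs).
SAMPLE_LOG = """\
10.0.0.1 - - [12/May/2004:02:10:01 -0400] "GET /rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe HTTP/1.0" 404 200 "-" "-"
10.0.0.1 - - [12/May/2004:02:10:02 -0400] "GET /scripts/root.exe HTTP/1.0" 404 200 "-" "-"
10.0.0.2 - - [16/May/2004:06:29:28 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 213 "http://site.com/" "-"
10.0.0.3 - - [16/May/2004:06:29:36 -0400] "POST /mail.cgi HTTP/1.0" 404 202 "http://site.com/" "-"
10.0.0.4 - - [16/May/2004:06:30:00 -0400] "GET /boat-grytuh.htm HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""
```

Running `summarize(SAMPLE_LOG)` gives the per-label counts and the set of probing IPs, which is the input you would feed to an .htaccess deny list of the kind jdMorgan links to.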