Strange request in the logs

Am I being probed by hackers?

         

awcabot

1:04 pm on Mar 19, 2003 (gmt 0)

I get the following line in my access logs, which I find kind of weird:

216.68.31.206 - - [16/Mar/2003:10:20:18 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1592 "-" "-"

I do not have a scripts directory nor a root.exe file, so I suppose someone is trying to access these directly. What the heck are they looking for? Should I be concerned?

Alternative Future

1:15 pm on Mar 19, 2003 (gmt 0)

Hi,

The IP belongs to fuse.net, which offers free Internet solutions.

Don't know if this helps you any, but if I was a hacker (white or black hat) I think I would hide (proxy) my attacking IP address ;)

-gs

[added] Although by using a proxy it doesn't really hide your IP at all because the administrator of the proxy can still read your requesting IP, just in case anyone thought this was a suitable way forward ;-) [/added]

And as ppg suggests it could be a Code Red II or sadmind/IIS, more info here: cert.org/advisories/CA-2001-26.html

[edited by: Alternative_Future at 1:26 pm (utc) on Mar. 19, 2003]

ppg

1:17 pm on Mar 19, 2003 (gmt 0)

I believe that's Nimda or Code Red, one of the two. Those requests have been flying about for ever now.

It only matters if you're running a Windows server and it's not patched and up to date.
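
Added example, not part of any post in this thread: a small Python check that picks requests like the one quoted above out of an Apache access log and reports, per source IP, whether the server ever answered one with a 2xx status instead of a 404. The `cmd.exe` and `default.ida` patterns and all sample lines after the first are assumptions added here, not taken from the thread.

```python
import re
from collections import defaultdict

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# The first pattern covers the request quoted in the thread; the other two are
# assumptions added here from the same worm family's well-known traffic.
PROBES = [
    ("root.exe backdoor probe", re.compile(r"/(?:scripts|msadc)/root\.exe", re.I)),
    ("cmd.exe probe", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
    ("default.ida probe", re.compile(r"/default\.ida\?", re.I)),
]

def classify(line):
    """Return a dict describing a worm probe, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for label, pattern in PROBES:
        if pattern.search(m["target"]):
            status = int(m["status"])
            # A 2xx answer means something exists at that path: investigate.
            return {"ip": m["ip"], "label": label, "status": status,
                    "answered": 200 <= status < 300}
    return None

def summarize(lines):
    """Group probe hits by source IP."""
    report = defaultdict(lambda: {"hits": 0, "labels": set(), "answered": False})
    for hit in filter(None, map(classify, lines)):
        entry = report[hit["ip"]]
        entry["hits"] += 1
        entry["labels"].add(hit["label"])
        entry["answered"] = entry["answered"] or hit["answered"]
    return dict(report)

# First line is the one from the thread; the rest are constructed samples.
SAMPLE = [
    '216.68.31.206 - - [16/Mar/2003:10:20:18 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1592 "-" "-"',
    '192.0.2.10 - - [16/Mar/2003:10:20:19 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1592 "-" "-"',
    '192.0.2.10 - - [16/Mar/2003:10:20:20 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 512 "-" "-"',
    '198.51.100.7 - - [16/Mar/2003:10:21:02 -0600] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 1592 "-" "-"',
    '203.0.113.5 - - [16/Mar/2003:10:22:40 -0600] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/4.0"',
]
```

Run `summarize()` over the lines of a real access log; an entry with `answered` set to `True` is the case worth a closer look, while a run of 404s matches what the original poster saw.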