Anyone with an open port 80 on a static IP is likely to see loads of this crap. Yep, they're looking for an exploitable 'doze box. I usually just ignore it... you can run host or dig on the IP if you're curious as to the origination; you could even feed the GET into your webserver to see exactly what error they got; but I have yet to see any cool creative solutions for this. It strikes me as a waste of resources to firewall the IP, since it is a silly request, but I think it would be interesting to hack up a tarpit for them, like giving them something that looks like a command shell to entice them. In that case, one would also want to modify the system signature that they might get from nmap, etc. Anyone else got some good notions on this? Of note is that you might see multiple requests from the same IP, or from another in the same block. This tells you something about the nature of the attacker, but not a whole lot. Most I've seen come from overseas or dialups... g'nitey!
Ben

On Thu, 20 Nov 2003 23:23:27 -0500 Linux Rocks ! <[EMAIL PROTECTED]> wrote:
| So... I've noticed this before in my webserver logs...
| 68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292
|
| So... looks like someone is scanning for a WinNT-based server they can
| exploit, to me.. anyway, obviously it's not an actual problem, but I
| figured maybe some of you have had similar issues, and come up with
| creative solutions... like with iptables or something :)
|
| Jamie
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
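For anyone who wants to do more than eyeball these, here is an added example (not code from the thread or from either poster) that does what Ben suggests: decode the GET the way the scanner expects the target to, so you can see that `..%%35c..` is `..%5c..` after one round of decoding and `..\..` after a second, then tally hits by source IP and by /24 block. The log lines are constructed; the first one copies Jamie's request verbatim, the others are common variants of the same probe (`%255c` double-encoding and the overlong UTF-8 forms `%c1%1c` / `%c0%af`). The double-decode and overlong handling reproduce the decoder behaviour these probes rely on; the tags and field names are this script's own.

```python
#!/usr/bin/env python3
"""Decode and tally IIS traversal probes (the cmd.exe GETs in the thread)
from an Apache-style access log.  Added illustration, not from the list;
SAMPLE_LOG is constructed test data."""
import ipaddress
import posixpath
import re
from collections import Counter
from urllib.parse import unquote_to_bytes, urlsplit

# Apache common log format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: line 1 is the request from the thread, the next two are
# the same probe with other encodings, line 4 is ordinary traffic.
SAMPLE_LOG = """\
68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292
68.50.124.251 - - [20/Nov/2003:23:07:13 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.50.124.77 - - [20/Nov/2003:23:09:01 -0500] "GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
10.0.0.5 - - [20/Nov/2003:23:10:44 -0500] "GET /index.html HTTP/1.1" 200 1423
"""


def decode_like_iis(path):
    """Two rounds of %XX decoding (so %255c and %%35c both become %5c, then
    a backslash), then the overlong two-byte UTF-8 forms such as %c0%af and
    %c1%1c collapsed to '/' and '\\'.  Backslashes are normalised to '/'."""
    raw = unquote_to_bytes(unquote_to_bytes(path))
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            # overlong form: ((lead & 0x1f) << 6) | (trail & 0x3f)
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/")


def classify(request):
    """Return (tag, resolved_path) for one request line; tag is None when
    nothing suspicious is found.  The path is resolved after decoding so the
    file the probe was really after is visible (normpath clamps at '/')."""
    parts = request.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return ("malformed", None)
    path = decode_like_iis(urlsplit(parts[1]).path)
    resolved = posixpath.normpath(path)
    low = resolved.lower()
    if "cmd.exe" in low or low.startswith("/winnt/"):
        return ("iis-cmd.exe probe", resolved)
    if ".." in path.split("/"):
        return ("path traversal", resolved)
    return (None, resolved)


def scan(log_text):
    """Parse the log, keep suspicious requests, count them per IP and /24."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not common/combined log format; ignore
        tag, resolved = classify(m["req"])
        if tag:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "tag": tag, "target": resolved})
    by_ip = Counter(h["ip"] for h in hits)
    by_block = Counter(
        str(ipaddress.ip_network(h["ip"] + "/24", strict=False)) for h in hits
    )
    return hits, by_ip, by_block


if __name__ == "__main__":
    hits, by_ip, by_block = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']:16} {h['status']} {h['tag']:18} -> {h['target']}")
    print("by source IP:", dict(by_ip))
    print("by /24 block:", dict(by_block))
```

Run it against a real log with `scan(open("/var/log/apache/access.log").read())`; the `by_block` counter is what shows the "same IP, or another in the same block" pattern Ben mentions. The decoder deliberately over-accepts: anything that resolves to `cmd.exe` or under `/winnt/` after the lenient decoding is tagged, which is the right bias for a log triage tool but not for a filter that has to pass legitimate traffic.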
