
Re: Being cracked? (need help on apache log files)



High,

On Mon, 29 Oct 2001, Ole Sebastian Stein wrote:

> We just got our ADSL and now have a server running Apache on a potato box
> at home.  DynDNS provides us with dynamic dns.
> 
> Today I found these lines in my access.log:
> 
> 213.133.35.205 - - [29/Oct/2001:12:54:40 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 
> and so on.  To me it looks as if 213.145.168.244 is trying
> to execute some file giving him root access.  Is someone trying to
> crack my machine?  What should I do?
> 
Looks like a harmless attempt, because it tries to open M$ files. If this
goes on and on you might want to block access from that host. Perhaps a
previous user of your ip had a warez ftp server and people try to login to
download stuff. Look from where the attack is coming:
$ host 213.145.168.244
Name: 213-145-168-244.dd.nextgentel.com
Address: 213.145.168.244

and send a mail to abuse@nextgentel.com to inform them. 

Greetz,
Sebastiaan
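
As an added example that is not part of the original message: a small Python triage script for access-log entries like the ones quoted above. It flags requests for Windows/IIS paths, decodes the double-encoded `..%255c` sequences, and counts per source host how many probes were answered with anything other than an error. The function names, the marker list and the last sample line (with the documentation address 192.0.2.10) are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')
# Windows/IIS artefacts that appear in the quoted requests (example list)
IIS_MARKERS = ("cmd.exe", "root.exe", "/winnt/", "/_vti_bin/", "/_mem_bin/", "/msadc/")

def fully_decode(path, rounds=3):
    """Percent-decode several times so a double-encoded %255c becomes a backslash."""
    for _ in range(rounds):
        path = unquote(path)
    return path

def classify(line):
    """Return (host, status, reasons) for one log line, or None if it does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, _, _, path, status, _ = m.groups()
    decoded = fully_decode(path).lower()
    reasons = [marker for marker in IIS_MARKERS if marker in decoded]
    if "..\\" in decoded or "../" in decoded:
        reasons.append("traversal")
    return host, int(status), reasons

def summarize(lines):
    """Per host: number of probe requests and how many were not rejected (status < 400)."""
    out = defaultdict(lambda: {"probes": 0, "served": 0})
    for line in lines:
        hit = classify(line)
        if hit and hit[2]:
            host, status, _ = hit
            out[host]["probes"] += 1
            out[host]["served"] += int(status < 400)
    return dict(out)

# The first four lines are from the quoted log; the last one is a constructed benign request.
SAMPLE = [
    '213.133.35.205 - - [29/Oct/2001:12:54:40 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208',
    '213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218',
    '213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '192.0.2.10 - - [29/Oct/2001:13:01:02 +0100] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A `served` count of 0 means every flagged request got an error status, as all the quoted ones did with 404; a non-zero value is the case worth looking at more closely.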



