Hello! I've got this really annoying problem in my Apache server logs, in both /var/log/apache/access_log and /var/log/apache/error_log. I don't know if this is much of a security problem (although if I were running another OS it might be), but I am more wondering how to have these not even show up in my logs, or filter them into another log such as /dev/null or something. I've taken some excerpts from both log files so you can get a feel for what I am talking about:
From /var/log/apache/access_log:
Code:
4.65.236.42 - - [05/Feb/2003:16:54:20 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:24 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:27 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:32 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
4.65.236.42 - - [05/Feb/2003:16:54:34 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
4.65.236.42 - - [05/Feb/2003:16:54:36 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
And more from /var/log/apache/access_log:
Code:
4.65.194.47 - - [05/Feb/2003:16:24:44 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
4.65.194.47 - - [05/Feb/2003:16:24:45 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
4.65.236.42 - - [05/Feb/2003:16:53:53 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
4.65.236.42 - - [05/Feb/2003:16:53:56 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
4.65.236.42 - - [05/Feb/2003:16:54:00 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
4.65.236.42 - - [05/Feb/2003:16:54:03 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
4.65.236.42 - - [05/Feb/2003:16:54:07 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
4.65.236.42 - - [05/Feb/2003:16:54:10 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
4.65.236.42 - - [05/Feb/2003:16:54:13 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
4.65.236.42 - - [05/Feb/2003:16:54:17 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
From /var/log/apache/error_log:
Code:
[Sun Jan 19 06:57:38 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe
[Sun Jan 19 06:57:39 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
[Sun Jan 19 06:57:40 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Sun Jan 19 06:57:40 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Jan 19 06:57:41 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
I am guessing it's some sort of virus for winbloze.
Anyway, anyone got any ideas on how to rid my logs of the flaws of others?
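The requests quoted in the post are the well-known IIS worm probes (the Code Red II / Nimda families): hits on the root.exe backdoor, on cmd.exe under winnt/system32, and the "..%c1%1c..", "..%255c..", "..%%35%63.." directory-traversal encodings used to reach it. Apache is not vulnerable to any of them, so they are pure noise in access_log and error_log, but silently discarding them also discards the record of which hosts are infected and scanning you. The script below is an added example, not code from the poster or from Apache: it parses access_log lines in Apache's common log format, splits out the probe lines by signature, does the same for the "File does not exist" error_log lines, and keeps a count per client IP and per status code so the suppressed traffic is still accounted for. All function names, the regexes and the 192.0.2.10 sample lines are my own constructions (the other sample lines are copied from the post above).

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "method uri proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Signatures of the IIS worm probes quoted in the post: the root.exe backdoor,
# cmd.exe under winnt/system32, and any "..%<hex or %>..." traversal encoding
# (covers ..%c1%1c.., ..%c0%af.., ..%255c.., ..%%35%63.., ..%5c.. and friends).
PROBE_RE = re.compile(
    r'(?:/root\.exe\b|/winnt/system32/cmd\.exe\b|\.\.%[0-9a-f%]+\.\.)',
    re.IGNORECASE,
)


def parse_access_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_iis_probe(text):
    """True if a request URI (or an error_log path) carries a worm-probe signature."""
    return PROBE_RE.search(text) is not None


def split_access_log(lines):
    """Split access_log lines into (kept, dropped).

    kept    - raw lines that stay in the main log: legitimate traffic plus any
              line the parser did not understand, so nothing vanishes silently
    dropped - parsed entries for the worm probes, to be counted or diverted
    """
    kept, dropped = [], []
    for line in lines:
        entry = parse_access_line(line)
        if entry and is_iis_probe(entry["uri"]):
            dropped.append(entry)
        else:
            kept.append(line)
    return kept, dropped


def split_error_log(lines):
    """Same split for error_log 'File does not exist: <path>' lines."""
    kept, dropped = [], []
    for line in lines:
        (dropped if is_iis_probe(line) else kept).append(line)
    return kept, dropped


def summarize(dropped):
    """Count suppressed probes per client IP and per HTTP status code."""
    by_host = Counter(e["host"] for e in dropped)
    by_status = Counter(e["status"] for e in dropped)
    return by_host, by_status


# Sample input: five probe lines copied from the post, plus two constructed
# legitimate requests from a made-up client 192.0.2.10.
SAMPLE_ACCESS_LOG = [
    '4.65.236.42 - - [05/Feb/2003:16:53:53 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284',
    '4.65.236.42 - - [05/Feb/2003:16:54:00 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292',
    '4.65.236.42 - - [05/Feb/2003:16:54:20 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305',
    '4.65.236.42 - - [05/Feb/2003:16:54:34 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289',
    '4.65.194.47 - - [05/Feb/2003:16:24:45 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306',
    '192.0.2.10 - - [05/Feb/2003:17:01:02 -0800] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.10 - - [05/Feb/2003:17:01:03 -0800] "GET /images/logo.png HTTP/1.1" 200 5120',
]

# Two error_log lines from the post plus one constructed, unrelated 404.
SAMPLE_ERROR_LOG = [
    '[Sun Jan 19 06:57:38 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/c/winnt/system32/cmd.exe',
    '[Sun Jan 19 06:57:40 2003] [error] [client 4.65.71.160] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe',
    '[Sun Jan 19 07:02:11 2003] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/favicon.ico',
]

if __name__ == "__main__":
    kept, dropped = split_access_log(SAMPLE_ACCESS_LOG)
    by_host, by_status = summarize(dropped)
    print(f"kept {len(kept)} access lines, dropped {len(dropped)} probes")
    print("probes per client:", dict(by_host))
    print("probes per status:", dict(by_status))
    err_kept, err_dropped = split_error_log(SAMPLE_ERROR_LOG)
    print(f"kept {len(err_kept)} error lines, dropped {len(err_dropped)} probes")
```

Run it over a real access_log with `split_access_log(open(path))` and write `kept` back out (or cron it against the rotated log). If you would rather stop the lines at the source for access_log, Apache's mod_setenvif can tag the request (`SetEnvIf Request_URI "cmd\.exe|root\.exe" dontlog`) and a `CustomLog ... env=!dontlog` line then skips tagged requests; that works for the access log but does nothing for error_log, which is why the script handles both. One detail the quoted lines show: the `..%%35%63..` and `..%%35c..` variants get a 400 rather than a 404, because `%%` is not a valid percent-escape and Apache rejects the URI before it ever looks for a file, so a filter keyed only on 404s would miss them.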