LinuxQuestions.org > Forums > Linux Forums > Linux - Security

Old 10-19-2004, 10:45 AM   #1
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Rep: Reputation: 30
Found this in my Apache Log


Hey, I got this from my Apache log. I am not sure what this is, but it's a broadband connection that has open and unfiltered ports. My static IP has no domain name, so he must have found my personal testing server with a port scan. What should I do? (evil grin)

202.25.234.188 - - [19/Oct/2004:03:14:38 -0400] "GET /scripts/nsiislog.dll" 404 340 "-" "-"
 
Old 10-19-2004, 11:21 AM   #2
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
doncha love Microsoft IIS scans on an Apache box

I personally like to increase my hands on education by getting to know some of the errant systems that make silly scans like this. Not advocating a hack attempt, just saying you may need to educate yourself at the expense of the offending system.
 
Old 10-19-2004, 11:32 AM   #3
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
Everyone that runs a public webserver (including myself) collects logs full of this crap. I don't think these are actually active script-kiddie attacks, just zombie PCs with no human interaction hammering away at whatever box they can find.

I get lots of log entries like:

"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"

clearly trying to exploit a Windows box. Seems to me any script kiddie that isn't a *total* idiot will be able to figure out quite easily the OS of his target, which leads me to believe that it is a zombie PC launching these "attacks".

The upshot of this is that you can spend 12 hours a day manually tracking down and blocking IP addresses, and all you really accomplish is blocking an IP, or block of IPs, used by some fool that doesn't know his wintendo box is full of viruses.

My advice: just ignore, and be thankful you run Linux. If you want to sort all this cruft out of your logs just do something like:

# grep -v '\.exe' access_log > good_log
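Added example (not code from any poster in this thread): the two requests quoted above, the `nsiislog.dll` probe from post #1 and the `cmd.exe` traversal from post #3, are both IIS-only paths, and the `%255c` in the second one is a double-percent-encoded backslash that only becomes visible after decoding twice. The Python below parses Apache common-log lines, fully decodes the request path, and separates Windows-targeted probes from real traffic, which is the sort bulliver's grep does but keyed on the decoded path instead of the literal string `.exe`. The sample log other than the two quoted lines is constructed here, and the pattern list and function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache common log format. Lines 1 and 2 are the requests
# quoted in this thread; the other three are made up here to exercise the
# classifier: a normal page hit, a legitimate ".exe" download that a bare
# grep -v ".exe" would throw away, and a single-encoded traversal.
SAMPLE_LOG = """\
202.25.234.188 - - [19/Oct/2004:03:14:38 -0400] "GET /scripts/nsiislog.dll" 404 340 "-" "-"
10.0.0.7 - - [19/Oct/2004:03:15:02 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
10.0.0.8 - - [19/Oct/2004:03:16:10 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [19/Oct/2004:03:17:44 -0400] "GET /downloads/setup.exe HTTP/1.1" 200 52100 "-" "Mozilla/5.0"
10.0.0.10 - - [19/Oct/2004:03:18:01 -0400] "GET /_vti_bin/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
"""

# Common log format; the protocol field is optional because the line in post #1
# has none.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that exist only on IIS / Windows; a request for them on Apache is an
# automated probe, not a browser. List chosen for this example.
IIS_TARGETS = re.compile(
    r'(?i)(/scripts/nsiislog\.dll|/winnt/system32/cmd\.exe|/_vti_bin/|/msadc/|/iisadmpwd/|root\.exe)'
)


def fully_decode(path, rounds=3):
    """Undo repeated percent-encoding (%255c -> %5c -> '\\').
    Stops as soon as a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line):
    """Parse one log line; return a dict with the reasons it looks like a
    Windows-targeted probe (empty list means it looks like real traffic)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    decoded = fully_decode(path)
    reasons = []
    if IIS_TARGETS.search(decoded):
        reasons.append('iis-target')
    # Traversal is only visible after decoding: "..\" or "../" sequences.
    if re.search(r'\.\.[\\/]', decoded):
        reasons.append('traversal')
    # A "%25" that decodes to another escape means the client encoded twice,
    # a classic attempt to slip past a single-pass filter.
    if decoded != path and '%25' in path:
        reasons.append('double-encoded')
    return {
        'ip': m.group('ip'),
        'path': path,
        'decoded': decoded,
        'status': int(m.group('status')),
        'reasons': reasons,
    }


def split_log(text):
    """Return (probes, good_lines): probes are classified dicts with at least
    one reason, good_lines are the untouched lines worth keeping."""
    probes, good = [], []
    for line in text.splitlines():
        hit = classify(line)
        if hit and hit['reasons']:
            probes.append(hit)
        else:
            good.append(line)
    return probes, good


if __name__ == '__main__':
    probes, good = split_log(SAMPLE_LOG)
    for p in probes:
        print(f"{p['ip']:<16} {p['status']} {','.join(p['reasons']):<32} {p['decoded']}")
    print(f"{len(good)} line(s) kept as real traffic")
```

Running it lists the three probes with their decoded paths and keeps the `/downloads/setup.exe` hit that the literal `.exe` filter would have discarded; swap `SAMPLE_LOG` for the contents of `access_log` to use it on a real file.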
 
Old 10-19-2004, 12:29 PM   #4
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Original Poster
Rep: Reputation: 30
Whoever this is, they're not smart leaving all these ports open.

Host (202.25.234.188) appears to be up ... good.
Initiating SYN Stealth Scan against (202.25.234.188)
Adding open port 6666/tcp
Adding open port 1025/tcp
Adding open port 21/tcp
Adding open port 49400/tcp
Adding open port 7007/tcp
Adding open port 443/tcp
Adding open port 80/tcp
Adding open port 6667/tcp
Adding open port 6668/tcp
Adding open port 2301/tcp
Adding open port 1026/tcp
The SYN Stealth Scan took 21 seconds to scan 1601 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on (202.25.234.188):
(The 1583 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp filtered smtp
80/tcp open http
135/tcp filtered loc-srv
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1720/tcp filtered H.323/Q.931
2301/tcp open compaqdiag
4444/tcp filtered krb524
6666/tcp open irc-serv
6667/tcp open irc
6668/tcp open irc
7007/tcp open afs3-bos
49400/tcp open compaqdiag
Remote operating system guess: Windows XP Professional RC1+ through final release
TCP Sequence Prediction: Class=random positive increments
Difficulty=9223 (Worthy challenge)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 27 seconds
 
Old 10-19-2004, 02:08 PM   #5
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
and now you know why they are scanning you. They were owned a long time ago and as bulliver said, he's now a hapless drone.

I too see these in my logs and used to make the effort, when I was bored, to try to contact the server owner... that's a lot of work for little to no value IMHO. Just make sure you are patched and ignore it.
 