LinuxQuestions.org


plisken 12-30-2001 12:58 PM

access.log:Possible Hack attempt?
 
Please find below a few lines from my access.log file from apache:

62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303


Could someone shed some light on this? Is this an attempted attack of some form?

Thanks

Harry

bluecadet 12-30-2001 01:15 PM

that's just code red / blue trying to attack M$'s IIS server. Every running apache in the world probably logs at least 5 of those attacks every single day.

i've had at least 12 so far today. i'd guess some prominent servers get literally thousands every day at the moment.

don't worry about it. just laugh.

Linux_Native 01-03-2002 05:58 AM

Haha!!
 
Sit back .. and enjoy the fact that you run linux :D

weblion 01-03-2002 04:53 PM

Damn. Okay, third try.
I'm actually running Apache via Windows until I get my other computer working and Apache set up under linux on this comp. And in the 3 days since it went online, there have been no reports of the virus.

anoop_chandran 01-04-2002 01:31 AM

hi,
let me tell u that my apache access.log contains so many of these lines ... bluecadet said he had 12 so far ... does each line in the log file indicate an attack? or a bunch of lines ...? how do u get that?

we have an IP in the log, is it of any use ...?

unSpawn 01-04-2002 02:40 PM

Yes Anoop_chandran, each complete line represents one request made to that server, so each line can be considered an attack.

An IP address can be a spoofed address or a compromised host (human or by worm) or if they're stupid, their real addy.

If you wanted to do The Good Thing you could fire off a warning message to their upstream provider notifying them of the intrusion attempts.
Just don't expect any replies, cuz the adm staff usually is too busy doin Other Important Things, and since those stupid wintendo firewalls started making automated attack notifications no one (at ISPs) really bothers with them.
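
Added example (not part of any post in this thread): a small triage script for the kind of lines quoted in the first post. It parses Apache Common Log Format, percent-decodes the request path until it stops changing so that `%252f` and `%%35%63` resolve to `/` and `\`, flags requests whose decoded path contains a `..` segment, and counts them per source address. The function names and the benign `192.0.2.10` line are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Lines quoted in the first post, plus one constructed benign line (192.0.2.10).
SAMPLE_LOG = r'''62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
192.0.2.10 - - [30/Dec/2001:06:35:01 +0000] "GET /index.html HTTP/1.0" 200 1043
'''

# Apache Common Log Format: host ident user [time] "method target proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')


def decode_fully(path, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    for rounds in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path, rounds
        path = decoded
    return path, max_rounds


def inspect(line):
    """Return a finding dict for a traversal probe, or None for anything else."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, when, method, target, status = m.groups()
    decoded, rounds = decode_fully(target.split("?", 1)[0])
    segments = decoded.replace("\\", "/").split("/")
    if ".." not in segments:
        return None
    return {"host": host, "time": when, "status": int(status),
            "decoded": decoded, "double_encoded": rounds > 1}


def summarize(log_text):
    """Count traversal probes per source address; return (Counter, findings)."""
    findings = [f for f in map(inspect, log_text.splitlines()) if f]
    return Counter(f["host"] for f in findings), findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG)[1]:
        print(finding)
```

The status column is worth reading alongside the findings: the 400 and 404 responses in the quoted lines show the server rejected or did not find the requested path.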


All times are GMT -5.