access.log:Possible Hack attempt?

plisken · 12-30-2001, 12:58 PM

Please find below a few lines from my access.log file from apache:

.62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
62.245.144.38 - - [30/Dec/2001:06:34:32 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303

Could some one shed some light on this, is this an attempted attack of some form?

Thanks

Harry

bluecadet · 12-30-2001, 01:15 PM

that's just code red / blue trying to attack M$'s IIS server. Every running apache in the world probably logs at least 5 of those attacks every single day.

i've had at least 12 so far today. i'd guess some prominent servers get literally thuosands every day at the moment.

don't worry about it. just laugh.

Linux_Native · 01-03-2002, 05:58 AM

Sit back .. and enjoy the fact that you run linux

weblion · 01-03-2002, 04:53 PM

Damn. Okay, third try.
I'm actually running Apache via Windows until I get my other computer working and Apache set up under linux on this comp. And in the 3 days since it went online, there have been no reports of the virus.

anoop_chandran · 01-04-2002, 01:31 AM

hi,
let me tell u that my apache access.log contains so many of these lines .. . bluecadet said he had 12 so far .. does each line in the log file indicate an attack?or a bunch of lines ....?how do u get that..

we have a IP in the log is it of any use ...?

unSpawn · 01-04-2002, 02:40 PM

Yes Anoop_chandran, each complete line represents one request made to that server, so each line can be considered an attack.

An IP address can be a spoofed address or a compromised host (human or by worm) or if they're stupid, their real addy.

If you wanted to do The Good Thing you could fire off a warning message to their upstream provider notifying them of the intrusion attempts.
Just don't expect any replies, cuz the adm staff usually is too busy doin Other Important Things, and since those stupid wintendo firewalls started making automated attack notifications noone (at ISP's) really bothers with them.