LinuxQuestions.org


mindcry 02-07-2003 04:12 PM

apache access log
 
I am not sure if someone is trying to get in my box or not. I have never seen this message before or I could just be dumb. Can anyone tell me about this...


[07/Feb/2003:15:49:52 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 308 "-" "-"

[07/Feb/2003:15:51:28 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"

[07/Feb/2003:15:51:33 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"

[07/Feb/2003:15:51:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

[07/Feb/2003:15:51:37 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347 "-" "-"

[07/Feb/2003:15:51:38 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347 "-" "-"

[07/Feb/2003:15:51:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 363 "-" "-"

Proud 02-07-2003 04:15 PM

I think they're trying Windows NT exploits... nothing to fear from these fools. :)

Crashed_Again 02-07-2003 08:36 PM

It's either the Code Red or Nimda virus trying to take over a Windows machine. Don't worry about it.

hubergeek 02-10-2003 08:44 AM

Funny, I just got my Apache server running and got that same event in my access log file.

I've seen this before when I had my Windows 2000 Server; it's probably a virus trying to run cmd.exe on your Windows machine. Since I take it you don't have Windows, you should not worry about it.

Can O' Beans 02-11-2003 05:04 AM

Crashed_Again is right. And, no, we don't have to worry as it is just trying to find working exploits in Windows Webservers, IIS I think.

No effect whatsoever on our Linux/Apache servers other than wasting log space ;) I had tons of those errors the first DAY I set up my server, worried me then too :)

Crashed_Again 02-12-2003 08:38 AM

Could we, the Linux community, come up with some sort of resolution for this issue? Could we possibly write a script that recognizes these requests and somehow contacts the person infected with this virus? Then we could have a new Linux slogan that went something like, "Linux. Fixing M$ problems one virus at a time."

I would imagine that the people whose servers are infected are not aware of it but then again they could just be malicious people. At least half of my log files are filled with these things and I'm sick of it.

Any ideas on writing a script for this?

Proud 02-12-2003 12:17 PM

Writing a script eh? I have no experience, but I'd guess you want something to:
trawl the logs for things like that;
then try and work out what (virus) caused it;
then compose an email to the sender. :)
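
An added example, not written by anyone in this thread: a log-trawling script of the kind asked about above, which groups the IIS-targeted requests from the first post by source address and produces one summary line per source. The excerpts in the thread omit the client address, so the sample lines reuse the posted requests with constructed documentation addresses; the signature labels and function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Apache common/combined format. Status and size are optional because one
# excerpt in the thread is cut off right after the request string.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<uri>\S+)[^"]*"(?: (?P<status>\d{3}) \S+)?')
# Labels describe the request pattern only; they do not name a particular worm.
SIGNATURES = [
    ("root.exe probe", re.compile(r'/root\.exe\?', re.I)),
    ("cmd.exe request", re.compile(r'/cmd\.exe\?', re.I)),
    ("double-encoded backslash", re.compile(r'%255c', re.I)),
    ("invalid UTF-8 lead byte", re.compile(r'%c[01]%[0-9a-f]{2}', re.I)),
]
# Constructed sample: requests from the first post, client addresses made up.
SAMPLE = """\
192.0.2.10 - - [07/Feb/2003:15:49:52 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
192.0.2.10 - - [07/Feb/2003:15:51:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
192.0.2.10 - - [07/Feb/2003:15:51:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 363 "-" "-"
198.51.100.7 - - [07/Feb/2003:15:52:01 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
203.0.113.5 - - [07/Feb/2003:15:53:10 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"
""".splitlines()

def classify(uri):
    """Return the label of every signature the request URI matches."""
    return [name for name, rx in SIGNATURES if rx.search(uri)]

def scan(lines):
    """Group matching requests by client address; unparsable lines are skipped."""
    hosts = defaultdict(lambda: {"hits": 0, "labels": set(), "first": None, "last": None, "served": 0})
    for line in lines:
        m = LINE_RE.match(line)
        labels = classify(m["uri"]) if m else []
        if not labels:
            continue
        h = hosts[m["ip"]]
        h["hits"] += 1
        h["labels"].update(labels)
        h["first"], h["last"] = h["first"] or m["ts"], m["ts"]
        # A 2xx/3xx status means the server answered the probe; review those first.
        h["served"] += (m["status"] or "")[:1] in ("2", "3")
    return dict(hosts)

def report(hosts):
    """One summary line per source, usable as the body of an abuse notice."""
    return [f'{ip}: {h["hits"]} probe(s), {h["first"]} to {h["last"]}; '
            f'{", ".join(sorted(h["labels"]))}; answered 2xx/3xx: {h["served"]}'
            for ip, h in sorted(hosts.items())]
```

Calling `report(scan(open(path)))` on a real access log gives the per-source lines; who to send them to (for example the abuse contact for the address range) still has to be looked up separately.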


All times are GMT -5.