Old 02-07-2003, 05:12 PM   #1
mindcry
Member
 
Registered: Nov 2002
Distribution: Libranet 2.8 Debian Solaris 9
Posts: 118

Rep: Reputation: 15
apache access log


I am not sure if someone is trying to get in my box or not. I have never seen this message before or I could just be dumb. Can anyone tell me about this...


[07/Feb/2003:15:49:52 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 308 "-" "-"

[07/Feb/2003:15:51:28 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"

[07/Feb/2003:15:51:33 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"

[07/Feb/2003:15:51:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

[07/Feb/2003:15:51:37 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347 "-" "-"

[07/Feb/2003:15:51:38 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347 "-" "-"

[07/Feb/2003:15:51:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 363 "-" "-"
 
Old 02-07-2003, 05:15 PM   #2
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116
I think they're trying Windows NT exploits... nothing to fear from these fools.
 
Old 02-07-2003, 09:36 PM   #3
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
It's either the Code Red or Nimda virus trying to take over a Windows machine. Don't worry about it.
 
Old 02-10-2003, 09:44 AM   #4
hubergeek
Member
 
Registered: Mar 2002
Location: Hackensack, NJ.
Distribution: RedHat 7.0
Posts: 75

Rep: Reputation: 15
Funny, I just got my Apache server running and got that same event in my access log file.

I've seen this before when I had my Windows 2000 Server. It's probably a virus trying to run cmd.exe on your Windows machine; since I take it you don't have Windows, you should not worry about it.
 
Old 02-11-2003, 06:04 AM   #5
Can O' Beans
Member
 
Registered: Nov 2002
Posts: 31

Rep: Reputation: 15
Crashed_Again is right. And, no, we don't have to worry as it is just trying to find working exploits in Windows Webservers, IIS I think.

No effect whatsoever on our Linux/Apache servers other than wasting log space. I had tons of those errors the first DAY I set up my server; worried me then too.
 
Old 02-12-2003, 09:38 AM   #6
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Could we, the Linux community, come up with some sort of resolution for this issue? Could we possibly write a script that recognizes these requests and somehow contacts the person infected with this virus? Then we could have a new Linux slogan that went something like, "Linux. Fixing M$ problems one virus at a time."

I would imagine that the people whose servers are infected are not aware of it, but then again they could just be malicious people. At least half of my log files are filled with these things and I'm sick of it.

Any ideas on writing a script for this?
 
Old 02-12-2003, 01:17 PM   #7
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116
Writing a script eh? I have no experience, but I'd guess you want something to:
trawl the logs for things like that;
then try and work out what (virus) caused it;
then compose an email to the sender.
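
Added example, not part of the original thread: the first two steps listed in the last post (trawl the log, then work out what kind of request it was), in Python. It labels each probe by technique rather than naming a worm, groups hits by client, and flags any probe that was not answered with a 4xx status. The request strings are the ones posted above; the client addresses (RFC 5737 documentation range), the final sample line, and the names `SIGNATURES`, `classify` and `scan` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: request strings come from the thread; the client
# addresses (192.0.2.0/24, documentation range) and the last line are made up.
SAMPLE_LOG = r'''
192.0.2.10 - - [07/Feb/2003:15:49:52 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
192.0.2.10 - - [07/Feb/2003:15:51:28 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 316 "-" "-"
192.0.2.10 - - [07/Feb/2003:15:51:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
192.0.2.77 - - [07/Feb/2003:15:51:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 363 "-" "-"
192.0.2.99 - - [07/Feb/2003:15:52:01 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
'''

# Technique signatures (hypothetical names). 0xC0/0xC1 are never valid UTF-8
# lead bytes, and %255c is a double-encoded backslash.
SIGNATURES = [
    ("invalid-utf8-traversal", re.compile(r"%c[01]%[0-9a-f]{2}", re.I)),
    ("double-encoded-traversal", re.compile(r"\.\.%255c", re.I)),
    ("root.exe-probe", re.compile(r"/root\.exe\?", re.I)),
    ("cmd.exe-probe", re.compile(r"/cmd\.exe\?", re.I)),
]
# The host prefix and the status are optional: the thread's lines omit both in places.
LINE_RE = re.compile(r'^(?:(?P<host>\S+) \S+ \S+ )?\[[^\]]+\] '
                     r'"[A-Z]+ (?P<path>\S+)[^"]*"(?: (?P<status>\d{3}))?')

def classify(path):
    """Return every probe technique visible in one request path."""
    return [name for name, rx in SIGNATURES if rx.search(path)]

def scan(log_text):
    """Group probe requests by client; record any that did not get a 4xx."""
    report = defaultdict(lambda: {"hits": 0, "tags": set(), "not_rejected": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        tags = classify(m["path"]) if m else []
        if not tags:
            continue
        entry = report[m["host"] or "unknown"]
        entry["hits"] += 1
        entry["tags"].update(tags)
        if m["status"] is None or not m["status"].startswith("4"):
            entry["not_rejected"].append((m["path"], m["status"]))
    return dict(report)

if __name__ == "__main__":
    for host, e in scan(SAMPLE_LOG).items():
        print(host, e["hits"], sorted(e["tags"]), "check:", e["not_rejected"])
```

An empty `not_rejected` list for every client is the result that matches the replies above: the server refused each probe.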
 
  

