Old 08-31-2003, 01:56 PM   #1
grizzly
Member
 
Registered: Jun 2003
Distribution: Slackware 9.1, Solaris 9, and IPcop
Posts: 101

Rep: Reputation: 15
Apache log question--What is this?


I browse my Apache logs every couple of days and I have been finding some entries, and I do not know what they are. If you know, could you please enlighten me?

[20/Aug/2003:13:25:49 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

[20/Aug/2003:20:52:25 -0700] "GET /scripts/nsiislog.dll" 404 -

[21/Aug/2003:00:07:51 -0700] "GET /scripts/nsiislog.dll" 404 -

[21/Aug/2003:00:25:56 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276

[21/Aug/2003:00:25:57 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274

[21/Aug/2003:00:25:57 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284

[21/Aug/2003:00:25:57 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284

Is this the way some browsers work, or is this someone or something (worm) trying to mess with the system?

Last edited by grizzly; 08-31-2003 at 01:57 PM.
 
Old 08-31-2003, 02:06 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
It looks like your server is being hit by a virus designed to crack IIS (Microsoft's web server). It will have no effect on your system except for performance if you are getting lots of these hits. If it is mainly one IP then I would inform the owner and possibly put a block on that IP using iptables or hosts.deny.
 
Old 08-31-2003, 02:32 PM   #3
grizzly
Member
 
Registered: Jun 2003
Distribution: Slackware 9.1, Solaris 9, and IPcop
Posts: 101

Original Poster
Rep: Reputation: 15
Thank you for the quick reply. After reading the post, I went through and examined a little closer. I do have like 30+ of these by about 20 different IPs. One I did not list looks like they were trying a buffer overflow type thing. I have a few IPs where several came from, so I think I will write to these and let them know. This is my first time doing this type of thing, so I do have one question. Should I include the entry from the log file showing what I am referring to?
 
Old 08-31-2003, 02:40 PM   #4
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
Yes I would, but I wouldn't offer your IP address/hostname in the first instance in case it is being done maliciously and this worsens the problem. It is possible that the people that look after those machines are none the wiser and that the virus is resident in their system.
 
Old 09-02-2003, 02:18 PM   #5
Rumblefish
Member
 
Registered: Jun 2003
Location: Delaware
Distribution: Redhat 7.0, 7.2, 8.0, 9.0, FreeBSD 4.6.2
Posts: 51

Rep: Reputation: 15
I used to have a FreeBSD server co-located at a place that was known to be entirely Windows 2k based. He got cracked all the time until he switched over at my urging; however, I received the same sort of log entries as you are. Basically it's "script kiddies" trying to find a vulnerable system on a network with software designed to exploit Windows. You need to start worrying only when it stops making reference to a Windows-ish directory structure and DLLs. Still, for your benefit, lock down your system as much as possible (shut down unneeded services, disable telnet, etc.)
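
The triage discussed in this thread, as an added example that is not part of any poster's reply: it counts IIS-targeted probes per source address in an Apache access log, lists the repeat sources, and separates out any probe that was not answered with a 4xx status. It assumes Common Log Format; the request paths are the ones quoted in the first post, while the client addresses, the `/index.html` line and the names `summarize` and `decode_path` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in Common Log Format. Request paths come from the thread;
# client addresses are documentation-range placeholders, not real sources.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Aug/2003:13:25:49 -0700] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
198.51.100.7 - - [20/Aug/2003:20:52:25 -0700] "GET /scripts/nsiislog.dll" 404 -
192.0.2.10 - - [21/Aug/2003:00:25:56 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [21/Aug/2003:00:25:57 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
192.0.2.10 - - [21/Aug/2003:00:25:57 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
203.0.113.5 - - [21/Aug/2003:09:14:02 -0700] "GET /index.html HTTP/1.0" 200 1042
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^"\s]+)[^"]*" (\d{3}) (\S+)$')
# Windows/IIS-only artifacts that appear in the thread's log entries.
IIS_MARKERS = ("cmd.exe", "root.exe", "nsiislog.dll", "/winnt/", "/msadc/")

def decode_path(path, rounds=3):
    """Percent-decode repeatedly so %255c -> %5c -> backslash is seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()

def summarize(log_text, min_hits=3):
    """Return (probe hits per IP, repeat sources, probes not answered 4xx)."""
    hits, served = Counter(), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        ip, _when, _method, path, status, _size = m.groups()
        if any(marker in decode_path(path) for marker in IIS_MARKERS):
            hits[ip] += 1
            if not status.startswith("4"):
                served[ip].append(line)  # probe was not refused: look closer
    repeat = sorted(ip for ip, n in hits.items() if n >= min_hits)
    return hits, repeat, dict(served)

if __name__ == "__main__":
    hits, repeat, served = summarize(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}\t{n} IIS-targeted probes")
    print("repeat sources:", repeat, "| probes not answered 4xx:", served)
```

On an Apache host every one of these requests should come back 404, so the third return value is expected to be empty; the repeat-source list is the set of addresses worth a report or a block.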
 
  


All times are GMT -5.
