Posted to users@httpd.apache.org by Allen May <um...@donet.com> on 2001/12/30 14:49:34 UTC

I'm being scanned... What do I do?

My home network keeps getting scanned by some network trying to get a WinNT
command line.

This log snippet below is from my /etc/httpd/logs/error_log file (see
below). There are 12,614 occurrences of this type of scan. I don't have a static
IP. I only have one file in my /var/www/html/domains directory... the
default index.html file. I don't have a scripts folder.

Is there anything I can do to trace back to the owner of that computer and
let them know that A) they have a virus or B) ask them to stop filling up my
log?

Thanks

-Allen


[Tue Dec  4 17:06:12 2001] [error] [client 64.105.78.125] File does not
exist: /var/www/html/domains/scripts/..Á../winnt/system32/cmd.exe
[Tue Dec  4 17:06:12 2001] [error] [client 64.105.78.125] File does not
exist: /var/www/html/domains/scripts/..À¯../winnt/system32/cmd.exe
[Tue Dec  4 17:06:12 2001] [error] [client 64.105.78.125] File does not
exist: /var/www/html/domains/scripts/..Á../winnt/system32/cmd.exe
[Tue Dec  4 17:06:13 2001] [error] [client 64.105.78.125] File does not
exist: /var/www/html/domains/scripts/..%5c../winnt/system32/cmd.exe
[Tue Dec  4 17:06:13 2001] [error] [client 64.105.78.125] File does not
exist: /var/www/html/domains/scripts/..%2f../winnt/system32/cmd.exe
[Tue Dec  4 17:28:50 2001] [error] [client 64.105.127.100] File does not
exist: /var/www/html/domains/c/winnt/system32/cmd.exe



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
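
Added example, not part of the original thread or of any tool named in it: a Python sketch that reads error_log entries like the ones posted above, keeps only the cmd.exe probes, and totals them per source address so the counts and time span can be sent to the owner of each netblock. The sample lines are constructed on the model of the post, use documentation addresses, and are unwrapped to one entry per line; the variant labels are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3-style error_log entry, one entry per line (not mail-wrapped).
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist: (?P<path>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
# Every probe in the post ends in the Windows NT command interpreter.
TARGET = re.compile(r"/winnt/system32/cmd\.exe$", re.IGNORECASE)
# Whatever stands where a path separator belongs in "..<sep>../".
BETWEEN_DOTS = re.compile(r"\.\.(?P<sep>[^/.]+)\.\./")
PERCENT_ESCAPES = re.compile(r"(?:%[0-9A-Fa-f]{2})+")


def classify(path):
    """Return the probe variant for a logged filename, or None if not a probe."""
    if not TARGET.search(path):
        return None
    m = BETWEEN_DOTS.search(path)
    if m is None:
        return "direct"
    sep = m.group("sep")
    if PERCENT_ESCAPES.fullmatch(sep):
        return "percent-escaped separator"
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in sep):
        return "non-ASCII separator bytes"
    return "other traversal"


def summarize(lines):
    """Map client IP -> probe count, first/last time seen, variant counts."""
    hosts = {}
    for line in lines:
        m = ENTRY.match(line.rstrip("\n"))
        variant = classify(m.group("path")) if m else None
        if variant is None:
            continue  # unrelated error or an ordinary missing file
        when = datetime.strptime(m.group("ts"), TS_FORMAT)
        h = hosts.setdefault(
            m.group("ip"),
            {"count": 0, "first": when, "last": when, "variants": Counter()},
        )
        h["count"] += 1
        h["first"] = min(h["first"], when)
        h["last"] = max(h["last"], when)
        h["variants"][variant] += 1
    return hosts


def report(hosts):
    """One text row per source address, busiest first."""
    rows = []
    for ip, h in sorted(hosts.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        kinds = ", ".join(f"{k} x{n}" for k, n in sorted(h["variants"].items()))
        rows.append(
            f"{ip}  {h['count']} probes  "
            f"{h['first']:%Y-%m-%d %H:%M:%S} to {h['last']:%H:%M:%S}  [{kinds}]"
        )
    return rows


def _line(ts, ip, path):
    return f"[Tue Dec  4 {ts} 2001] [error] [client {ip}] File does not exist: {path}"


# Constructed sample. Kept as a list because str.splitlines() would also
# split on the 0x1c control byte that can appear inside these paths.
ROOT = "/var/www/html"
SAMPLE = [
    _line("17:06:12", "192.0.2.10", ROOT + "/scripts/..\xc1\x1c../winnt/system32/cmd.exe"),
    _line("17:06:12", "192.0.2.10", ROOT + "/scripts/..\xc0\xaf../winnt/system32/cmd.exe"),
    _line("17:06:13", "192.0.2.10", ROOT + "/scripts/..%5c../winnt/system32/cmd.exe"),
    _line("17:06:13", "192.0.2.10", ROOT + "/scripts/..%2f../winnt/system32/cmd.exe"),
    _line("17:28:50", "198.51.100.7", ROOT + "/c/winnt/system32/cmd.exe"),
    _line("17:30:01", "203.0.113.5", ROOT + "/favicon.ico"),  # ordinary 404
]

if __name__ == "__main__":
    # For a real log: summarize(open(path, encoding="latin-1")) keeps every
    # raw byte as one character, so odd bytes never raise a decode error.
    print("\n".join(report(summarize(SAMPLE))))
```
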


Re: I'm being scanned... What do I do?

Posted by Alek Andreev <al...@post.com>.
Yet another reason to laugh at IIS. I've got similar scans (they never found my secret sub-site though :)) ), but there is nothing to worry about as long as you use Apache.


--
Regards,
Alek Andreev
alek@post.com


Re: I'm being scanned... What do I do?

Posted by Daniel Lopez <da...@rawbyte.com>.
Those computers are infected by an Internet worm and their sysadmins probably
don't even know it.
If you are running mod_perl, try:
http://www.onlamp.com/pub/a/apache/2001/08/16/code_red.html?page=1
If you do not have mod_perl,
http://members.shaw.ca/jobeus/codered.htm

Daniel



Re: I'm being scanned... What do I do?

Posted by Fred Koschara <wf...@L5Development.com>.
> > > > From: "Allen May" <um...@donet.com>
> > > > To: "Apache" <us...@httpd.apache.org>
> > > > Sent: Sunday, December 30, 2001 6:49 AM
> > > > Subject: I'm being scanned... What do I do?
> <...>
> > > > > Is there anything I can do to trace back to the owner of that
> > > > > computer and let them know that A) they have a virus or B) ask them
> > > > > to stop filling up my log.

I've been working on this, effectively continuously, since Daniel Lopez 
<da...@rawbyte.com> sent the link to the Apache::MSIISProbes module at 
http://www.tonkinresolutions.com/software/perl/Apache/MSIISProbes/ on Sun, 
30 Dec 2001 10:15:41 -0800.

Why did it take so long?  I didn't have mod_perl installed on my server, 
and had to find a bunch of other modules required both by mod_perl itself, 
and by Apache::MSIISProbes.  In addition, the mod_perl test scripts have 
been broken by the latest version of libwww-perl, and I had to figure out 
how to make the tests work.  (Thanks to Gisle Aas of ActiveState.com for 
answering about the problems I was having getting URI::URL recognized in 
the test.pm and hooks.t modules.)  I use a custom configuration script to 
build Apache, and had to figure out how to integrate mod_perl into it, and 
into the httpd.conf module list, neither of which are documented anywhere I 
can find - I adapted some of the work I did in setting up PHP.  I would 
write a checklist procedure for doing the whole process, but it's left me 
exhausted by now, and tomorrow there will be other dragons that need 
slaying, so I suspect I'll never get back to writing the documentation.

During the afternoon, I also looked at Early Bird v2.6, another reporting 
option found at http://www.treachery.net/~jdyson/earlybird/ which I did not 
finish installing.  In retrospect, considering the amount of effort needed 
to get mod_perl working, I think Early Bird would have been a better 
choice.  Its problem, in my opinion, is that it requires that "ExecCGI" is 
enabled for your document root - which is not necessarily the best security 
position.  It is, however, a fairly self-contained package, and would have 
been relatively easy to install if I hadn't already been waist-deep into 
the mod_perl setup.  I also think Early Bird's reporting facilities are 
better, if the documentation is correct.

Apache/*nix is safe from infection by the IIS worms, it's true, but the 
worms do plug up the network with their traffic, as well as filling our 
logs.  It's in our best interest to let the infected system's 
administrators know they've got a problem, so using one of these tools is 
highly recommended, IMHO.

-- Fred Koschara, President
    L5 Development Group



Re: I'm being scanned... What do I do?

Posted by Jeff Burns <jb...@jeffburns.org>.
Understandable, lots of ISPs get mad, but network security includes
network responsibility in my opinion.
----- Original Message -----
From: "Webmaster" <we...@rolysvirtualpets.com>
To: <us...@httpd.apache.org>
Sent: Sunday, December 30, 2001 2:36 PM
Subject: Re: I'm being scanned... What do I do?


> If I had that module Abovenet Communications would get mad.


Re: I'm being scanned... What do I do?

Posted by Webmaster <we...@rolysvirtualpets.com>.
If I had that module Abovenet Communications would get mad.

Webmaster wrote:
> 
> My system gets about 1000-2000 Code Red and Nimda scans per week.


Re: I'm being scanned... What do I do?

Posted by Webmaster <we...@rolysvirtualpets.com>.
My system gets about 1000-2000 Code Red and Nimda scans per week.



Re: I'm being scanned... What do I do?

Posted by Jeff Burns <jb...@jeffburns.org>.
hmmmm Nimda....fun stuff.
Try this site.  http://www.treachery.net/~jdyson/earlybird/

He has an add-in for Apache that responds to Nimda and Code Red scans via
email to the owner of the netblock according to the ARIN database.  You
won't likely get a REAL response from the owner but at least you've done
your part to notify the owner.

Simple installation, and config.  Even I was able to do it!

Thanx, Jef


Re: I'm being scanned... What do I do?

Posted by "J.D. Bronson" <li...@xpec.com>.
Looks like the NIMDA worm at work :)


