Date:      Fri, 22 Feb 2002 06:38:54 -0900
From:      Beech Rintoul <akbeech@anchoragerescue.org>
To:        Jim Freeze <jfreeze@freebsdportal.com>, freebsd-questions@freebsd.org
Subject:   Re: Script Kiddies Trying to Hack Me?
Message-ID:  <20020222153855.23072AA@nebula.anchoragerescue.org>
In-Reply-To: <20020222102602.A14033@freebsdportal.com>
References:  <20020222102602.A14033@freebsdportal.com>

On Friday 22 February 2002 06:26 am, Jim Freeze wrote:
> Hi:
>
> I was just browsing my log files on a site/ip address that has
> been live less than 12 hrs and came across:
>
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 " 404 307
>
> This looks like someone trying to get access to an NT system command,
> and my guess is that they are up to no good.
> Is this a fair assumption? I would guess that this is fairly
> common and that these guys are scanning new machines all the time.
>
> Makes me want to be sure that I get a firewall up before I put
> a machine on the net.

What you're seeing is a Code Red or Nimda scan. Besides filling up your httpd 
logs, that only affects an unpatched micro$oft IIS server. These days I 
wouldn't put a machine on the net for 5 minutes without security in place.

Beech
-- 
-------------------------------------------------------------------
Beech Rintoul - IT Manager - Instructor - akbeech@anchoragerescue.org
/"\   ASCII Ribbon Campaign  | Anchorage Gospel Rescue Mission
\ / - NO HTML/RTF in e-mail  | P.O. Box 230510
 X  - NO Word docs in e-mail | Anchorage, AK 99523-0510
/ \ -----------------------------------------------------------------
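A defender-side check for the probe pattern Beech identifies, added here as an example and not part of the thread: it parses Apache common-log lines, flags requests carrying the Code Red II / Nimda signatures visible in Jim's log (root.exe, cmd.exe, the ..%255c traversal), and reports per-source counts and whether any probe ever got a 2xx, which is the one outcome that would matter on a non-IIS host. The sample log embeds the five entries from the post plus one constructed benign request; the signature set and function names are my own assumptions.

```python
import re
from collections import defaultdict

# Request fragments the Code Red II / Nimda worms probe for on IIS (assumed
# signature set, built from the requests quoted in the post). Matching is done
# on the raw request line so the double-encoded traversal (..%255c) is caught.
PROBE_SIGNATURES = {
    "root.exe":  re.compile(r"/root\.exe", re.I),      # Code Red II backdoor copy of cmd.exe
    "cmd.exe":   re.compile(r"/cmd\.exe", re.I),       # direct command-shell request
    "traversal": re.compile(r"\.\.%(25)?5c", re.I),    # ..%5c / ..%255c (encoded backslash)
}

# Apache common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Five entries from Jim's post plus one constructed, benign request.
SAMPLE_LOG = """\
63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 " 404 307
10.0.0.5 - - [22/Feb/2002:09:30:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""


def classify_request(request):
    """Return the names of every worm-probe signature found in one request line."""
    return [name for name, pat in PROBE_SIGNATURES.items() if pat.search(request)]


def summarise_probes(log_text):
    """Group probe requests by source IP: hit count, signatures seen, and whether
    any probe was answered with a 2xx (the case worth investigating)."""
    summary = defaultdict(lambda: {"hits": 0, "signatures": set(), "succeeded": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parseable log line
        sigs = classify_request(m["req"])
        if not sigs:
            continue                      # ordinary traffic, ignore
        entry = summary[m["ip"]]
        entry["hits"] += 1
        entry["signatures"].update(sigs)
        if m["status"].startswith("2"):
            entry["succeeded"] = True     # a probe got served: not just noise any more
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarise_probes(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["signatures"]), "SERVED" if info["succeeded"] else "all failed")
```

On a FreeBSD/Apache box every hit should show "all failed"; a source whose probes are ever served is the one to look at.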