From owner-freebsd-questions Fri Feb 22 7:39:58 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from trinity.magpage.com (trinity.magpage.com [216.155.0.8]) by hub.freebsd.org (Postfix) with ESMTP id 7CB2437B402 for ; Fri, 22 Feb 2002 07:39:52 -0800 (PST)
Received: from magpage.com (dfrazier@poomba.magpage.com [216.155.24.136]) by trinity.magpage.com (8.11.6/8.11.3) with ESMTP id g1MFdoR10486; Fri, 22 Feb 2002 10:39:50 -0500 (EST)
Message-ID: <3C766646.3060700@magpage.com>
Date: Fri, 22 Feb 2002 10:39:50 -0500
From: Daniel Frazier
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20020110
X-Accept-Language: en-us
MIME-Version: 1.0
To: Jim Freeze
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Script Kiddies Trying to Hack Me?
References: <20020222102602.A14033@freebsdportal.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-RRT-Status: UNKNOWN
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Jim Freeze wrote:
> Hi:
>
> I was just browsing my log files on a site/ip address that has
> been live less than 12 hrs and came across:
>
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
>
> This looks like someone trying to get access to an NT system command,
> and my guess is that they are up to no good.
> Is this a fair assumption? I would guess that this is fairly
> common and that these guys are scanning new machines all the time.
>
> Makes me want to be sure that I get a firewall up before I put
> a machine on the net.
>

63.219.136.226 is a Winblows ME box and is infected with a virus/worm that's trying to propagate itself. Not to worry...

--
----------------------------------------------------------------------
Daniel Frazier                          Tel: 302-239-5900 Ext. 231
Systems Administrator                   Fax: 302-239-3909
MAGPAGE, We Power the Internet          WWW: http://www.magpage.com/
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message