Date: Fri, 22 Feb 2002 10:57:50 -0500
From: "Brent" <brentb@loa.com>
To: "Jim Freeze" <jfreeze@freebsdportal.com>, <freebsd-questions@freebsd.org>
Subject: Re: Script Kiddies Trying to Hack Me?
Message-ID: <006e01c1bbb9$ae40a2e0$37b4a8c0@pretorian>
References: <20020222102602.A14033@freebsdportal.com>

Actually ... it looks like someone's Windows box is infected with "code red" or "nimda" (I'm sure without them knowing) ... Anywho ... what these 2 worms do is look for WinNT IIS webservers ... so they actually scan everything running on port 80 .. I see these same kind of entries in my Apache logs.

Just to let ya know ... these can't hurt your machine ... as they were intended for WinNT boxes.

I know there's a way to have Apache NOT log those requests ... can't recall it off the top of my head though.

Bmyster

----- Original Message -----
From: "Jim Freeze" <jfreeze@freebsdportal.com>
To: <freebsd-questions@freebsd.org>
Sent: Friday, February 22, 2002 10:26 AM
Subject: Script Kiddies Trying to Hack Me?

> Hi:
>
> I was just browsing my log files on a site/ip address that has
> been live less than 12 hrs and came across:
>
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
>
> This looks like someone trying to get access to an NT system command,
> and my guess is that they are up to no good.
> Is this a fair assumption? I would guess that this is fairly
> common and that these guys are scanning new machines all the time.
>
> Makes me want to be sure that I get a firewall up before I put
> a machine on the net.
> --
> Jim Freeze
> "Give some people an attoparsec and
> they'll take 16.093 Tera-angstroms"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
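
Added example (not part of the original e-mails): a small triage script for the kind of access-log entries quoted in this thread. It percent-decodes each request path until it stops changing, matches it against signatures taken from the quoted requests, and reports per source IP whether any probe got a non-4xx answer. The names CLF, SIGNATURES, fully_decode and triage, and the last sample line, are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')

# Signatures taken from the requests quoted in the thread (matched after decoding).
SIGNATURES = {
    "root.exe shell probe": re.compile(r"/root\.exe\?", re.I),
    "cmd.exe invocation": re.compile(r"/cmd\.exe\?", re.I),
    "directory traversal": re.compile(r"\.\.[\\/]"),
}

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so %255c -> %5c -> backslash is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def triage(lines):
    """Return {ip: {"hits": [(signature, status), ...], "served": bool}}."""
    report = defaultdict(lambda: {"hits": [], "served": False})
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        ip, _, _, path, status, _ = m.groups()
        decoded = fully_decode(path)
        for name, rx in SIGNATURES.items():
            if rx.search(decoded):
                report[ip]["hits"].append((name, int(status)))
                # A non-4xx status means the server answered the probe: investigate.
                if not status.startswith("4"):
                    report[ip]["served"] = True
    return dict(report)

# The five requests quoted above, plus one constructed benign request.
SAMPLE = [
    '63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285',
    '63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283',
    '63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293',
    '63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293',
    '63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307',
    '192.0.2.10 - - [22/Feb/2002:09:30:00 -0500] "GET /index.html HTTP/1.0" 200 1024',  # constructed
]
```

Calling triage(SAMPLE) yields six signature hits for 63.219.136.226, all answered with 404, so "served" stays False; the last request matches twice because the traversal only becomes visible after the second round of decoding.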