From owner-freebsd-questions Fri Feb 22 7:57:30 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from pickup4-ld.pvd.loa.net (pickup.loa.com [199.171.167.59]) by hub.freebsd.org (Postfix) with SMTP id 66D0837B417 for ; Fri, 22 Feb 2002 07:57:27 -0800 (PST)
Received: (qmail 18438 invoked by uid 0); 22 Feb 2002 15:57:25 -0000
Received: from unknown (HELO pretorian) (208.130.43.221) by pickup4-ld.pvd.loa.net with SMTP; 22 Feb 2002 15:57:25 -0000
Message-ID: <006e01c1bbb9$ae40a2e0$37b4a8c0@pretorian>
From: "Brent"
To: "Jim Freeze" ,
References: <20020222102602.A14033@freebsdportal.com>
Subject: Re: Script Kiddies Trying to Hack Me?
Date: Fri, 22 Feb 2002 10:57:50 -0500
Organization: Log On America
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Actually... it looks like someone's Windows box is infected with "Code Red" or "Nimda" (I'm sure without them knowing). Anywho... what these 2 worms do is look for WinNT IIS webservers, so they actually scan everything running on port 80. I see these same kind of entries in my Apache logs. Just to let ya know... these can't hurt your machine, as they were intended for WinNT boxes. I know there's a way to have Apache NOT log those requests... can't recall it off the top of my head though.

Bmyster

----- Original Message -----
From: "Jim Freeze"
To:
Sent: Friday, February 22, 2002 10:26 AM
Subject: Script Kiddies Trying to Hack Me?
> Hi:
>
> I was just browsing my log files on a site/ip address that has
> been live less than 12 hrs and came across:
>
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
>
> This looks like someone trying to get access to an NT system command,
> and my guess is that they are up to no good.
> Is this a fair assumption? I would guess that this is fairly
> common and that these guys are scanning new machines all the time.
>
> Makes me want to be sure that I get a firewall up before I put
> a machine on the net.
> --
> Jim Freeze
> "Give some people an attoparsec and
> they'll take 16.093 Tera-angstroms"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
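Added example, not from either poster: a short Python script that parses Apache common-log lines like the ones Jim quoted, decodes the double-encoded `%255c` traversal that Nimda uses, tags the Code Red II / Nimda probe paths, and reports whether any of them actually got a 2xx (they all got 404 here, which is why Brent says they are harmless to an Apache box). The sample log lines are constructed in the shape of the thread's entries; 192.0.2.10 is a documentation address, not the scanner from the post.

```python
import re
from urllib.parse import unquote
# Apache common log format, as in the lines Jim quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Paths the Code Red II and Nimda worms probe for on IIS: the root.exe
# backdoor Code Red II drops, and cmd.exe reached through traversal.
PROBE_PATTERNS = (
    ("root.exe backdoor", re.compile(r"/root\.exe", re.I)),
    ("cmd.exe traversal", re.compile(r"/winnt/system32/cmd\.exe", re.I)),
)

def classify(line):
    """Return None for an ordinary request, or a dict describing a worm probe."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    once = unquote(m["uri"])
    # Nimda double-encodes the backslash (%255c -> %5c -> \) so IIS's
    # single-pass check misses it; decode twice to expose the traversal.
    decoded = unquote(once)
    hits = [name for name, pat in PROBE_PATTERNS if pat.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m["ip"],
        "signatures": hits,
        "decoded_uri": decoded,
        "double_encoded": once != decoded,
        # 404 means Apache had nothing at that path; only a 2xx would matter.
        "served": m["status"].startswith("2"),
    }

def summarize(log_text):
    """Group probe hits by source address; ordinary requests are dropped."""
    by_ip = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            by_ip.setdefault(hit["ip"], []).append(hit)
    return by_ip

# Constructed sample in the shape of the thread's entries (192.0.2.10 is a
# documentation address, not the scanner from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
192.0.2.10 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
192.0.2.10 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
192.0.2.10 - - [22/Feb/2002:09:30:02 -0500] "GET /index.html HTTP/1.0" 200 1432
"""
```

The logging knob Brent is probably thinking of is mod_setenvif: a `SetEnvIf Request_URI "(root|cmd)\.exe" wormprobe` line plus `env=!wormprobe` on the CustomLog directive keeps these entries out of the access log.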