yodaj007
asked on
security problem, fix?
I'm getting a lot of GET requests from one particular IP addy, but I'm not sure what he's trying to do. Here's some of the log entries:
68.83.207.195 - - [24/Feb/2003:13:46:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
68.83.207.195 - - [24/Feb/2003:13:46:58 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
68.83.207.195 - - [24/Feb/2003:13:46:59 -0600] "GET /c/winnt/system32/cmd.exe?
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /d/winnt/system32/cmd.exe?
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /scripts/..%255c../winnt/s
68.83.207.195 - - [24/Feb/2003:13:47:02 -0600] "GET /_vti_bin/..%255c../..%255
68.83.207.195 - - [24/Feb/2003:13:47:03 -0600] "GET /_mem_bin/..%255c../..%255
68.83.207.195 - - [24/Feb/2003:13:47:03 -0600] "GET /msadc/..%255c../..%255c..
68.83.207.195 - - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c1%1c../winnt/
68.83.207.195 - - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c0%2f../winnt/
68.83.207.195 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c0%af../winnt/
68.83.207.195 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c1%9c../winnt/
68.83.207.195 - - [24/Feb/2003:13:47:06 -0600] "GET /scripts/..%%35%63../winnt
68.83.207.195 - - [24/Feb/2003:13:47:07 -0600] "GET /scripts/..%%35c../winnt/s
68.83.207.195 - - [24/Feb/2003:13:47:08 -0600] "GET /scripts/..%25%35%63../win
68.83.207.195 - - [24/Feb/2003:13:47:09 -0600] "GET /scripts/..%252f../winnt/s
==========================
Please tell me what he's doing and what I can do to stop anything malicious. I'm running XP with the latest Apache.
Thanks,
(This questions worth a lot of points)
Jason
68.83.207.195 - - [24/Feb/2003:13:46:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
68.83.207.195 - - [24/Feb/2003:13:46:58 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
68.83.207.195 - - [24/Feb/2003:13:46:59 -0600] "GET /c/winnt/system32/cmd.exe?
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /d/winnt/system32/cmd.exe?
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /scripts/..%255c../winnt/s
68.83.207.195 - - [24/Feb/2003:13:47:02 -0600] "GET /_vti_bin/..%255c../..%255
68.83.207.195 - - [24/Feb/2003:13:47:03 -0600] "GET /_mem_bin/..%255c../..%255
68.83.207.195 - - [24/Feb/2003:13:47:03 -0600] "GET /msadc/..%255c../..%255c..
68.83.207.195 - - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c1%1c../winnt/
68.83.207.195 - - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c0%2f../winnt/
68.83.207.195 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c0%af../winnt/
68.83.207.195 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c1%9c../winnt/
68.83.207.195 - - [24/Feb/2003:13:47:06 -0600] "GET /scripts/..%%35%63../winnt
68.83.207.195 - - [24/Feb/2003:13:47:07 -0600] "GET /scripts/..%%35c../winnt/s
68.83.207.195 - - [24/Feb/2003:13:47:08 -0600] "GET /scripts/..%25%35%63../win
68.83.207.195 - - [24/Feb/2003:13:47:09 -0600] "GET /scripts/..%252f../winnt/s
==========================
Please tell me what he's doing and what I can do to stop anything malicious. I'm running XP with the latest Apache.
Thanks,
(This questions worth a lot of points)
Jason
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.