
Should I look into this further?

Posted: Thu Dec 30, 2004 11:34 pm
by genetix
I'm not much of an "expert" when it comes to Apache log files, but I just noticed this while browsing through them:

[Fri Dec 10 14:44:48 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/scripts/root.exe
[Fri Dec 10 14:44:49 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/msadc/root.exe
[Fri Dec 10 14:44:50 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/c/winnt/system32/cmd.exe
[Fri Dec 10 14:44:51 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/d/winnt/system32/cmd.exe
[Fri Dec 10 14:44:53 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/scripts/..%5c/winnt/system32/cmd.exe
[Fri Dec 10 14:44:53 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Fri Dec 10 14:44:55 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Fri Dec 10 14:44:56 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/msadc/..%5c/..%5c/..%5c/..Á/..Á/..Á/winnt/system32/cmd.exe
[Fri Dec 10 14:44:56 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/scripts/..Á/winnt/system32/cmd.exe
[Fri Dec 10 14:44:59 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/scripts/..À¯/winnt/system32/cmd.exe
[Fri Dec 10 14:45:00 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/scripts/..Áœ/winnt/system32/cmd.exe
[Fri Dec 10 14:45:03 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/scripts/..%5c/winnt/system32/cmd.exe
[Fri Dec 10 14:45:04 2004] [error] [client 24.99.59.199] File does not exist: c:/appserv/www/webdummy/www/scripts/..%2f/winnt/system32/cmd.exe

I'm assuming they were trying to send commands to my server. Something I should send over to their ISP?

I'm not sure if this is someone trying to get in or not, that's why I'm asking. I don't want to be submitting false reports. I have looked up the guy's IP and I know his location and what not. He's not behind a proxy or anything so he most likely ain't going anywhere.

Posted: Thu Dec 30, 2004 11:42 pm
by feyd
It's a bot scanning for vulnerable servers.. my server gets hit with hundreds of queries a day.. I've reported the logs to the network admins of my ISP, they haven't done anything that I know of.. but the ISP doesn't tell us much anyways.. so.. dunno.

Posted: Thu Dec 30, 2004 11:47 pm
by genetix
Okay, so it's not something I really have to worry about then. I might make a small script sometime soon just to scan my logs like once a week for any rows with cmd.exe in them. When I have the time...
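
One way to write the log scan genetix describes, added here as an example and not code from the thread. It assumes the error_log format shown in the first post and that the file is read as Latin-1; the sample lines, their IP addresses and the `c:/www` docroot are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache error_log entry: [date] [level] [client IP] File does not exist: <path>
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>[^\]]+)\] "
                     r"File does not exist: (?P<path>.+)$")
# Executables requested in the thread's log excerpt.
TARGET_RE = re.compile(r"(?:^|[/\\])(?:cmd|root)\.exe$", re.IGNORECASE)
# ".." followed by a separator or an overlong-UTF-8 lead byte (0xC0/0xC1),
# either raw or still percent-encoded in the logged path.
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\\xc0\xc1]|%(?:2[fF]|5[cC]|[cC][01]))")

# Constructed sample lines (documentation IP ranges, hypothetical docroot).
SAMPLE = [
    "[Mon Jan 03 10:00:01 2005] [error] [client 203.0.113.7] File does not exist: c:/www/scripts/root.exe",
    "[Mon Jan 03 10:00:02 2005] [error] [client 203.0.113.7] File does not exist: c:/www/scripts/..%5c/winnt/system32/cmd.exe",
    "[Mon Jan 03 10:00:04 2005] [error] [client 203.0.113.7] File does not exist: c:/www/scripts/..\u00c0\u00af/winnt/system32/cmd.exe",
    "[Mon Jan 03 11:15:30 2005] [error] [client 198.51.100.20] File does not exist: c:/www/favicon.ico",
    "[Mon Jan 03 11:16:00 2005] [notice] caught SIGTERM, shutting down",
]

def classify(path):
    """Return the reasons a logged path looks like a scanner probe."""
    decoded = unquote(path, encoding="latin-1")
    reasons = set()
    if TARGET_RE.search(decoded):
        reasons.add("target-exe")
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(decoded):
        reasons.add("traversal")
    return reasons

def scan(lines):
    """Aggregate probe hits per client IP with first/last seen times."""
    report = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "reasons": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        reasons = classify(m["path"]) if m else set()
        if not reasons:
            continue  # not a "File does not exist" entry, or an ordinary 404
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        e = report[m["ip"]]
        e["hits"] += 1
        e["first"] = min(e["first"] or ts, ts)
        e["last"] = max(e["last"] or ts, ts)
        e["reasons"] |= reasons
    return dict(report)

if __name__ == "__main__":
    for ip, e in scan(SAMPLE).items():
        print(ip, e["hits"], e["first"], e["last"], sorted(e["reasons"]))
```

For a real log, pass `open(path, encoding="latin-1")` to `scan()` so the raw bytes in the traversal variants survive decoding.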