Log entries

 
cracko
-


Joined: 12 Nov 2003
Posts: 1

Posted: Wed Nov 12, 2003 6:00 am    Post subject: Log entries

Hi,
New to this so maybe this is a dumb question. Can anyone tell me what the following log entry is about? What are they/it trying to do?

68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427

Thanks :?
topniz
-


Joined: 11 Nov 2003
Posts: 35
Location: Metz-France

Posted: Wed Nov 12, 2003 1:28 pm

68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427

As you figure it, the lines log requests sent by your browser to the Abyss server:
* The first four dotted numbers are your client IP address
* Then the date of the request and the time
* The post method (in the examples you sent, it is the GET method and it could be POST, HEAD, TRACE or other...)
* The URL typed in the browser's address bar to formulate the request
* The response code issued by the server (if it is >400 it is an error)

Try to visit www.w3c.org to view the different HTTP error codes and request methods. :wink:
_________________
ToPniz
"Don't ask what the community could do for you but ask what you could do for the community"
Anonymoose
-


Joined: 09 Sep 2003
Posts: 2192

Posted: Wed Nov 12, 2003 1:55 pm

I don't think that's what they were asking...

The logs show the box was scanned either by a machine running Apache/IIS and infected by a worm, or manually by someone hoping to find a vulnerable machine to crack and use as a bouncing off point for other attacks.

Since root.exe is part of an IIS worm, you have no need to worry. The cmd.exe is the command prompt in NT / 2K / XP - it's an attempt to gain remote system access to your machine. Again, an IIS hack, and nothing to worry about as it stands. The 404 part means "File Not Found" was returned to them - they got no access to the system. Sorry to patronise if that part was too obvious.
Karasu Kami
-


Joined: 22 Sep 2003
Posts: 712
Location: Colorado

Posted: Wed Nov 12, 2003 6:36 pm    Post subject: Heh

Good job anony.

We used to get thousands of these kinds of "log" posts on our forum, it was simply annoying. Now we have someone to take care of it. Thanks ^^;
_________________
Thank you all. Aprelium most importantly.
*Some may not be complete*
http://paeon-hosting.com
http://quartermoon.info
http://loc.paeon-hosting.com
http://genjipoetry.paeon-hosting.com
aprelium
-


Joined: 22 Mar 2002
Posts: 6800

Posted: Thu Nov 13, 2003 4:11 am    Post subject: Re: Log entries

cracko,

This log shows an attack that targets Microsoft IIS web servers. Abyss is not vulnerable to the same flaws so you don't have to worry. Please read http://www.aprelium.com/forum/viewtopic.php?t=807 for a similar topic.
_________________
Support Team
Aprelium - http://www.aprelium.com
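An added example, not part of the original thread and not Aprelium's code: a small Python scan over access-log lines in the format quoted above. It flags the root.exe / cmd.exe probes discussed in the replies and separates those refused with an error status from those that were answered. The constructed sample lines, the 192.0.2.x addresses, the function name `scan` and the rule "4xx/5xx means refused" are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format, the layout of the entries quoted in this thread.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Signature from the thread: root.exe or cmd.exe with a "/c+<command>" query.
PROBE = re.compile(r'/(root|cmd)\.exe\?/c\+', re.IGNORECASE)

SAMPLE = [
    # The four entries from the question.
    '68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427',
    '68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427',
    '68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427',
    '68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427',
    # Constructed lines (assumed): benign hit, answered probe, damaged entry.
    '192.0.2.10 - - [11/Nov/2003:21:40:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.20 - - [11/Nov/2003:21:41:00 +0100] "GET /Scripts/CMD.EXE?/c+dir HTTP/1.0" 200 512',
    'truncated line without a request',
]

def scan(lines):
    """Return (report, unparsed). report maps source IP to probes split into
    'rejected' (4xx/5xx) and 'answered' (anything else, worth investigating)."""
    report = defaultdict(lambda: {"rejected": [], "answered": []})
    unparsed = []
    for raw in lines:
        line = raw.strip()
        m = CLF.match(line)
        if m is None:
            if line:
                unparsed.append(line)  # keep damaged entries visible
            continue
        target = unquote(m["target"])  # normalise %-escapes before matching
        if not PROBE.search(target):
            continue
        status = int(m["status"])
        bucket = "rejected" if status >= 400 else "answered"
        report[m["ip"]][bucket].append((m["ts"], target, status))
    return dict(report), unparsed

if __name__ == "__main__":
    report, unparsed = scan(SAMPLE)
    for ip, hits in report.items():
        print(ip, "rejected:", len(hits["rejected"]), "answered:", len(hits["answered"]))
```

On the sample, all four entries from the question land in "rejected", matching the replies above; an entry in "answered" is the case that would need a closer look at the server.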
All times are GMT + 1 Hour