cracko -
Joined: 12 Nov 2003 Posts: 1
Posted: Wed Nov 12, 2003 6:00 am Post subject: Log entries
Hi,
New to this so maybe this is a dumb question. Can anyone tell me what the following log entry is about? What are they/it trying to do?
68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
Thanks :?

topniz -
Joined: 11 Nov 2003 Posts: 35 Location: Metz-France
Posted: Wed Nov 12, 2003 1:28 pm Post subject:
68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
As you figured, the lines log requests sent by your browser to the Abyss server:
* the first four dotted numbers are your client IP address
* Then the date of the request and the time
* The post method (in the examples you sent, it is GET method and it could be POST, HEAD, TRACE or other...)
* The URL typed on the browser's address bar to formulate the request
* The response code issued by the server (if it is >400 it is an error)
Try to visit www.w3c.org to view the different HTTP error codes and request methods. :wink:
_________________
ToPniz
"Don't ask what the community could do for you but ask what you could do for the community"

Anonymoose -
Joined: 09 Sep 2003 Posts: 2192
Posted: Wed Nov 12, 2003 1:55 pm Post subject:
I don't think that's what they were asking...
The logs show the box was scanned either by a machine running Apache/IIS and infected by a worm, or manually by someone hoping to find a vulnerable machine to crack and use as a bouncing off point for other attacks.
Since root.exe is part of an IIS worm, you have no need to worry. The cmd.exe is the command prompt in NT / 2K / XP - it's an attempt to gain remote system access to your machine. Again, an IIS hack, and nothing to worry about as it stands. The 404 part means "File Not Found" was returned to them - they got no access to the system. Sorry to patronise if that part was too obvious.
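
The reading given in the reply above (requests for root.exe and cmd.exe are IIS worm probes, and a 404 means they got nothing) can be checked mechanically over a whole access log. The Python below is an added example, not part of the original thread: it parses Common Log Format lines, flags requests for those two executables, and uses the status code to separate rejected probes from ones worth investigating. The function names, the probe list and the last two sample lines (addresses from the 192.0.2.0/24 documentation range) are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format, as in the entries quoted in the thread:
# host ident user [time] "method target protocol" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Executable names requested in the thread's entries (assumed probe list).
PROBE_NAMES = {"root.exe", "cmd.exe"}

SAMPLE_LOG = """\
68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
192.0.2.10 - - [11/Nov/2003:21:40:02 +1133] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [11/Nov/2003:22:05:13 +1133] "GET /scripts/CMD.EXE?/c+dir HTTP/1.0" 200 512
"""  # first four lines are from the thread; the last two are constructed


def classify(line):
    """Return a finding dict for a probe request, or None for anything else."""
    m = CLF.match(line.strip())
    if m is None:
        return None
    # Drop the query string, decode %xx escapes, normalise case and slashes.
    path = unquote(m["target"].split("?", 1)[0]).lower().replace("\\", "/")
    if path.rsplit("/", 1)[-1] not in PROBE_NAMES:
        return None
    status = int(m["status"])
    # Only a 2xx answer means the server served something for the probe.
    outcome = "investigate" if 200 <= status < 300 else "rejected"
    return {"host": m["host"], "time": m["time"], "target": m["target"],
            "status": status, "outcome": outcome}


def summarize(log_text):
    """Group probe findings by client address."""
    by_host = {}
    for line in log_text.splitlines():
        finding = classify(line)
        if finding:
            by_host.setdefault(finding["host"], []).append(finding)
    return by_host
```

Calling `summarize(SAMPLE_LOG)` groups the four entries from the thread under 68.63.65.63 as rejected, while the constructed 200 response is the only one marked for investigation.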
Karasu Kami -
Joined: 22 Sep 2003 Posts: 712 Location: Colorado
aprelium -
Joined: 22 Mar 2002 Posts: 6800