[ale] Abuse
Jason Day
jasonday at worldnet.att.net
Tue May 13 22:04:44 EDT 2003
On Tue, May 13, 2003 at 10:45:50AM -0400, Synban Administrator wrote:
> This guy has been running this script (or whatever he is running) for a
> few months now. It is an everyday occurrence and he is starting to get on
> my nerves. I can do a reverse lookup on his IP and report him to his
> ISP, but I don't know if he is worth it. Here are two lines from my log:
> 24.98.237.56 - - [13/May/2003:10:35:25 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
> 24.98.237.56 - - [13/May/2003:10:35:24 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
> 24.98.237.56 - - [13/May/2003:10:35:24 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
> 24.98.237.56 - - [13/May/2003:10:35:24 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
His system is infected with one of the code red worm variants. The worm
is trying to spread itself by connecting to random http servers and
probing for weaknesses.
I get tons of these in my own logs. Eventually, I got fed up with it,
so I wrote a quick perl script to scan my apache logs for entries like
these and add a firewall rule that drops any packets from the offending
IPs.
Jason
--
Jason Day                        jasonday at worldnet dot att dot net
http://jasonday.home.att.net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
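The log-scan-then-firewall approach Jason describes, written out as an added example (this is not his perl script, and it is not code from the ALE list). It assumes Apache's common/combined log format, a Linux host with `iptables` on the PATH, and a constructed sample log that copies the request paths quoted above plus a few made-up visitors. Source addresses are counted only when the request path matches one of the worm signatures visible in the quoted lines (`root.exe`, `winnt/system32/cmd.exe`, the `..%c1%1c..` overlong-UTF-8 traversal), local and RFC 1918 addresses are never blocked, and rules are printed rather than applied unless `dry_run=False`.

```python
"""Scan an Apache access log for Code Red / Nimda-style probes and
build iptables DROP rules for the source addresses.

Added example, not the script from the original post. Assumes the
Apache common/combined log format and a Linux host with iptables."""
import ipaddress
import re
import subprocess
from collections import Counter

# Constructed sample, modelled on the lines quoted in the original message.
SAMPLE_LOG = """\
24.98.237.56 - - [13/May/2003:10:35:25 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.98.237.56 - - [13/May/2003:10:35:24 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
192.0.2.10 - - [13/May/2003:10:36:01 -0400] "GET /index.html HTTP/1.0" 200 1043
24.98.237.56 - - [13/May/2003:10:35:24 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
127.0.0.1 - - [13/May/2003:10:36:40 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
198.51.100.7 - - [13/May/2003:10:37:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
"""

# Apache common/combined log: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths seen in the quoted log; all are IIS-only, so Apache answers 404.
PROBE_PATTERNS = [
    re.compile(r'/root\.exe', re.I),                   # backdoor copy of cmd.exe the worm looks for
    re.compile(r'/winnt/system32/cmd\.exe', re.I),     # direct cmd.exe invocation
    re.compile(r'\.\.%c[01]%[0-9a-f]{2}\.\.', re.I),   # overlong-UTF-8 traversal, e.g. ..%c1%1c..
]

# Addresses that must never be firewalled, even if a probe is logged from them.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_worm_probe(path):
    """True if the request path matches one of the worm signatures."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def scan_log(text, min_hits=1):
    """Count probes per source IP; return {ip: hits} for IPs with at least
    min_hits, skipping NEVER_BLOCK addresses and lines that do not parse."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not is_worm_probe(rec["path"]):
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # hostname-logged or malformed client field
        if any(addr in net for net in NEVER_BLOCK):
            continue
        hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def iptables_rules(offenders, chain="INPUT"):
    """One DROP rule per offending IP, sorted so the output is stable."""
    return [["iptables", "-I", chain, "-s", ip, "-j", "DROP"] for ip in sorted(offenders)]


def apply_rules(rules, dry_run=True):
    """Print each rule; execute it only when dry_run is False (needs root).
    Returns the number of rules handled."""
    for rule in rules:
        print(" ".join(rule))
        if not dry_run:
            subprocess.run(rule, check=True)
    return len(rules)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, min_hits=1)
    apply_rules(iptables_rules(found), dry_run=True)
```

Two things worth keeping in mind before running it for real: these requests only ever hit IIS, so on Apache the rules cut log noise rather than close a hole; and rules added with `-I` live only until the next reboot or `iptables -F`, while the infected cable/dial-up hosts change addresses, so the list should be expired or rebuilt on a schedule rather than grown forever.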
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale