<snip>On Tuesday 09 December 2003 05:26, Lisa Durham wrote:
I am very new to Linux but was poking around in my newly set up Fedora Core 1 system today and came upon the lines below in the Apache Access Log when I used the "System Logs" icon in the System Tools Menu.
Is the IP at the beginning of each line the IP that requested the file that is shown at the end of the line, with the date and time in the center? If this isn't what's shown in this file, what is this format? What does this file tell me? Am I paranoid, or was someone trying to access my machine (but ignorantly assuming it was a Windows machine)?
Quoted Apache Access Log:
24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 366 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
217.120.149.161 - - [07/Dec/2003:18:27:17 -0600] "GET /scripts/nsiislog.dll" 404 331 "-" "-"
----------------------------------------
Thanks, Lisa
This is normal. What you're seeing is Internet worm scans looking to break into vulnerable Windows systems.
Regards, Mike Klinke
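Added example, not part of the original thread: the quoted lines follow Apache's "combined" log layout (client host, ident, user, [time], "request", status, bytes, "referer", "user-agent"), and this sketch parses four of them and groups the requests for Windows-only files by client IP. The names parse_line, windows_probes and the WINDOWS_ONLY list are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Lines copied from the access log quoted in the thread (subset).
SAMPLE = '''\
24.60.93.48 - - [07/Dec/2003:14:39:47 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 327 "-" "-"
24.60.93.48 - - [07/Dec/2003:14:39:48 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
24.199.161.83 - - [07/Dec/2003:17:59:03 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 349 "-" "-"
217.120.149.161 - - [07/Dec/2003:18:27:17 -0600] "GET /scripts/nsiislog.dll" 404 331 "-" "-"
'''

# Combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Assumption: file names from the quoted log that exist only on Windows/IIS hosts.
WINDOWS_ONLY = ("cmd.exe", "root.exe", "nsiislog.dll")

def parse_line(line):
    """Split one combined-format line into named fields, or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The request is "METHOD URI [PROTOCOL]"; the protocol may be absent,
    # as in the nsiislog.dll line.
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["uri"] = parts[1] if len(parts) > 1 else ""
    rec["protocol"] = parts[2] if len(parts) > 2 else ""
    # Decode twice: %255c -> %5c -> "\" (a double-encoded path separator).
    rec["decoded"] = unquote(unquote(rec["uri"]))
    rec["status"] = int(rec["status"])
    return rec

def windows_probes(text):
    """Map client IP -> [(status, decoded URI)] for Windows-only file requests."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and any(n in rec["decoded"].lower() for n in WINDOWS_ONLY):
            hits[rec["host"]].append((rec["status"], rec["decoded"]))
    return dict(hits)

if __name__ == "__main__":
    for host, reqs in windows_probes(SAMPLE).items():
        for status, uri in reqs:
            print(host, status, uri)
```

Every hit carries status 404: Apache on this machine had no such file to serve, so the requests were logged and nothing more.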
Thanks, Mike.
Are there similar 'worm scans' for Linux boxes? What should I do to protect my machine from them if there are? (point me towards a good website or book explaining this if you can.)
Lisa