* [Fwd: Re: Blocking hackers]
@ 2002-06-21 6:33 Joseph Jackson
0 siblings, 0 replies; only message in thread
From: Joseph Jackson @ 2002-06-21 6:33 UTC (permalink / raw)
To: linux-newbie
Phillp Morgan wrote:
> Hi,
>
> It looks like someone is trying to break into my system. This is out of my
> apache error log...
>
>
>>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
>>
> HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
>>
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
>>
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
>>
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
>>
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> r HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:34 +1000] "GET
>>
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+di
> r HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:36 +1000] "GET
>>
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../
> winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:29 +1000] "GET /MSADC/root.exe?/c+dir
>>
> HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:30 +1000] "GET
>>
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:31 +1000] "GET
>>
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:32 +1000] "GET
>>
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
>
>>61.243.140.78 - - [21/Jun/2002:13:58:33 +1000] "GET
>>
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 -
This is the pattern of the CodeRed virus that was going around the net a few
months ago. You are safe from it of course since it is targeted at windows
machines running unpatched versions of IIS.
>
> Is there any way I can block this nasty person?
>
> Who should I report this to?
>
As to who you should report this to I did a lookup on the ip address and this is
the data
Search the APNIC Whois database
Search results for '61.243.140.78'
inetnum 61.240.0.0 - 61.243.255.255
netname UNICOM
descr China United Telecommunications Corporation
descr Beijing Railway Station East Avenue
country CN
admin-c RX9-AP, inverse
tech-c RX9-AP, inverse
mnt-by MAINT-CNNIC-AP, inverse
mnt-lower MAINT-CN-CNNIC-UNICOM, inverse
changed hostmaster@apnic.net 20010817
changed ipas@cnnic.net.cn 20010828
source APNIC
Since it seems to come from a user in China I doubt there is anything at all you
could do.
Even tring to get ahold of the system admins in China is very very hard. I
wouldn't worry about it at all it looks like a random scan of your domain and
from a client that is set up to scan whole ranges of addresses no worries.
Joseph Jackson
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2002-06-21 6:33 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-06-21 6:33 [Fwd: Re: Blocking hackers] Joseph Jackson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox