From: Jim Freeze
To: freebsd-questions@freebsd.org
Date: Fri, 22 Feb 2002 10:26:02 -0500
Subject: Script Kiddies Trying to Hack Me?
Message-ID: <20020222102602.A14033@freebsdportal.com>

Hi:

I was just browsing my log files on a site/IP address that has been live
less than 12 hrs and came across:

63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 " 404 307

This looks like someone trying to get access to an NT system command,
and my guess is that they are up to no good. Is this a fair assumption?

I would guess that this is fairly common and that these guys are
scanning new machines all the time. Makes me want to be sure that I get
a firewall up before I put a machine on the net.

-- 
Jim Freeze
"Give some people an attoparsec and they'll take 16.093 Tera-angstroms"
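
Added example, not part of the original message: a small triage script for the kind of access-log entries quoted above. It percent-decodes each request until stable (so the %255c in the last entry resolves to a backslash), tags requests for root.exe or cmd.exe, and reports per source IP whether any probe got a response other than 404. The function names and tag names are assumptions made for this sketch; the first five sample lines are copied from the message and the sixth is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common log format; tolerates a stray space before the closing quote.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: (\S+))?\s*" (\d{3}) (\S+)$')

SAMPLE = [  # first five lines are from the message, the last one is constructed
    '63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285',
    '63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283',
    '63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293',
    '63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293',
    '63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 " 404 307',
    '192.0.2.10 - - [22/Feb/2002:09:30:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
]

def fully_decode(s, max_rounds=5):
    """Percent-decode until stable (bounded); return (text, rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds and unquote(s) != s:
        s, rounds = unquote(s), rounds + 1
    return s, rounds

def classify(line):
    """Return (ip, status, sorted tags) for a log line, or None if it does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None
    ip, _ts, _method, target, _proto, status, _size = m.groups()
    decoded, rounds = fully_decode(target)
    # Drop the query string, treat backslash as a separator, ignore case.
    path = decoded.split("?", 1)[0].replace("\\", "/").lower()
    tags = {name for name, hit in (
        ("windows-shell-probe", re.search(r"(?:^|/)(?:root|cmd)\.exe$", path)),
        ("path-traversal", "../" in path),
        ("double-encoded", rounds > 1)) if hit}
    return ip, int(status), sorted(tags)

def summarize(lines):
    """Per source IP: tagged request count, tags seen, and responses other than 404."""
    report = defaultdict(lambda: {"probes": 0, "tags": set(), "non_404": 0})
    for line in lines:
        hit = classify(line)
        if hit and hit[2]:
            entry = report[hit[0]]
            entry["probes"] += 1
            entry["tags"].update(hit[2])
            entry["non_404"] += hit[1] != 404
    return dict(report)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non_404 count of zero, as for the entries in the message, means the server answered every tagged request with "not found"; any other status on such a request is the line to review first.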