i didn't read your whole post, but looking through the little i did, yes
that looks like a scanner, it looks like they were actually focused on one
os, no you probably don't have anything much to worry about, every one i saw
was a 404 error, if they got in, they prolly would've cleaned the logs, keep
an eye out for anything strange, in case it wasn't just a random scan, check
to make sure none of those files exist- but overall you're probably safe and
yes that was a scanner- look @ the time stamps, within seconds, this person
left a huge footprint. you probably have nothing to worry about, just go
check and make sure you have no known vulnerabilities, and make sure none of
those files exist, prolly even want to look at wherever people with ms
products look at for security bulletins and see if there's anything new.
but this is just imho

// jnf

Quoting "Hill, James" <jhillat_private>:

> I have been getting this on the two web servers I run internally (Apache
> Using Jakarta). After a long weekend I came in and started reading my logs,
> and noticed this on both the web servers almost identical information on
> them. My question is this a tool (script) doing this and is it something
> that is doing mass scans?
>
> JH
>
> --->LOG
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + /C:/temp/\../ + null) null
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + /usr/bin/FlagShip_c + null) null
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp + null) null
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + /WCB/databases/instructors.passwd + null) null
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + /perl/files.pl + null) null
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + /usr/bin/FSserial + null) null
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspired/ViewCode.asp + null) null
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + /_vti_pvt/users.pwd + null) null
> 2001-09-03 11:11:07 - Ctx( ): 404 R( + SnapStream + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /usr/bin/FSserial + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /..?»../..?»../cmd1.exe + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /Sites/Knowledge/Membership/Inspired/ViewCode.asp + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/replicator/webpage.cgi/ + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /scripts/tradecli.dll + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cart.pl + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cartmanager.cgi + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cfdocs/exampleapp/publish/admin/addcontent.cfm + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/websync.exe + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/ezshopper3/loadpage.cgi + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cvsweb.cgi + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /interscan/cgi-bin/HttpSaveCSP.dll + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cvsweb.cgi + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
> 2001-09-03 11:11:08 - Ctx( ): 404 R( + /..?»../..?»../cmd.exe + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /interscan/cgi-bin/HttpSaveCSP.dll + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /4DBin/_/C:/winnt/repair/sam._ + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\..\..\autoexec.bat + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-hostsvc.sh + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /..?»../..?»../cmd.exe + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\boot.ini + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-hostsvc.sh + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/webspirs.cgi + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp2.cgi + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /iisadmpwd/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /..\..\..\boot.ini + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/bb-histlog.sh + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/webspirs.cgi + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp4.cgi + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:09 - Ctx( ): 404 R( + /../../../boot.ini + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-histlog.sh + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /scripts/passwd.txt .pl + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/lister + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /doc/packages/ + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp4.cgi + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /iisadmpwd/sensepost.exe + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-hist.sh + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp3.cgi + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /iisadmpwd/cmd1.exe + null) null
> 2001-09-03 11:11:10 - Ctx( ): 404 R( + /cgi-bin/bb-hist.sh + null) null
> 2001-09-03 11:11:11 - Ctx( ): 404 R( + /_vti_bin/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:11 - Ctx( ): 404 R( + /../../../boot.ini + null) null
> 2001-09-03 11:11:11 - Ctx( ): 404 R( + /cgi-bin/a1stats/a1disp3.cgi + null) null
> 2001-09-03 11:11:11 - Ctx( ): 404 R( + /iisadmpwd/cmd1.exe + null) null
> 2001-09-03 11:11:11 - Ctx( ): 404 R( + /msadc/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:12 - ContextManager: SocketException reading request, ignored - java.net.SocketException: Connection reset by peer: JVM_recv in socket input stream read
>     at java.net.SocketInputStream.socketRead(Native Method)
>     at java.net.SocketInputStream.read(SocketInputStream.java:86)
>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
>     at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
>     at org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestAdapter.java:115)
>     at org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServletInputStream.java:106)
>     at org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServletInputStream.java:128)
>     at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138)
>     at org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(HttpRequestAdapter.java:129)
>     at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:198)
>     at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
>     at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
>     at java.lang.Thread.run(Thread.java:484)
>
> 2001-09-03 11:11:13 - Ctx( ): 404 R( + SnapStream + null) null
> 2001-09-03 11:11:13 - Ctx( ): 404 R( + SnapStream + null) null
> 2001-09-03 11:11:14 - Ctx( ): 404 R( + /includes/global.inc + null) null
> 2001-09-03 11:11:15 - Ctx( ): 404 R( + /global.asa .htr + null) null
> 2001-09-03 11:11:15 - Ctx( ): 404 R( + /pollit/Poll_It_v2.0.cgi + null) null
> 2001-09-03 11:11:15 - Ctx( ): 404 R( + /iissamples/issamples/fastq.idq + null) null
> 2001-09-03 11:11:16 - Ctx( ): 404 R( + /cfdocs/expeval/sendmail.cfm + null) null
> 2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/wais + null) null
> 2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/DCShop + null) null
> 2001-09-03 11:11:16 - Ctx( ): 404 R( + SnapStream + null) null
> 2001-09-03 11:11:16 - Ctx( ): 404 R( + /cgi-bin/websync.exe + null) null
> 2001-09-03 11:11:16 - Ctx( ): 404 R( + /officescan/cgi/jdkRqNotify.exe + null) null
> 2001-09-03 11:11:17 - Ctx( ): 404 R( + SnapStream + null) null
> 2001-09-03 11:11:17 - Ctx( ): 404 R( + /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi + null) null
> 2001-09-03 11:11:17 - Ctx( ): 404 R( + /iissamples/issamples/fastq.idq + null) null
> 2001-09-03 11:11:17 - Ctx( ): 404 R( + /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi + null) null
> 2001-09-03 11:11:17 - Ctx( ): 404 R( + /iissamples/issamples/query.idq + null) null
> 2001-09-03 11:11:18 - Ctx( ): 404 R( + /iissamples/issamples/query.idq + null) null
> 2001-09-03 11:11:19 - Ctx( ): 404 R( + /cgi-bin/wais + null) null
> 2001-09-03 11:11:19 - Ctx( ): 404 R( + /cgi-bin/DCShop + null) null
> 2001-09-03 11:11:20 - Ctx( ): 404 R( + /iisadmpwd/cmd.exe + null) null
> 2001-09-03 11:11:20 - Ctx( ): 404 R( + /iisadmpwd/cmd.exe + null) null
> 2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/sensepost.exe + null) null
> 2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/sensepost.exe + null) null
> 2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/cmd1.exe + null) null
> 2001-09-03 11:11:21 - Ctx( ): 404 R( + /samples/cmd1.exe + null) null
> 2001-09-03 11:11:22 - Ctx( ): 404 R( + /cgi-bin/simplestmail.cgi + null) null
> 2001-09-03 11:11:22 - Ctx( ): 404 R( + /samples/cmd.exe + null) null
> 2001-09-03 11:11:22 - Ctx( ): 404 R( + /samples/cmd.exe + null) null
> 2001-09-03 11:11:22 - Ctx( ): 404 R( + /cgi-bin/sensepost.exe + null) null
> 2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/sensepost.exe + null) null
> 2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd1.exe + null) null
> 2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd1.exe + null) null
> 2001-09-03 11:11:23 - Ctx( ): 404 R( + /cgi-bin/cmd.exe + null) null
> 2001-09-03 11:11:24 - Ctx( ): 404 R( + /cgi-bin/cmd.exe + null) null
> 2001-09-03 11:11:24 - Ctx( ): 404 R( + /vti_cnf/sensepost.exe + null) null
> 2001-09-03 11:11:24 - Ctx( ): 404 R( + /vti_cnf/sensepost.exe + null) null
> 2001-09-03 11:11:25 - Ctx( ): 404 R( + /vti_cnf/cmd1.exe + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /iisadmpwd/ + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /cgi-bin/ustorekeeper.pl + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /msadc/..%5c..%5c/..%5c..%5c/winnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /.nsf/../winnt/win.ini + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /iissamples/exair/howitworks/codebrws.asp + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/glib/ + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /cgi-bin/ustorekeeper.pl + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /scripts/..%5c..%5cwinnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/glib/ + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /scripts/..%5c..%5cwinnt/system32/cmd.exe + null) null
> 2001-09-03 11:11:27 - Ctx( ): 404 R( + /usr/bin/xvcad/var_rm + null) null
> 2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/var_rm + null) null
> 2001-09-03 11:11:28 - Ctx( ): 404 R( + /vti_cnf/cmd1.exe + null) null
> 2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/igesin + null) null
> 2001-09-03 11:11:28 - Ctx( ): 404 R( + /vti_cnf/cmd.exe + null) null
> 2001-09-03 11:11:28 - Ctx( ): 404 R( + /usr/bin/xvcad/igesin + null) null
> 2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_cnf/cmd.exe + null) null
> 2001-09-03 11:11:29 - Ctx( ): 404 R( + /usr/bin/xvcad/dxfin + null) null
> 2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/sensepost.exe + null) null
> 2001-09-03 11:11:29 - Ctx( ): 404 R( + /usr/bin/xvcad/dxfin + null) null
> 2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/sensepost.exe + null) null
> 2001-09-03 11:11:29 - Ctx( ): 404 R( + /vti_bin/cmd1.exe + null) null
> 2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd1.exe + null) null
> 2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd.exe + null) null
> 2001-09-03 11:11:30 - Ctx( ): 404 R( + /vti_bin/cmd.exe + null) null
> 2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/sensepost.exe + null) null
> 2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/sensepost.exe + null) null
> 2001-09-03 11:11:31 - Ctx( ): 404 R( + /msadc/cmd1.exe + null) null
> 2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd1.exe + null) null
> 2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd.exe + null) null
> 2001-09-03 11:11:32 - Ctx( ): 404 R( + /msadc/cmd.exe + null) null
> 2001-09-03 11:11:32 - Ctx( ): 404 R( + /scripts/sensepost.exe + null) null
> 2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/sensepost.exe + null) null
> 2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/cmd1.exe + null) null
> 2001-09-03 11:11:42 - Ctx( ): 404 R( + /scripts/cmd1.exe + null) null
> 2001-09-03 11:11:43 - Ctx( ): 404 R( + /scripts/cmd.exe + null) null
> 2001-09-03 11:11:43 - Ctx( ): 404 R( + /scripts/cmd.exe + null) null
> 2001-09-03 11:11:43 - Ctx( ): 404 R( + /sensepost.exe + null) null
> 2001-09-03 11:11:44 - Ctx( ): 404 R( + /sensepost.exe + null) null
> 2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd1.exe + null) null
> 2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd1.exe + null) null
> 2001-09-03 11:11:44 - Ctx( ): 404 R( + /cmd.exe + null) null
> 2001-09-03 11:11:45 - Ctx( ): 404 R( + /cmd.exe + null) null
>
> End <--
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

// jnf

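The checks the reply walks through (404s for many distinct paths within seconds, then confirming none of the probed files exist), as an added example that is not part of the original thread. The function names, the `max_gap` and `min_paths` thresholds and the sample lines are assumptions constructed for illustration; only the log line format is taken from the quoted post.

```python
import os
import re
from datetime import datetime

# Constructed sample in the log format quoted in the thread (not the poster's log).
SAMPLE = """\
2001-09-03 11:11:07 - Ctx( ): 404 R( + /cgi-bin/bb-rep.sh + null) null
2001-09-03 11:11:07 - Ctx( ): 404 R( + /_vti_pvt/users.pwd + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /cgi-bin/cart.pl + null) null
2001-09-03 11:11:08 - Ctx( ): 404 R( + /..\\..\\..\\boot.ini + null) null
2001-09-03 11:11:09 - Ctx( ): 404 R( + /scripts/cmd.exe + null) null
2001-09-03 14:02:30 - Ctx( ): 404 R( + /favicon.ico + null) null
"""
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - Ctx\(.*?\): (\d{3}) R\( \+ (.*) \+ null\)")

def parse(text):
    """Return (timestamp, status, path) per request line; other lines (stack traces) are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append((ts, int(m.group(2)), m.group(3)))
    return out

def find_bursts(entries, max_gap=2, min_paths=5):
    """Group 404s at most max_gap seconds apart; keep groups probing >= min_paths distinct paths."""
    bursts, group = [], []
    for e in sorted(x for x in entries if x[1] == 404) + [None]:
        if group and (e is None or (e[0] - group[-1][0]).total_seconds() > max_gap):
            paths = {p for _, _, p in group}
            if len(paths) >= min_paths:
                bursts.append((group[0][0], group[-1][0], sorted(paths)))
            group = []
        if e is not None:
            group.append(e)
    return bursts

def probed_files_present(paths, docroot):
    """Return probed paths that resolve to an existing file inside docroot (expected: none)."""
    root = os.path.realpath(docroot)
    hits = []
    for p in paths:
        rel = p.replace("\\", "/").lstrip("/")
        target = os.path.realpath(os.path.join(root, rel))
        if target.startswith(root + os.sep) and os.path.exists(target):
            hits.append(p)
    return hits
```

Traversal-style probes resolve outside `docroot` and are skipped rather than followed, so the existence check never reads above the web root.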
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 09:12:03 PDT