Hacking attempt?

**Glaanieboy** · October 24th, 2003

I just checked my Apache2 logs and foudn this:

Code:

202.9.*.* - - [24/Oct/2003:21:39:46 +0200] "GET /scripts/nsiislog.dll" 404 306

(part of the IP has been removed for privacy issues)

I traced the IP back to a provider somewhere in India, since I don't know anyone in India and seeing that he/she is trying to access a IIS(?) log script(?), should I block the IP? Or is this normal?

**SPeedY_B** · October 24th, 2003

probably a crawler/robot. As it says, they received a 404 anyway(?), so it shouldn't really matter.

Probably only really worth blocking the IP if it's a repeated event.

**j79zlr** · October 24th, 2003

Don't worry, I get these in my 404 logs all the time:

/MSADC/root.exe?/c+dir

/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

etc, that is the NIMDA or Code Red trojan, but I'm on FreeBSD

so good luck infecting me.

**SPeedY_B** · October 24th, 2003

*tries really hard* >_<

**j79zlr** · October 24th, 2003

**X-Istence** · October 25th, 2003

Thats just nimda/code red.

I get about 5,000 of those request a day.

**Glaanieboy** · October 25th, 2003

But it only affects IIS on a Windows machine, right?

**j79zlr** · October 25th, 2003

yep

**SPeedY_B** · October 25th, 2003

Correct

[edit] Beaten to it

October 28th, 2003

Well the most hack attempts I get are from the middle east or asia.

On the other hand I get a few via europe with the user having an asian or middle east server.

Probably better off just blocking their addie for the time being.

October 28th, 2003

most of the attempts i get are from brazil. they got a real problem with hackers over there.
then i get the guys who try to hide their identity by using some a different IP. its really annoying.

**Friend of Bill** · October 28th, 2003

I get em' from several parts of Asia and Brazil mainly, but none have been successful in penetrating my made-in-america defenses.

**Enyo** · October 28th, 2003

Just some general comments to go out in no particular order:

1) Code Red or Nmida probes (or any worm activity for that matter) are not hacking attempts.

2) You can not be sure of the location of an "attacker" and it not important where they are anyway.

3) Chill out and be happy your protected

Blacklist repetitive IPs that cause you grief.

October 28th, 2003

I wonder if they could just send us the honey's from brazil and let the guys go nuke each other with their trojans and leave the chicks to us red blooded sport minded guys

October 24th, 2003	Top \| #1
Glaanieboy OSNN Veteran Addict Joined: March 2002 Location: The Netherlands Posts: 2,626 Reputation: 270 Power: 150	Hacking attempt? I just checked my Apache2 logs and foudn this: Code: 202.9.. - - [24/Oct/2003:21:39:46 +0200] "GET /scripts/nsiislog.dll" 404 306 (part of the IP has been removed for privacy issues) I traced the IP back to a provider somewhere in India, since I don't know anyone in India and seeing that he/she is trying to access a IIS(?) log script(?), should I block the IP? Or is this normal?

October 24th, 2003	Top \| #2
SPeedY_B I may actually be insane. Joined: March 2002 Location: Midlands, England Posts: 15,800 Reputation: 2877 Power: 307	probably a crawler/robot. As it says, they received a 404 anyway(?), so it shouldn't really matter. Probably only really worth blocking the IP if it's a repeated event. 1. SPeedYB.co.uk 2. CamPortal.co.uk 3. MacIRC.co.uk

October 24th, 2003	Top \| #3
j79zlr Glaanies script monkey Joined: February 2003 Location: Chicago Posts: 2,725 Reputation: 1520 Power: 152	Don't worry, I get these in my 404 logs all the time: /MSADC/root.exe?/c+dir /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir etc, that is the NIMDA or Code Red trojan, but I'm on FreeBSD so good luck infecting me. http://www.j79zlr.com

October 24th, 2003	Top \| #4
SPeedY_B I may actually be insane. Joined: March 2002 Location: Midlands, England Posts: 15,800 Reputation: 2877 Power: 307	tries really hard >_< 1. SPeedYB.co.uk 2. CamPortal.co.uk 3. MacIRC.co.uk

October 24th, 2003	Top \| #5
j79zlr Glaanies script monkey Joined: February 2003 Location: Chicago Posts: 2,725 Reputation: 1520 Power: 152	http://www.j79zlr.com

Latest News Posts

Latest Forum Posts

Latest Member Blogs

October 25th, 2003	Top \| #6
X-Istence * Joined: December 2001 Location: USA Posts: 6,490 Reputation: 2808 Power: 217	Thats just nimda/code red. I get about 5,000 of those request a day. My blog!

October 25th, 2003	Top \| #7
Glaanieboy OSNN Veteran Addict Joined: March 2002 Location: The Netherlands Posts: 2,626 Reputation: 270 Power: 150	But it only affects IIS on a Windows machine, right?

October 25th, 2003	Top \| #8
j79zlr Glaanies script monkey Joined: February 2003 Location: Chicago Posts: 2,725 Reputation: 1520 Power: 152	yep http://www.j79zlr.com

October 25th, 2003	Top \| #9
SPeedY_B I may actually be insane. Joined: March 2002 Location: Midlands, England Posts: 15,800 Reputation: 2877 Power: 307	Correct [edit] Beaten to it 1. SPeedYB.co.uk 2. CamPortal.co.uk 3. MacIRC.co.uk

October 28th, 2003	Top \| #10
Leevoy Unregistered Posts: n/a	Well the most hack attempts I get are from the middle east or asia. On the other hand I get a few via europe with the user having an asian or middle east server. Probably better off just blocking their addie for the time being.

October 28th, 2003	Top \| #11
Bronx Bomber Unregistered Posts: n/a	most of the attempts i get are from brazil. they got a real problem with hackers over there. then i get the guys who try to hide their identity by using some a different IP. its really annoying.

October 28th, 2003	Top \| #12
Friend of Bill What, me worry? Joined: April 2002 Posts: 1,572 Reputation: 20 Power: 136	I get em' from several parts of Asia and Brazil mainly, but none have been successful in penetrating my made-in-america defenses.

October 28th, 2003	Top \| #13
Enyo OSNN Veteran Addict Joined: February 2003 Posts: 1,338 Reputation: 330 Power: 126	Just some general comments to go out in no particular order: 1) Code Red or Nmida probes (or any worm activity for that matter) are not hacking attempts. 2) You can not be sure of the location of an "attacker" and it not important where they are anyway. 3) Chill out and be happy your protected Blacklist repetitive IPs that cause you grief.

October 28th, 2003	Top \| #14
Leevoy Unregistered Posts: n/a	I wonder if they could just send us the honey's from brazil and let the guys go nuke each other with their trojans and leave the chicks to us red blooded sport minded guys

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
DoS Attempt on my E-mail	kcnychief	Windows Desktop Systems	64	March 12th, 2007 1:08am
Another bad phishing attempt	vivid_vibe	Green Room	3	March 12th, 2005 4:38am
Possible Browser Hijack attempt	jw50	Windows Desktop Systems	8	February 17th, 2005 9:52am
My Mix (1st Attempt)	Teddy	Green Room	29	June 5th, 2004 2:43pm
Help! Screwed up partitioning attempt	Bob Sinclar	Windows Desktop Systems	4	January 29th, 2002 6:07am