Automated attacks on this site

This page contains some of what I find in my access_log. Maybe someone will find it useful.

You say you're Apache, but maybe you're IIS?

Queries designed to get into an MS IIS server. Bound to fail, because I'm not stupid enough to run that POS.

This log is from when I hosted it on Win98 (I know, I know). Checking if maybe I configured webroot to be c:\. Or something like that; as I said, I try to avoid IIS as much as possible:

[Mon Mar 04 21:02:50 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/scripts/root.exe
[Mon Mar 04 21:02:51 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/msadc/root.exe
[Mon Mar 04 21:02:53 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/c/winnt/system32/cmd.exe
[Mon Mar 04 21:02:57 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/d/winnt/system32/cmd.exe
[Mon Mar 04 21:03:01 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/scripts/..%5c/winnt/system32/cmd.exe
[Mon Mar 04 21:03:03 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/_vti_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Mon Mar 04 21:03:11 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/_mem_bin/..%5c/..%5c/..%5c/winnt/system32/cmd.exe
[Mon Mar 04 21:03:16 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/msadc/..%5c/..%5c/..%5c/../../../winnt/system32/cmd.exe
[Mon Mar 04 21:03:24 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/scripts/../winnt/system32/cmd.exe
[Mon Mar 04 21:03:32 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/scripts/../winnt/system32/cmd.exxe
[Mon Mar 04 21:03:36 2002] [error] [client 213.1.157.6] File does not exist: d:/usr/hans/www/scripts/../winnt/system32/cmd.exe
[Mon Mar 04 22:51:24 2002] [error] [client 213.190.50.33] File does not exist: d:/usr/hans/www/scripts/root.exe

This is some kind of attack on WebDAV:

213.200.183.83 - - [16/Aug/2004:21:00:00 -0100] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
...   \x02\xb1 are repeated a few thousand times
...   \x90     is repeated a few thousand times
...   \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 414 350 "-" "-"

Maybe I've implemented webmail insecurely?

Notice how the attacks come from 10 wildly different IP addresses.. within 43 seconds. Can you say 'network of compromised PCs'?

65.103.182.5 - - [15/Aug/2004:18:22:44 -0100] "POST /cgi-bin/contact.cgi HTTP/1.1" 404 1093 "http://neerv106.speed.planet.nl/" "-"
153.110.132.10 - - [15/Aug/2004:18:22:46 -0100] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
80.206.246.195 - - [15/Aug/2004:18:22:47 -0100] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 1093 "http://neerv106.speed.planet.nl/" "-"
82.135.33.100 - - [15/Aug/2004:18:22:49 -0100] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
200.35.83.27 - - [15/Aug/2004:18:22:52 -0100] "POST /mail.cgi HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
80.16.106.83 - - [15/Aug/2004:18:23:05 -0100] "POST /cgi-bin/form.cgi HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
212.31.54.169 - - [15/Aug/2004:18:23:21 -0100] "POST /cgi/formmail HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
65.103.182.5 - - [15/Aug/2004:18:23:22 -0100] "POST /formmail.pl HTTP/1.1" 404 1093 "http://neerv106.speed.planet.nl/" "-"
213.9.220.254 - - [15/Aug/2004:18:23:23 -0100] "POST /cgi-bin/feedback.cgi HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
200.48.218.178 - - [15/Aug/2004:18:23:27 -0100] "POST /contact.cgi HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
 ...
218.45.229.101 - - [18/Aug/2004:12:07:28 -0100] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
66.99.56.2 - - [18/Aug/2004:12:07:30 -0100] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
82.135.33.100 - - [18/Aug/2004:12:07:40 -0100] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 1093 "http://neerv106.speed.planet.nl/" "-"
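
An added example, not part of the original page: one way to flag this pattern in an access_log, a burst of POSTs to non-existent mail-form scripts arriving from many different client addresses inside a short window. The sample lines are the requests listed above with the trailing referer and user-agent fields dropped; the script-name list, the 60-second window and the five-address threshold are assumptions chosen for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Fields used from each access_log line: client, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumption: these script names (taken from the requests above) mark a mail-form probe.
MAIL_SCRIPT = re.compile(r'/(formmail|mailform|contact|feedback|form|mail)(\.(cgi|pl))?$', re.I)

# Sample input: request lines from the excerpt above, cut after the size field.
SAMPLE = """\
65.103.182.5 - - [15/Aug/2004:18:22:44 -0100] "POST /cgi-bin/contact.cgi HTTP/1.1" 404 1093
153.110.132.10 - - [15/Aug/2004:18:22:46 -0100] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 1093
80.206.246.195 - - [15/Aug/2004:18:22:47 -0100] "POST /cgi-bin/formmail.cgi HTTP/1.1" 404 1093
82.135.33.100 - - [15/Aug/2004:18:22:49 -0100] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 1093
200.35.83.27 - - [15/Aug/2004:18:22:52 -0100] "POST /mail.cgi HTTP/1.0" 404 1093
80.16.106.83 - - [15/Aug/2004:18:23:05 -0100] "POST /cgi-bin/form.cgi HTTP/1.0" 404 1093
212.31.54.169 - - [15/Aug/2004:18:23:21 -0100] "POST /cgi/formmail HTTP/1.0" 404 1093
65.103.182.5 - - [15/Aug/2004:18:23:22 -0100] "POST /formmail.pl HTTP/1.1" 404 1093
213.9.220.254 - - [15/Aug/2004:18:23:23 -0100] "POST /cgi-bin/feedback.cgi HTTP/1.0" 404 1093
200.48.218.178 - - [15/Aug/2004:18:23:27 -0100] "POST /contact.cgi HTTP/1.0" 404 1093
218.45.229.101 - - [18/Aug/2004:12:07:28 -0100] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 1093
66.99.56.2 - - [18/Aug/2004:12:07:30 -0100] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 1093
82.135.33.100 - - [18/Aug/2004:12:07:40 -0100] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 1093
""".splitlines()

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def distributed_probes(lines, window=timedelta(seconds=60), min_ips=5):
    """Return (start, end, ips) bursts: >= min_ips clients probing mail scripts within window."""
    recent, bursts = deque(), []
    for ip, when, method, path, status in filter(None, map(parse, lines)):
        if method != "POST" or status != 404 or not MAIL_SCRIPT.search(path):
            continue
        recent.append((when, ip))
        while when - recent[0][0] > window:      # drop hits older than the window
            recent.popleft()
        ips = {i for _, i in recent}
        if len(ips) >= min_ips and bursts and bursts[-1][1] >= recent[0][0]:
            bursts[-1] = (bursts[-1][0], when, bursts[-1][2] | ips)   # extend open burst
        elif len(ips) >= min_ips:
            bursts.append((recent[0][0], when, ips))
    return bursts
```

Calling distributed_probes(SAMPLE) returns the bursts as (start, end, set of client addresses) tuples; lowering min_ips makes smaller groups, such as the three requests on 18 Aug, show up as well.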

This page would have been Valid HTML 4.01! if it weren't for the examples..


@Hans © Copyright 2003-2004 Hans Neervoort