Web Hosting Forum | Lunarpages


Author Topic: HTTP GET question?  (Read 488 times)
bccondos
« on: July 15, 2003, 07:20:16 AM »

Does anyone have any idea why this HTTP GET message might be sent to a site?

"GET /?0.329159126.75307 HTTP/1.0" 200 34918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

It is the "?0.329159126.75307" that I find puzzling.

Out of control bot?
Hack attempt??
Or???

TIA
Logged
TWebMan
« Reply #1 on: July 17, 2003, 03:31:24 AM »

Wouldn't be too terribly concerned, unless you start seeing a lot of it.

Did you get/check an originating IP or host?

Was that the entire line?  That first part was the whole request?
Logged

"Computers cause people to make more mistakes than any other invention in history, with the possible exception of handguns and tequila."  - Unknown
"Liberty of any kind is seldom lost all at once." - D. Hume
Every day is an Ode to Joy
The planet will be fine... and so will your site
Ed
« Reply #2 on: July 17, 2003, 08:46:25 AM »

Looks as if someone tried to post the data "0.329159126.75307" using the GET method to whatever your default file is, e.g.:

index.php or index.html.

same as: http://www.domain.com/index.php?0.329159126.75307

- Ed
Logged

bccondos
« Reply #3 on: July 17, 2003, 09:08:44 PM »

Here is the whole message -- I had already blocked the IP address (and I've blanked it here).

xxx.xxx.xx.xx - - [12/Jul/2003:22:42:19 -0700] "GET /?0.971266343.43429 HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

I have an index.html page that is very basic. The message was repeating every 5 minutes or so. The digits after the GET /? would change from message to message.

Thanks to Kata and TWebman for your consideration.
Logged
TWebMan
« Reply #4 on: July 17, 2003, 09:16:59 PM »

Here's my local IIS server log for part of 6-28.  Whaddya think?  :)
Traced the IP and sent some emails out.  Got a response from krnic...looks like they are going to look into it.

02:06:37 213.189.83.102 HEAD /MSADC/root.exe 404
02:06:37 213.189.83.102 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
02:06:42 213.189.83.102 HEAD /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
02:06:42 213.189.83.102 HEAD /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
02:06:44 213.189.83.102 HEAD /_vti_bin/..%5c..%5c..%5c..%5c..%5c../winnt/system32/cmd.exe 404
02:06:45 213.189.83.102 HEAD /winnt/system32/cmd.exe 404
02:06:46 213.189.83.102 HEAD /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
02:06:47 213.189.83.102 HEAD /winnt/system32/cmd.exe 404
02:06:47 213.189.83.102 HEAD /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
02:06:48 213.189.83.102 HEAD /c/winnt/system32/cmd.exe 404
02:06:49 213.189.83.102 HEAD /winnt/system32/cmd.exe 404
02:06:50 213.189.83.102 HEAD /d/winnt/system32/cmd.exe 404
02:06:50 213.189.83.102 HEAD /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 404
02:06:51 213.189.83.102 HEAD /winnt/system32/cmd.exe 404
02:06:51 213.189.83.102 HEAD /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
02:06:54 213.189.83.102 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
02:06:56 213.189.83.102 HEAD /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
02:06:57 213.189.83.102 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
02:06:57 213.189.83.102 HEAD /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404
02:06:58 213.189.83.102 HEAD /winnt/system32/cmd.exe 404
02:06:58 213.189.83.102 HEAD /msadc/..o../winnt/system32/cmd.exe 404
02:06:59 213.189.83.102 HEAD /msadc/..Á%pc../..Á%pc../..Á%pc../winnt/system32/cmd.exe 404
02:06:59 213.189.83.102 HEAD /msadc/..Á%pc../winnt/system32/cmd.exe 404
02:07:00 213.189.83.102 HEAD /winnt/system32/cmd.exe 404
02:07:02 213.189.83.102 HEAD /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe 404
02:07:02 213.189.83.102 HEAD /msadc/..ø€€€¯../winnt/system32/cmd.exe 404
02:07:03 213.189.83.102 HEAD /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
02:07:04 213.189.83.102 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe 500
02:07:06 213.189.83.102 HEAD /scripts/..%5c../winnt/system32/cmd.exe 500
02:07:07 213.189.83.102 HEAD /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe 500
02:07:08 213.189.83.102 HEAD /scripts/..%2f../winnt/system32/cmd.exe 500
02:07:09 213.189.83.102 HEAD /scripts/..%5c..%5cwinnt/system32/cmd.exe 500
02:07:09 213.189.83.102 HEAD /scripts/..%5c../winnt/system32/cmd.exe 500
Logged

stephan
Guest
« Reply #5 on: July 18, 2003, 12:09:56 AM »

Someone is probably running a security testing program on you.

If you look at the times of each request, it's unlikely that they tried all the exploits by hand.

Just make sure you are up to date!
Logged
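
Added example, not part of any poster's reply and not code from the thread: a small Python triage over log lines in the five-field layout shown in Reply #4. It flags requests whose decoded path climbs directories or ends in cmd.exe or root.exe, then checks how tightly they cluster in time, which is the observation made in Reply #5. The sample lines and their addresses are constructed; the function names, min_hits and window are assumptions chosen for illustration.

```python
from collections import defaultdict
from urllib.parse import unquote

TARGETS = {"cmd.exe", "root.exe"}  # file names requested in the log above
# Constructed sample in the thread's "time ip method uri status" layout.
SAMPLE = """\
02:06:37 192.0.2.10 HEAD /MSADC/root.exe 404
02:06:37 192.0.2.10 HEAD /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
02:06:50 192.0.2.10 HEAD /iisadmpwd/..%2f..%2f..%2fwinnt/system32/cmd.exe 404
02:07:04 192.0.2.10 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe 500
02:09:10 198.51.100.7 GET /index.html 200
"""

def classify(uri):
    # Decode %5c / %2f / %2e, then treat "\" like "/" as a Windows server would.
    path = unquote(uri.split("?", 1)[0], encoding="latin-1")
    segments = path.replace("\\", "/").lower().split("/")
    tags = set()
    if ".." in segments:
        tags.add("traversal")
    if segments[-1] in TARGETS:
        tags.add("shell-target")
    return tags

def to_seconds(hms):
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s

def summarise(log_text, min_hits=3, window=60):
    """Group flagged requests by client and judge whether they look scripted."""
    seen = defaultdict(lambda: {"times": [], "non404": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # not in the five-field layout
        when, ip, _method, uri, status = parts
        if classify(uri):
            seen[ip]["times"].append(to_seconds(when))
            if status != "404":
                seen[ip]["non404"].append((uri, status))
    report = {}
    for ip, rec in seen.items():
        span = max(rec["times"]) - min(rec["times"])
        report[ip] = {"hits": len(rec["times"]), "span_seconds": span,
                      "scripted": len(rec["times"]) >= min_hits and span <= window,
                      "non404": rec["non404"]}
    return report

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

The non404 list picks out probes the server did not answer with 404, such as the 500 responses under /scripts/ in the log above; those are the ones to check first against the server's patch level.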
TWebMan
« Reply #6 on: July 18, 2003, 12:14:39 AM »

Yeah, they use programs.  Ever seen Winhack?  I think that's what it's called. heheh it looks for open ports...scans dunno how many IPs per minute, and saves IPs with ports as a list of "folders" that you can go back and open.
Logged

Johnny
« Reply #7 on: July 18, 2003, 02:31:42 AM »

Looks like they were targeting files on your server using proxies to hide their real IP address. They were more than likely using what some like to refer to as a stress tester, which is used by many for brute force attacks.
Logged
