hack attempt??

xclansoldier

Hello.

I'm no expert in hacking. I'm not even a novice at it. But occasionally, I check my website's error logs to see what errors people are getting and why. Today I checked them because there was a network blackout that the datacenter did because it was replacing one of their main switches (according to their e-mail.) Anyways, when I checked it, I found this and it alarmed me a bit. Here is the copy of the log:

[Sun Nov 28 16:15:19 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:19 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/scripts/..%2f../winnt/system32/cmd.exe
[Sun Nov 28 16:15:19 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:19 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Sun Nov 28 16:15:19 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/400.shtml
[Sun Nov 28 16:15:18 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/400.shtml
[Sun Nov 28 16:15:18 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:18 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/scripts/..\xc1\x9c../winnt/system32/cmd.exe
[Sun Nov 28 16:15:18 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:18 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/scripts/..\xc0\xaf../winnt/system32/cmd.exe
[Sun Nov 28 16:15:18 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/scripts/..\xc1\x1c../winnt/system32/cmd.exe
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:17 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Sun Nov 28 16:15:16 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:16 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/d/winnt/system32/cmd.exe
[Sun Nov 28 16:15:16 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:16 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/c/winnt/system32/cmd.exe
[Sun Nov 28 16:15:16 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:16 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/MSADC/root.exe
[Sun Nov 28 16:15:16 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/404.shtml
[Sun Nov 28 16:15:16 2004] [error] [client 69.241.176.7] File does not exist: /***/***/public_html/scripts/root.exe

My server uses a Linux OS. And the fact that the errors bring up someone trying to use Windows commands is what alarmed me. Am I right to be alarmed? Is this an attempted hack? Just to be cautious, I did a tracert and got their ISP address and I sent a copy of the log to my host as well as the ISP. Did I do the right thing? Like I said, I don't know how to hack or even where it begins - I'm not at all interested in it either but since I don't know, would these be good indicators of an attempted hack? And is there anything else that I should look for?

Thanks for your time.

Ryan
 

JeffBlair

I wouldn't worry about it. I get that as well in mine. It is either a script kiddie or a PC with a virus on it. It is looking for a server running Windows/IIS.
 

skyking

There were some old exploits that could get an IIS server to give up root via a script in the URL.
The kiddies still look for unpatched servers, and they do find them. Pretty pathetic.
I often write custom .htaccess files in the top level of my www directory, and lock out entire ranges that I know will never have legit business in my site, and are also the source of large volumes of these hack attempts.
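
The probe pattern discussed above, as an added example that is not part of the original thread: a Python classifier for Apache error-log lines in the format Ryan posted. It undoes the log's `\xNN` escaping, folds the 0xC0/0xC1 overlong sequences to the ASCII separators they stand for, and counts probe tags per client. The sample lines, client addresses and `/home/site` prefix are constructed placeholders, and the tag names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in the format of the log quoted above; the client
# addresses (documentation ranges) and the /home/site prefix are placeholders.
SAMPLE = r"""
[Sun Nov 28 16:15:16 2004] [error] [client 192.0.2.10] File does not exist: /home/site/public_html/scripts/root.exe
[Sun Nov 28 16:15:17 2004] [error] [client 192.0.2.10] File does not exist: /home/site/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Sun Nov 28 16:15:18 2004] [error] [client 192.0.2.10] File does not exist: /home/site/public_html/scripts/..\xc0\xaf../winnt/system32/cmd.exe
[Sun Nov 28 16:15:19 2004] [error] [client 192.0.2.10] File does not exist: /home/site/public_html/404.shtml
[Sun Nov 28 16:20:01 2004] [error] [client 198.51.100.5] File does not exist: /home/site/public_html/favicon.ico
"""
LINE = re.compile(r"\[client ([^\]]+)\] File does not exist: (.+)$")

def to_bytes(logged):
    """Undo the log's \\xNN escaping, then one layer of percent-encoding."""
    raw = re.sub(rb"\\x([0-9a-fA-F]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), logged.encode("latin-1"))
    return unquote_to_bytes(raw)

def lenient_decode(data):
    """Fold 0xC0/0xC1 two-byte sequences to ASCII, as a non-validating decoder would."""
    return re.sub(rb"[\xc0\xc1](.)",
                  lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]),
                  data, flags=re.S)

def classify(path):
    """Return tags describing why a logged path looks like an IIS probe."""
    raw = to_bytes(path.strip())
    decoded = lenient_decode(raw).replace(b"\\", b"/").lower()
    checks = [("overlong-utf8", b"\xc0" in raw or b"\xc1" in raw),
              ("encoded-separator", bool(re.search(r"%(2f|5c)", path, re.I))),
              ("traversal", b"../" in decoded),
              ("windows-binary", decoded.endswith((b"/cmd.exe", b"/root.exe")))]
    return [name for name, hit in checks if hit]

def probes_by_client(log_text):
    """Count probe tags per client address; clean 404s contribute nothing."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        tags = classify(m.group(2)) if m else []
        if tags:
            hits.setdefault(m.group(1), Counter()).update(tags)
    return hits
```

The bytes 0xC0 and 0xC1 never occur in valid UTF-8, so the `overlong-utf8` tag on its own marks a request as a probe regardless of what the server runs.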
 

xclansoldier

Well. I was worried but not too much since I did recognize the .exe command execution attempts - knowing that I'm hosted on a Windows server. I did, however, report it to Comcast since the tracert reached the destination which was a Comcast address. I figure, if it's nothing, Comcast will know that and nothing will come of it. If it is something that is considered "misuse" by Comcast, then they'll handle it.