Web Hosting Talk

New MS Hack ?

magnafix
11-22-2001, 10:36 AM
Are logs like these the fingerprint of some new Microsoft hack? We're running Linux/Apache, but I'm curious:

[Thu Nov 22 07:00:55 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.htm
[Thu Nov 22 07:00:55 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.html
[Thu Nov 22 07:00:56 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.dat
[Thu Nov 22 07:00:57 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.data
[Thu Nov 22 07:00:57 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.txt
[Thu Nov 22 07:00:58 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.asp
[Thu Nov 22 07:00:58 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.dbf
[Thu Nov 22 07:00:59 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.ini
[Thu Nov 22 07:00:59 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.db
[Thu Nov 22 07:01:00 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.cfg

RackMy.com
11-23-2001, 01:00 AM
Does not look like an MS hack... sorry :)

bobcares
11-27-2001, 07:03 AM
Actually, it could be a Microsoft hack.
Anyway the guy was not very successful at it... :)
You must make your servers secure and definitely use a port scanner like port sentry. It really helps.
Have a great day :)

Regards
Amar

RackMy.com
11-27-2001, 09:10 AM
"Actually, it could be a Microsoft hack." Nope, it's an Apache hack attempt.

bobcares
11-27-2001, 09:17 AM
Hi!
This would be a good learning experience for us.
If it's OK with you, can you guess what he would have tried that makes you feel this is an Apache hack attempt?
I guessed this way because when Code Red was on the loose, all Linux-based servers too were full of logs like this.

Have a great day :)

Regards
Amar

magnafix
11-27-2001, 09:36 AM
You say "it's an Apache hack attempt". Is that conjecture, or is this a known signature? Is it documented anywhere?

RackMy.com
11-27-2001, 11:10 AM
Because "/www/vhosts/" is the way Apache sets up virtual web hosts. Because they are looking for an access.* file in the scripts folder, it looks like they are looking for some type of authentication files/scripts.

It's probably not a "common" hack, but more of a singled-out attack.

Hope that helps!

magnafix
11-27-2001, 11:40 AM
Not exactly.

A request for /www/vhosts/7/72.2/htdocs/208.146/scripts/access.htm on our system simply means that the HTTP request was for:

208.146.72.2/scripts/access.htm

It doesn't make any sense to assert that because /www/vhosts was in the log, this was an attempted Apache hack. I watch tens of thousands of MS hack attempts (Code Red & Nimda) come up as 404s every day on our Apache servers.

RackMy.com
11-27-2001, 12:04 PM
I am not sure what you mean: "It doesn't make any sense to assert that because /www/vhosts was in the log, this was an attempted Apache hack."

MS does not set up directories like "/www/vhosts", but Apache does. When you saw the "cmd.exe" in your logs, that was an MS attack.

Make sense?

magnafix
11-27-2001, 12:08 PM
The '/www/vhosts' was part of the log, yes, but not part of the request.

'cmd.exe' is a part of the Nimda MS hack request.

That's the difference.

The suspicious requests are for
"/scripts/access.asp", "/scripts/access.dbf" etc.
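The point magnafix makes in the two posts above (the docroot prefix in the error log is the server's own path, and only the part after it is what the client actually requested) is exactly what a log-review script has to get right. The following is an added example, not code from anyone in this thread: it parses Apache "File does not exist" error-log lines, splits off the docroot to recover the request URI and the virtual host, and then flags a client that requests many extensions of the same basename in a short span, which is the pattern of the access.* probes posted here. The sample lines are the ones quoted in the thread plus one constructed benign line; the /www/vhosts/<a>/<b>/htdocs/<c>/ layout and the host reconstruction (<c>.<b>, giving 208.146.72.2 as magnafix states) are assumptions that mirror this site's layout and would need adjusting for another vhost scheme.

```python
"""Recover request URIs from Apache 'File does not exist' error-log lines and
flag clients that sweep many extensions of one basename (added example)."""
import posixpath
import re
from collections import defaultdict

# Constructed sample: the ten lines quoted in the thread, plus one benign
# request from a different client (constructed) so the detector has a negative.
SAMPLE_LOG = """\
[Thu Nov 22 07:00:55 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.htm
[Thu Nov 22 07:00:55 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.html
[Thu Nov 22 07:00:56 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.dat
[Thu Nov 22 07:00:57 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.data
[Thu Nov 22 07:00:57 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.txt
[Thu Nov 22 07:00:58 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.asp
[Thu Nov 22 07:00:58 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.dbf
[Thu Nov 22 07:00:59 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.ini
[Thu Nov 22 07:00:59 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.db
[Thu Nov 22 07:01:00 2001] [error] [client 212.45.9.106] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/scripts/access.cfg
[Thu Nov 22 07:05:00 2001] [error] [client 10.0.0.5] File does not exist: /www/vhosts/7/72.2/htdocs/208.146/favicon.ico
"""

# Apache 1.3-style error line as posted: "[ts] [error] [client IP] File does not exist: PATH"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Assumed docroot layout (hypothetical, copied from the thread's paths):
# /www/vhosts/<a>/<b>/htdocs/<c>/<request-uri>
DOCROOT_RE = re.compile(
    r"^/www/vhosts/(?P<a>[^/]+)/(?P<b>[^/]+)/htdocs/(?P<c>[^/]+)(?P<uri>/.*)$"
)


def parse_line(line):
    """Return {ts, ip, host, uri} for one error-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = DOCROOT_RE.match(m["path"])
    if not d:
        return None
    # Assumption: vhost dir <c> + <b> is the IP-named host, e.g. 208.146 + 72.2 -> 208.146.72.2
    host = f"{d['c']}.{d['b']}"
    return {"ts": m["ts"], "ip": m["ip"], "host": host, "uri": d["uri"]}


def classify_uri(uri):
    """Coarse label for a recovered request URI."""
    if "cmd.exe" in uri.lower():
        # IIS worm traffic (Nimda/Code Red style); a 404 on Apache, but worth counting.
        return "iis-worm-probe"
    return "other"


def find_extension_sweeps(lines, min_extensions=5):
    """Group 404s by (client, host, path-without-extension); report groups where one
    client tried at least min_extensions different extensions of the same basename."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stem, ext = posixpath.splitext(rec["uri"])
        if not ext:
            continue  # no extension, nothing to sweep
        seen[(rec["ip"], rec["host"], stem)].add(ext.lstrip("."))
    return [
        (ip, host, stem, sorted(exts))
        for (ip, host, stem), exts in seen.items()
        if len(exts) >= min_extensions
    ]


if __name__ == "__main__":
    for ip, host, stem, exts in find_extension_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{ip} swept {len(exts)} extensions of http://{host}{stem}.* : {', '.join(exts)}")
```

Run against a real error_log, the stem grouping is what separates a single scanner walking access.htm, access.asp, access.dbf and so on from ordinary broken links, and the recovered URI (not the docroot path) is what to compare against any published signature.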

RackMy.com
11-27-2001, 01:03 PM
In the words of Homer Simpson, "DOHH". I thought '/www/vhosts' was part of the request!