
Website Technology Issues Forum

    
Has someone been trying to hack my site?
Anyone recognize this code?
jaeden




 
Msg#: 726 posted 8:03 pm on Feb 1, 2002 (gmt 0)

Just looked at my access logs for the month of January, and under the 404 not founds, there were a bunch of references to these URLs they were trying to access on our site.


/scripts/..../winnt/system32/cmd.exe?/c+dir
/msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir

Is this someone trying to gain access to my system? What do they think they will see?

Jaeden

 

bruhaha




 
Msg#: 726 posted 9:16 pm on Feb 1, 2002 (gmt 0)

The answer to your question is, Yes and No.

It is not any individual trying to hack your system. It looks like some variety of the "Code Red" worm, which infects and spreads from Microsoft IIS servers that haven't been properly patched.

The giveaway is the repeated snip of code:

winnt/system32/cmd.exe?/

The worm is trying to copy the standard Windows NT/2000 command interpreter "cmd.exe" into the server's "scripts" directory, so it can execute commands on the site.

If your site is not on a Microsoft server you are probably safe. Also, Microsoft offered a patch for this months ago. I would be extremely surprised if your host had this hole and hasn't patched it yet, but it wouldn't hurt to ask them about it.

As for the 404 codes -- the fact that you found the record of it under 404 means your server returned a "not found" message. IOW the worm was not getting what it wanted -- a good thing!

jaeden




 
Msg#: 726 posted 9:51 pm on Feb 1, 2002 (gmt 0)

Actually, we are running our server on an AS/400 so there has been no problem, just thought it was interesting. This was tried several days in a row, up to 84 times per URL, so whatever was doing this was a persistent little devil.

Thanks for the info.
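
Added example, not part of the original thread: a log check that counts the probe requests quoted above per URL and per source, and lists any that the server answered with something other than 404. It assumes Common Log Format; the sample lines, IP addresses and the function name summarize_probes are constructed for illustration.

```python
import re
from collections import Counter

# Probe markers taken from the request paths quoted in the thread.
PROBE = re.compile(r"(cmd\.exe|root\.exe)\?/c\+", re.IGNORECASE)
# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges, invented timestamps and sizes).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2002:03:12:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [14/Jan/2002:03:12:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [14/Jan/2002:03:12:03 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [15/Jan/2002:11:40:09 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [15/Jan/2002:11:40:10 +0000] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1432
203.0.113.5 - - [15/Jan/2002:12:00:00 +0000] "GET /index.html HTTP/1.0" 200 5120
"""

def summarize_probes(log_text):
    """Count probe requests per path and per source; collect any not answered 404."""
    per_path, per_source, answered = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, _method, path, status = m.groups()
        if not PROBE.search(path):
            continue  # ordinary traffic
        per_path[path.lower()] += 1  # fold case so /MSADC/ and /msadc/ count together
        per_source[host] += 1
        if status != "404":
            # Anything other than "not found" means the request needs a closer look.
            answered.append((host, path, int(status)))
    return per_path, per_source, answered

if __name__ == "__main__":
    paths, sources, answered = summarize_probes(SAMPLE_LOG)
    for path, n in paths.most_common():
        print(f"{n:4d}  {path}")
    for host, n in sources.most_common():
        print(f"{n:4d}  {host}")
    for host, path, status in answered:
        print(f"REVIEW: {host} got {status} for {path}")
```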
