
I believe this is malicious

Log files show some weird stuff


fred griffin

7:14 am on Apr 8, 2005 (gmt 0)

10+ Year Member



Hello all,

I am a newbie to web authoring and have jumped in with both feet! I was running IIS but have moved to Apache... much better IMHO!
I am seeing some alarming items in my logs (at least I think they are alarming). I was hoping that someone here could help me understand the entries and what to do about them.

1st>
from access.log:
24.8.78.159 - - [06/Apr/2005:11:28:14 -0600] "SEARCH /\x90\xc9\xc9\xc9\xc9\ <---- \xc9 is repeated a very long time

2nd>
from access.log:
24.98.218.154 - - [07/Apr/2005:12:46:19 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
24.98.218.154 - - [07/Apr/2005:12:46:19 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
24.98.218.154 - - [07/Apr/2005:12:46:20 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.98.218.154 - - [07/Apr/2005:12:46:20 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.98.218.154 - - [07/Apr/2005:12:46:20 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.98.218.154 - - [07/Apr/2005:12:46:20 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.98.218.154 - - [07/Apr/2005:12:46:20 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.98.218.154 - - [07/Apr/2005:12:46:20 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337
24.98.218.154 - - [07/Apr/2005:12:46:21 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.98.218.154 - - [07/Apr/2005:12:46:21 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.98.218.154 - - [07/Apr/2005:12:46:21 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.98.218.154 - - [07/Apr/2005:12:46:21 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.98.218.154 - - [07/Apr/2005:12:46:21 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
24.98.218.154 - - [07/Apr/2005:12:46:21 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
24.98.218.154 - - [07/Apr/2005:12:46:22 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.98.218.154 - - [07/Apr/2005:12:46:22 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
64.123.4.169 - - [07/Apr/2005:12:53:11 -0600] "get /scripts/root.exe?/c+dir" 501 315

These look malicious in nature. What are they trying to do to my web site?

How do I stop this activity?

Also, what does the following mean from the error.log file?
[Wed Apr 06 00:44:34 2005] [warn] [client 66.135.38.137] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed

Thanks for any insight you might provide.

George_hu

7:57 am on Apr 8, 2005 (gmt 0)

10+ Year Member



Hi,

As you said you're on Apache, then no problem.

1st
I prefer to autoban IPs; try this, but this is my preference.

2nd, add to .htaccess and you'll not see them again:

RedirectMatch (.*)cmd.exe$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)root.exe$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*).dll$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)shtml.exe$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*).asp$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)_vti_inf.html$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)_vti_bin$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)_vti_bin/shtml.exe/_vti_rpc$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)/awstats/awstats.pl$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)/cgi-bin/awstats.pl$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)/msadc/$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)/MSADC/$ [stoptheviruscold.invalid$1...]
RedirectMatch (.*)/iisadmpwd/$ [stoptheviruscold.invalid$1...]

3rd
I had no idea.

zCat

9:03 am on Apr 8, 2005 (gmt 0)

10+ Year Member




These look malicious in nature. What are they trying to do to my web site?

These are some kind of automated hack (probably running on some infected Windows PC) aimed at Microsoft installations (IIS?) and shouldn't affect Apache. I generally ignore them.

jdMorgan

3:44 pm on Apr 8, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is the footprint of the old NIMDA worm - Nimda is "Admin" spelled backwards.

It is coming from an infected Windows server, and asking for files that don't exist on an Apache server. Therefore, except for the bandwidth and server resources it consumes by sending these requests, it is harmless to Apache servers.

You can dispense with these requests with a 403-Forbidden response, if you so desire, using this:


# BLOCK MS IIS server security exploit
# Requests for default.ida are from a code red virus-infected webserver,
# requests for cmd.exe/root.exe are from a nimda virus-infected server.
RewriteRule /(cmd|root|shell)\.exe$ - [F]
RewriteRule ^NULL[/\ ]|\.ida|bin/ - [NC,F]

But as I said, these requests are harmless to Apache, so the above code mostly just makes you feel good about "hitting back" at the worm. Also, if your custom 403 error page is short, you may save a tiny bit of bandwidth because your server's response will be shorter than a typical custom 404 error page.

Jim
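Putting the thread's observations into a small log-triage script (an added example, not code from any poster): it parses access-log lines in the shape fred griffin quoted, flags the cmd.exe/root.exe, default.ida and encoded-traversal signatures that jdMorgan and the log itself point to, and reports whether jdMorgan's two RewriteRule patterns would have answered 403 for each path. The sample lines are constructed for the example; the 192.0.2.10 client, the default.ida entry and the SEARCH line's status code are made up.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in Apache access-log format, shaped like the entries quoted in the thread
# (the SEARCH status, the 192.0.2.10 client and the default.ida line are made up for the example).
SAMPLE_LOG = r'''
24.98.218.154 - - [07/Apr/2005:12:46:19 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
24.98.218.154 - - [07/Apr/2005:12:46:20 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.98.218.154 - - [07/Apr/2005:12:46:21 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.8.78.159 - - [06/Apr/2005:11:28:14 -0600] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9 HTTP/1.1" 400 0
64.123.4.169 - - [07/Apr/2005:12:53:11 -0600] "get /scripts/root.exe?/c+dir" 501 315
192.0.2.10 - - [07/Apr/2005:13:00:00 -0600] "GET /cgi-bin/form.pl?x=1 HTTP/1.1" 200 512
192.0.2.10 - - [07/Apr/2005:13:00:02 -0600] "GET /default.ida?NNNN HTTP/1.0" 404 280
'''.strip()
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}|-) (\d+|-)')
# (name, field to test, pattern): cmd.exe/root.exe and default.ida are the Nimda and Code Red requests
# jdMorgan names; ".." then %25/%c0/%c1/%% is double- or overlong-encoded traversal; Apache logs
# non-printable request bytes as \xNN, so a long run of them is flagged.
SIGNATURES = [
    ('nimda cmd.exe/root.exe probe', 'path',    re.compile(r'/(cmd|root)\.exe$')),
    ('code red default.ida probe',   'path',    re.compile(r'\.ida$')),
    ('encoded ../ traversal',        'target',  re.compile(r'\.\.%(25|c0|c1|%)', re.I)),
    ('non-printable bytes in URL',   'request', re.compile(r'(\\x[0-9a-f]{2}){4,}', re.I)),
]
# jdMorgan's two RewriteRule patterns, with the forum's broken pipes turned back into "|".
REWRITE_BLOCK = [re.compile(r'/(cmd|root|shell)\.exe$'), re.compile(r'^NULL[/ ]|\.ida|bin/')]

def classify(line):
    """Return (client_ip, status, [signature names], would_be_403) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, request, status = m.group(1), m.group(2), m.group(3)
    target = (request.split(' ') + [''])[1]            # request line is "METHOD target [protocol]"
    raw_path = target.split('?', 1)[0]
    path = unquote(unquote(raw_path))                  # decode twice so %255c becomes "\"
    fields = {'request': request, 'target': target, 'path': path}
    hits = [name for name, field, rx in SIGNATURES if rx.search(fields[field])]
    # Server-context mod_rewrite matches the once-decoded URL-path; "bin/" also catches /cgi-bin/ requests.
    blocked = any(rx.search(unquote(raw_path)) for rx in REWRITE_BLOCK)
    return ip, status, hits, blocked

def summarize(log_text):                               # {client_ip: Counter(signature -> count)}
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec[2]:
            per_ip[rec[0]].update(rec[2])
    return dict(per_ip)
```

Running `summarize(SAMPLE_LOG)` groups the worm probes by source address, which is the view you want before deciding whether an address is worth banning; the `would_be_403` flag shows that the `bin/` alternative in the posted rule also fires on ordinary `/cgi-bin/` paths.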