Has someone been trying to hack my site?

Anyone recognize this code?

8:03 pm on Feb 1, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 26, 2001
votes: 0

Just looked at my access logs for the month of January, and under the 404 not founds, there were a bunch of references to these URLs they were trying to access on our site.

/scripts/..../winnt/system32/cmd.exe?/c+dir
/msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir

Is this someone trying to gain access to my system? What do they think they will see?


9:16 pm on Feb 1, 2002 (gmt 0)

Full Member

10+ Year Member

joined:Dec 10, 2001
votes: 0

The answer to your question is, Yes and No.

It is not any individual trying to hack your system. It looks like some variety of the "Code Red" worm, which infects and spreads from Microsoft IIS servers that haven't been properly patched.

The giveaway is the repeated snip of code:


The worm is trying to copy the standard Windows NT/2000 command interpreter "cmd.exe" into the server's "scripts" directory, so it can execute commands on the site.

If your site is not on a Microsoft server you are probably safe. Also, Microsoft offered a patch for this months ago. I would be extremely surprised if your host had this hole and hasn't patched it yet, but it wouldn't hurt to ask them about it.

As for the 404 codes -- the fact that you found the record of it under 404 means your server returned a "not found" message. IOW the worm was not getting what it wanted -- a good thing!

9:51 pm on Feb 1, 2002 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 26, 2001
votes: 0

Actually, we are running our server on an AS/400 so there has been no problem, just thought it was interesting. This was tried several days in a row, up to 84 times per URL, so whatever was doing this was a persistent little devil.

Thanks for the info.
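
An added example, not part of the original thread: one way to run the check discussed above over an access log, counting cmd.exe probes per URL and flagging any that got something other than an error response. It assumes Common Log Format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (Common Log Format), not taken from the poster's server.
# The last line is a made-up 200 response so the alert path is exercised.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2002:03:12:01 +0000] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [14/Jan/2002:03:12:02 +0000] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [15/Jan/2002:11:40:09 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [16/Jan/2002:11:41:30 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
203.0.113.5 - - [16/Jan/2002:12:00:00 +0000] "GET /index.html HTTP/1.0" 200 5120
203.0.113.9 - - [17/Jan/2002:09:15:44 +0000] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1024
"""

# client IP, request target, status code
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def normalize(target):
    """Drop the query string, decode %-escapes, unify slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return path.replace("\\", "/").lower()

def is_cmd_probe(target):
    """True if the request asks for the Windows command interpreter."""
    return normalize(target).endswith("/winnt/system32/cmd.exe")

def summarize(log_text):
    """Map each probed URL to its hit count, source IPs and status codes."""
    report = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not is_cmd_probe(m.group(2)):
            continue
        ip, target, status = m.groups()
        entry = report.setdefault(
            target, {"hits": 0, "sources": set(), "statuses": Counter()})
        entry["hits"] += 1
        entry["sources"].add(ip)
        entry["statuses"][status] += 1
    return report

def answered(report):
    """Probed URLs that received a 2xx at least once; these need a closer look."""
    return sorted(url for url, e in report.items()
                  if any(s.startswith("2") for s in e["statuses"]))

if __name__ == "__main__":
    for url, e in sorted(summarize(SAMPLE_LOG).items()):
        print(e["hits"], sorted(e["sources"]), dict(e["statuses"]), url)
```

Probes that only ever drew 404s match the situation described in the thread; a URL returned by `answered()` means the server served something for that request and the host should be checked.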