Welcome to WebmasterWorld Guest from 54.166.114.43

Forum Moderators: phranque

Message Too Old, No Replies

Serious problems with our site. A virus? A hacker?

Serious problems with our site. A virus? A hacker?

   
1:46 am on Feb 11, 2002 (gmt 0)

10+ Year Member



Hi!

We are having big problems with our site.

We checked our log-files with Web Trends and noticed that there are many strange entries: visits to directories that do not (or should not?) excist.

Please check the statistics for last january at:
Revised to read
Our log files contain hundreds of entries like:
/scripts/..%5c../winnt/system32/cmd.exe?/c+dir
/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
etc.

The satistics for 2000-2002 are not relevant to this discussion.

Are we under attack by a hacker or is it a virus? I do hope that
somebody can help. Thanks in advance!

Regards,
Peter Rotgers

(edited by: DaveAtIFG at 5:43 pm (utc) on Feb. 11, 2002)

1:51 am on Feb 11, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm no expert, but those requests sure look like the hack attempts that my PC firewall intercepts.

I am not a Microsoft server user, but hopefully someone more knowledgable should be able to advise how to deal with it.

2:20 am on Feb 11, 2002 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



<snip>Please check the statistics for last january at:
URL snipped>

Either a visitor or your site is infected with a virus.

Sorry I don't recall the name of it.

(edited by: DaveAtIFG at 5:41 pm (utc) on Feb. 11, 2002)

2:24 am on Feb 11, 2002 (gmt 0)

WebmasterWorld Administrator lawman is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



The first time I saw similar attempts several months ago, I contacted my host who verified that someone is trying to hack into the server. I was told not to worry about it, that they had everything under control. I didn't know whether to believe them or not. I still see the same attmepts, but so far nothing has come of them.

You might want to let your host know about it. Perhaps they can reassure you.

Lawman

2:29 am on Feb 11, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's been around half a year now. see original thread [webmasterworld.com]
3:28 am on Feb 11, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I get a headache whenever I view a Webtrends report (lack of usable information).

Is that amount of 404 errors normal for your site and if not, can you find out which IPs were making those requests? More specifically, I am curious as to how many of those IP's begin with 64.

9:27 am on Feb 11, 2002 (gmt 0)

10+ Year Member



these look to me like the lines my log files were rife with a while back... was the nimda virus (??) looking for a way in