Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: phranque
I just blocked the IP, but I am sitting here wondering what would be the purpose ? Since its directed at "mydomain" and not just an IP is this an attempt to crash my server?
"GET /scripts/root.exe?/c+dir HTTP/1.0"
"GET /MSADC/root.exe?/c+dir HTTP/1.0"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
If they are, then you are being hit by a server infected with the NIMDA virus looking for another server to infect. If you're not hosted on NT/IIS then you don't need to worry, but it is a waste of bandwidth and makes the logs a pain to go through.
It looks like a person running a bot at me. I dug into my logs and found this order of things.
IP address XX.XX.XX.XX does a search on google.com.pl on a keyword (I see the refer in the logs). They are using IE6 , WIN NT and they view a few pages like a user would.
Then a minute or so later the same IP sends a bot that grabs up pages "244 today repeating the same pages" while that is happening it is also making a bad request for "http://mydomain.com/a" 8600 of that bad request today. All that happens in less then 5 minutes.
I was visted twice in January and today was the first for February.
Whats funny is the keywords they are used. One is a two word phrase that I sit at number 4 out of 500,000. But the other is a one word search that I sit at 470 out of 2 million. They clicked that link at 470.
But in total today 8900 requests to the server in less then 5 minutes is a bit much.
Any thoughts ?