Chinese cmd.exe requests

Is this Nimda related? Still?

casualsub

4:51 pm on Jan 14, 2002 (gmt 0)

Thanks to the help of this site I am now trawling through my sites' stats. Perhaps you can help with my analysis?

Both my sites are attracting a lot of failed requests for cmd.exe files in various system-esque folders. Site searching here it looks like this is Nimda related, but is that correct? I assumed Nimda traffic would have been strangled by now, but these requests go right up to the most current day on the log; I take it my assumption is naive?

Also I don't know if it is relevant but most of these requests seem to come from the surprising number of Chinese visitors the sites receive. Has anyone else noticed this phenomenon?

mivox

9:25 pm on Jan 20, 2002 (gmt 0)

Yep... it's people trolling for vulnerable web servers to infect with nasty worms... Don't recall if it's Nimda, Code Red or just generic sniffing about.

Are you hosted on Linux? If so, the worst trouble they could ever cause you is cluttered up log files, and a server response-time slow down if a whole bunch of requests come in at once.

casualsub

9:42 pm on Jan 20, 2002 (gmt 0)

The sites are running on NT boxes but they're fully patched so should be okay. I've been talking to the guys hosting the sites about this as in theory they should be blocking this kind of traffic before it hits these servers. In the meantime I've filtered out this traffic in my analysis as the logs were definitely 'cluttered'.
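The filtering step casualsub describes can be scripted rather than done by hand. Below is an added example, not code from anyone in this thread: it parses Apache Common Log Format lines, URL-decodes each request path (twice, to catch the double-encoded backslash used by these scanners), separates cmd.exe / root.exe / winnt\system32 probes from genuine traffic, counts probes per source IP, and flags any probe that did not fail with a 4xx, since on a patched server such a request should never succeed. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache Common Log Format. The addresses are RFC 5737
# documentation ranges and the timestamps are made up to match the thread date.
LOG_SAMPLE = """\
203.0.113.7 - - [14/Jan/2002:16:51:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 296
203.0.113.7 - - [14/Jan/2002:16:51:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
203.0.113.7 - - [14/Jan/2002:16:51:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
198.51.100.22 - - [14/Jan/2002:16:52:10 +0000] "GET /index.html HTTP/1.1" 200 5123
198.51.100.22 - - [14/Jan/2002:16:52:11 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048
192.0.2.9 - - [14/Jan/2002:16:53:44 +0000] "GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
192.0.2.9 - - [14/Jan/2002:16:53:45 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1024
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that mark a Nimda / Code Red II style scan once the path has been
# decoded and backslashes folded to slashes. cmd.exe and root.exe are the
# command shells those worms tried to reach on IIS boxes.
PROBE_SIGNATURES = ("cmd.exe", "root.exe", "winnt/system32")


def normalise_path(path: str) -> str:
    """Decode twice (so %255c -> %5c -> '\\'), lowercase, fold '\\' to '/'."""
    decoded = unquote(unquote(path, errors="replace"), errors="replace")
    return decoded.lower().replace("\\", "/")


def is_worm_probe(path: str) -> bool:
    """True if the request path carries one of the known worm-scan signatures."""
    norm = normalise_path(path)
    return any(sig in norm for sig in PROBE_SIGNATURES)


def parse_line(line: str):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text: str):
    """Split a log into (clean records, probe count per IP, suspicious probes).

    A probe is 'suspicious' when the server did not answer 4xx: on a patched
    box these requests should always fail, so a 200 or 500 deserves a look.
    """
    clean, probes, suspicious = [], Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: leave it for manual inspection
        if is_worm_probe(rec["path"]):
            probes[rec["ip"]] += 1
            if not 400 <= rec["status"] < 500:
                suspicious.append(rec)
        else:
            clean.append(rec)
    return clean, probes, suspicious


if __name__ == "__main__":
    clean, probes, suspicious = triage(LOG_SAMPLE)
    print(f"{len(clean)} genuine requests kept for analysis")
    for ip, n in probes.most_common():
        print(f"{ip}: {n} worm probes")
    for rec in suspicious:
        print(f"CHECK: {rec['ip']} got {rec['status']} for {rec['path']}")
```

Feed the script your real log instead of LOG_SAMPLE and the clean list is what goes into the stats; the per-IP counter is handy when talking to the host about blocking, and the suspicious list is the one output worth reading line by line.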

Brett_Tabke

12:10 am on Jan 21, 2002 (gmt 0)

There are quite a few infected boxes out there yet. Part of the problem is you can't tell whether it is an infected box, or just someone running their own version of nimda looking for holes.