Strange IP and request on web log

Is it legit? Am I being attacked?

         

cybertime

1:18 am on Mar 16, 2004 (gmt 0)

10+ Year Member



I noticed the following in my access log and was wondering if the IP and activity are legit.

64.3.35.6 [15/Mar/2004:02:13:30 GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir

and

<IP Address> [08/Mar/2004:00:56:53 GET /default.ida?<lots of x x x x's and junk code>u00=a HTTP/1.0--

Thanks.

[edited by: Woz at 2:18 am (utc) on Mar. 16, 2004]
[edit reason] Shortened example referral [/edit]

encyclo

1:30 am on Mar 16, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's the Nimda or Code Red worm (I can't remember which). You're not being targeted - the worm throws out connections to random IP addresses.

If you're on a Linux server, no worries. If you're on a Windows 2000 server, make sure you have the latest patches. For most people now, these worms are just background noise.

globay

1:36 am on Mar 16, 2004 (gmt 0)

10+ Year Member



This indicates that you are targeted by the Code Red II worm. Unless you are using an IIS Web Server, you should be safe.

cybertime

1:48 am on Mar 16, 2004 (gmt 0)

10+ Year Member



Thank you for the quick response.

I am relieved and glad that I am on Linux.
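As an added example (not part of the original thread), a small Python filter that flags the two request shapes quoted in the first post, decoding repeatedly so the double-encoded `%255c` is seen as a backslash. The log layout, sample lines, IP addresses, labels and the 100-character query threshold are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log layout: "<ip> [<timestamp> <METHOD> <request-target> ..."
LINE_RE = re.compile(r'^(\S+)\s.*?(?:GET|HEAD|POST)\s+(\S+)')
MIN_IDA_QUERY = 100  # assumed threshold for an abnormally long .ida query

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable, so %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(target):
    """Label a request target that matches a known IIS probe shape, else None."""
    path, _, query = target.partition('?')
    # Treat backslashes as path separators, as the Windows target would.
    norm = fully_decode(path).replace('\\', '/').lower()
    if '..' in norm and norm.endswith('/cmd.exe'):
        return 'cmd.exe traversal'
    if norm.endswith('/default.ida') and len(query) >= MIN_IDA_QUERY:
        return 'default.ida long query'
    return None

def scan(lines):
    """Return (source_ip, label) for every flagged log line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        label = classify(m.group(2)) if m else None
        if label:
            hits.append((m.group(1), label))
    return hits

# Constructed sample lines modelled on the two entries in the first post.
SAMPLE_LOG = [
    '192.0.2.10 [15/Mar/2004:02:13:30 GET '
    '/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir',
    '192.0.2.20 [08/Mar/2004:00:56:53 GET /default.ida?' + 'X' * 224 + 'u00=a HTTP/1.0',
    '192.0.2.30 [08/Mar/2004:01:02:03 GET /index.html HTTP/1.0',
]

if __name__ == '__main__':
    for ip, label in scan(SAMPLE_LOG):
        print(ip, label)
```

On a non-IIS server these hits can be counted or filtered out of reports rather than investigated one by one.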