202.9.178.30 - - [10/Oct/2002:16:51:53 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 403 -
Is this malicious? If so, what do you recommend?
Concerned
I get thousands of these per week on my sites. This is a Code Red or Nimda-infected machine trying to access your web server and propagate itself. The 403 response indicates that you have successfully blocked the attempt. Since your server is Apache, it's not susceptible to these worms anyway.
Blocking any request for the file "cmd.exe" catches 95% of these accesses. The rest can also be blocked using mod_rewrite in .htaccess on Apache with something like this:
# Block MS IIS server security exploits
# (mod_rewrite must be enabled and allowed in .htaccess for these to take effect)
RewriteEngine On
# Code Red probes for the Index Server ISAPI filter
RewriteRule \.ida$ - [F]
# Nimda / Code Red II probes for command shells left on IIS hosts
RewriteRule /cmd\.exe$ - [F]
RewriteRule /root\.exe$ - [F]
RewriteRule /shell\.exe$ - [F]
# FrontPage extension directories
RewriteRule \_vti\_ - [F]
# Malformed requests whose path starts with "NULL" (case-insensitive)
RewriteRule ^NULL - [NC,F]
These cmd.exe accesses are more of a bother (bandwidth leak) than a worry on Apache.
Jim
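As an added illustration (not code from the thread), the script below applies the same match list as the .htaccess rules above to access-log lines and reports which probes got a 403 and which were actually served. It goes slightly beyond the rules by matching case-insensitively and by decoding the path twice, so double-encoded traversal like %255c is seen as the backslash it stands for. The log lines are constructed samples modelled on the one quoted in the question.

```python
import re
from urllib.parse import unquote
from collections import Counter

# Constructed sample Apache log lines (only the first mirrors the thread).
SAMPLE_LOG = """\
202.9.178.30 - - [10/Oct/2002:16:51:53 +0100] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 403 -
10.0.0.5 - - [10/Oct/2002:16:52:10 +0100] "GET /index.html HTTP/1.0" 200 1234
203.0.113.7 - - [10/Oct/2002:16:53:01 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
203.0.113.7 - - [10/Oct/2002:16:53:02 +0100] "GET /default.ida?XXXX HTTP/1.0" 403 -
198.51.100.9 - - [10/Oct/2002:16:54:00 +0100] "GET /_vti_bin/owssvr.dll HTTP/1.0" 200 99
"""

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Same targets as the mod_rewrite rules, applied to the decoded path.
WORM_PATTERNS = [
    ("ida", re.compile(r"\.ida$", re.I)),
    ("cmd", re.compile(r"/cmd\.exe$", re.I)),
    ("root", re.compile(r"/root\.exe$", re.I)),
    ("shell", re.compile(r"/shell\.exe$", re.I)),
    ("vti", re.compile(r"_vti_", re.I)),
]

def decode_path(request):
    """Extract the path from 'METHOD /path[?query] [HTTP/x]' and URL-decode it twice."""
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else parts[0]
    path = path.split("?", 1)[0]
    return unquote(unquote(path))  # second pass undoes %25xx double encoding

def classify(line):
    """Return a dict describing the hit if the line matches a worm pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("req"))
    for name, pat in WORM_PATTERNS:
        if pat.search(path):
            return {"ip": m.group("ip"), "status": int(m.group("status")), "rule": name, "path": path}
    return None

def summarize(log_text):
    """All worm hits in the log plus a Counter of their HTTP status codes."""
    hits = [h for h in (classify(l) for l in log_text.splitlines()) if h]
    return hits, Counter(h["status"] for h in hits)

def served(hits):
    """Hits answered with 2xx: the request was not rejected, so the rule set has a gap."""
    return [h for h in hits if 200 <= h["status"] < 300]
```

A 403 confirms the rule fired; a 404 means nothing was there to serve; a 2xx on one of these paths is the case worth following up.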
I'm sure the same is possible for Windows machines, but I understand that to be an extra-cost option,