httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ron Wingfield" <>
Subject Re: Apache\s Error log entry
Date Thu, 27 Jun 2002 12:35:17 GMT
Oops, I hit the send key before I finished the following message:
  ----- Original Message ----- 
  From: Ron Wingfield 
  Sent: Thursday, June 27, 2002 7:27 AM
  Subject: Re: Apache\s Error log entry

  Hello Tariq,

  Yes, I'm getting the same assult, seems like at least every twelve hours or so.  The thing
rattles around, groping through various path structures, etc., looking for something to exploit.
 I haven't done anything about it, yet, simply because our server doesn't contain any sensitive
information, . . .yet.

  Yesterday, someone posted this link,, for a possible retailation
to nimda.  I haven't taken a close look at the code, yet; probably, it could be modified to
include a defense to Code Red.

  To all list participants:  How prevalent is this problem?

  Ron W.
    ----- Original Message ----- 
    From: Boyle Owen 
    Sent: Thursday, June 27, 2002 3:22 AM
    Subject: RE: Apache\s Error log entry

    > From: Tariq Dalvi []
    > Hello 
    > I would like to know what this visiter is trying to as this errors are two to
    > three times a day, following entry I always find in error log.
    > - - [24/Jun/2002:06:41:54 +0530] "GET /scripts/..%%35%63
    > #../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294

    This is Code Red - a MS IIS worm. The remote machine is a web-server which is infected
by the worm and which is scanning the internet trying to infect other machines. It doesn't
do anything (except cause a 400 error) in an apache server. If you really want to, you could
track down the sys-admin for the remote site and tell him his server is infected.


    Owen Boyle

    To unsubscribe, e-mail:
    For additional commands, e-mail:

View raw message