7 Oct 2001 10:51
Actually this is an attempt to use the backdoor which is installed by CodeRed II. It copies the cmd.exe to the scripts directory as root.exe and, if the backdoor is active, allows someone to execute commands in this manner. 'dir' is just the common one given in examples on the web. This looks like some script kiddie playing and not a real hacker. A real hacker would know that you are running Linux and not infected with CodeRed II.
It's not even a script kiddie. The source host is infected by Nimda and it's doing its normal activity of scanning for new hosts to infect. You don't need to worry as you are not running IIS.

John
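An added example, not part of the original posts: a log check that separates a burst of `root.exe`/`cmd.exe` probes from one source (worm-style scanning, as the second reply describes) from a lone probe, and flags any probe the server actually answered with a 2xx. The log format (Apache common log), the sample lines and addresses, the burst threshold, the `cmd.exe` and `/MSADC/` request paths and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Oct/2001:10:40:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [07/Oct/2001:10:40:01 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
192.0.2.10 - - [07/Oct/2001:10:40:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [07/Oct/2001:10:42:13 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [07/Oct/2001:10:45:30 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})\b')
PROBE_RE = re.compile(r'/(root|cmd)\.exe$', re.IGNORECASE)


def decode(path):
    """Percent-decode repeatedly so double-encoded paths are normalised."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(log_text, burst_threshold=2):
    """Return {source_ip: verdict} for sources that requested the backdoor shell."""
    probes = defaultdict(set)  # source -> distinct probe paths seen
    served = set()             # sources whose probe got a 2xx response
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        path = decode(path)
        # A probe asks root.exe or cmd.exe to run a command via "/c+<command>".
        if PROBE_RE.search(path) and query.lower().startswith("/c+"):
            probes[src].add(path.lower())
            if status.startswith("2"):
                served.add(src)
    report = {}
    for src, paths in probes.items():
        if src in served:
            report[src] = "investigate: probe was served"
        elif len(paths) >= burst_threshold:
            report[src] = "automated scan"
        else:
            report[src] = "single probe"
    return report
```

On a server that is not running IIS every probe should come back as an error status; a 2xx on one of these paths is the case worth following up.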