Actually this is an attempt to use the backdoor which is installed by CodeRed II. It copies the cmd.exe to the scripts directory as root.exe and, if the backdoor is active, allows someone to execute commands in this manner. 'dir' is just the common one given in examples on the web. This looks like some script kiddie playing and not a real hacker. A real hacker would know that you are running Linux and not infected with CodeRed II.

10/06/01 02:02:30 PM, Rainer Link wrote:
On Sat, 6 Oct 2001, Rolf Klemenz wrote:
Does anybody know of the following attack? These are getting more and more, starting today...

:: Apache Access Log File ::
<cut>
212.25.83.251 - - [06/Oct/2001:20:36:05 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1438
[cut]

I'd say it's Nimda. But it's a worm and not new :-) See http://cert.uni-stuttgart.de/ticker/article.php?mid=480
best regards, Rainer Link
--
Rainer Link  | SuSE - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de  | Founder OpenAntiVirus Project (www.openantivirus.org)
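
An added example, not part of the original thread: a small Python triage script that picks the root.exe requests discussed above out of an Apache access log and separates rejected probes (such as the 404 in the quoted line) from requests the server actually answered. The log lines, the documentation-range addresses and the names `classify` and `summarize` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return (host, status, verdict) for a root.exe request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode %-escapes and ignore case before matching.
    path = unquote(urlsplit(m.group("target")).path).lower()
    if not path.endswith("/root.exe"):
        return None
    status = int(m.group("status"))
    # A 2xx status means the server served something at that path: look closer.
    verdict = "investigate" if 200 <= status < 300 else "probe-rejected"
    return m.group("host"), status, verdict

def summarize(lines):
    """Count verdicts per client host across an iterable of log lines."""
    counts = defaultdict(lambda: {"probe-rejected": 0, "investigate": 0})
    for line in lines:
        hit = classify(line)
        if hit:
            host, _status, verdict = hit
            counts[host][verdict] += 1
    return dict(counts)

# Constructed sample input (addresses are from the documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2001:20:36:05 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1438',
    '192.0.2.10 - - [06/Oct/2001:20:36:07 +0200] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [06/Oct/2001:21:02:11 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 812',
    '198.51.100.7 - - [06/Oct/2001:21:02:12 +0200] "GET /Scripts/ROOT.EXE?/c+dir HTTP/1.0" 404 1438',
]

if __name__ == "__main__":
    for host, verdicts in summarize(SAMPLE_LOG).items():
        print(host, verdicts)
```

On a Linux/Apache host like the one in the thread, every hit should come back as `probe-rejected`; an `investigate` entry means something was served at that path and the host deserves a closer look.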