hi list,

a few months ago i changed my website from microsoft iis to linux/apache.
the following line is in the access_log (same as in the iis-log):

213.168.123.157 - - [24/Jan/2002:20:47:25 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294

can anyone explain to me what's going on here?

thank you

Thomas Neukirch wrote:
hi list,
a few months ago i changed my website from microsoft iis to linux/apache.
the following line is in the access_log (same as in the iis-log):
213.168.123.157 - - [24/Jan/2002:20:47:25 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
can anyone explain to me what's going on here?

you can ignore that, it's a worm like nimda ... nothing interesting for you.

--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.

Hi Thomas,

be happy you've changed to Linux Apache. You seem to be scanned by a worm (the scans I recently have had were from Nimda) which tries to get into your system by calling cmd.com in different directories. As you're now running Linux you have nothing to worry about; this worm can only infect windoze-IIS-systems.

Stephan

-----Original Message-----
From: Thomas Neukirch [mailto:thomas.neukirch@dtvtabak.de]
Sent: Monday, 28 January 2002 14:38
To: suse-security@suse.com
Subject: [suse-security] apache log

hi list,
a few months ago i changed my website from microsoft iis to linux/apache.
the following line is in the access_log (same as in the iis-log):
213.168.123.157 - - [24/Jan/2002:20:47:25 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
can anyone explain to me what's going on here?
thank you
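
Added example, not part of any message in this thread: a small Python filter that parses access_log lines like the one Thomas quoted, percent-decodes the request path until it stops changing (`%%35c` becomes `%5c` after one pass and `\` after a second), and reports why the request looks like a probe aimed at IIS. The names `classify` and `decode_fully`, the decoding cap and the 192.0.2.x log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')   # "../" or "..\" after decoding
MAX_ROUNDS = 5                            # assumption: cap on repeated decoding

def decode_fully(path):
    """Percent-decode until the string stops changing; return (path, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    host, method, target, status = m.groups()
    path, rounds = decode_fully(target.split("?", 1)[0])
    reasons = []
    if rounds > 1:
        reasons.append("path percent-encoded more than once")
    if TRAVERSAL_RE.search(path):
        reasons.append("directory traversal sequence")
    if path.lower().endswith("cmd.exe"):
        reasons.append("requests Windows cmd.exe")
    return {"host": host, "status": int(status), "path": path,
            "rounds": rounds, "reasons": reasons}

SAMPLE_LOG = [
    # line quoted in the thread
    r'213.168.123.157 - - [24/Jan/2002:20:47:25 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294',
    # constructed benign lines (documentation address range)
    r'192.0.2.10 - - [24/Jan/2002:20:50:01 +0100] "GET /index.html HTTP/1.0" 200 1043',
    r'192.0.2.11 - - [24/Jan/2002:20:51:12 +0100] "GET /docs/my%20file.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        finding = classify(entry)
        if finding and finding["reasons"]:
            print(finding["host"], finding["status"], finding["path"], finding["reasons"])
```

The 400 status in the quoted line shows Apache rejected the malformed request, so a filter like this is useful for counting and suppressing such noise rather than for finding a compromise.
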

participants (3)
- OKDesign oHG Security Administrator
- Sven Michels
- Thomas Neukirch