What you are seeing when you see something like:
www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:16 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
is actually a Nimda attack from 24.55.72.6. It is an infected webserver that is actively scanning for other hosts to infect. SME & Apache are not vulnerable to this exploit; I don't imagine the fact that http has stopped has anything to do with the Nimda scanning. I get over 8000 scans a week!
I would just reboot the server and make sure httpd restarts on reboot. There is a command to restart httpd without rebooting, but I don't have it handy...
Terry
Bobby wrote:
>
> Seems one of my clients has been hit by hackers or at least
> a malicious wannabe.
>
> A lot of entries in the logs showing attempts to reach things
> like cmd.exe and root.exe. I figure they are trying to
> exploit Micro$oft IIS.
>
> Problem is that now the web server does not work. No
> webmail, no web site, no http://host/server-manager (Server
> manager still works on port 980). Just get "HTTP 500 -
> Internal server error" when trying to access anything.
>
> Any ideas where to look to fix such an issue?
>
> Cheers.
>
> /B
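
Added example, not part of the original posts: a Python sketch that counts probes like the ones in the log lines above per source address and separates plain 404 noise from requests the server answered with some other status. The regex assumes the vhost-prefixed log format quoted in the reply; the function name `summarize`, the last two sample lines, and the "anything other than 404 deserves a look" triage rule are assumptions made for the example.

```python
import re
from collections import defaultdict

# Vhost-prefixed combined log format, as in the lines quoted in the reply.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)
# Probe signature: only the root.exe / cmd.exe requests shown on this page.
PROBE_RE = re.compile(r'/(?:root|cmd)\.exe(?:\?|$)', re.IGNORECASE)

# First three lines are from the post; the last two are constructed for this
# example (documentation address ranges, hypothetical vhost).
SAMPLE = [
    'www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:16 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    'www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"',
    'www.brummell.net 24.55.72.6 - - [10/Feb/2002:06:58:20 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"',
    'www.example.test 192.0.2.10 - - [10/Feb/2002:07:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
    'www.example.test 203.0.113.5 - - [10/Feb/2002:07:03:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 500 612 "-" "-"',
]


def summarize(lines):
    """Return {source_ip: {"probes": n, "answered": [(path, status), ...]}}."""
    hits = defaultdict(lambda: {"probes": 0, "answered": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not PROBE_RE.search(m["path"]):
            continue  # unparsable line or an ordinary request
        entry = hits[m["ip"]]
        entry["probes"] += 1
        # A 404 means the file was not there; any other status means the
        # server handled the request differently and is worth reviewing.
        if m["status"] != "404":
            entry["answered"].append((m["path"], int(m["status"])))
    return dict(hits)


if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE).items()):
        flag = "CHECK" if info["answered"] else "noise"
        print(f"{ip:15} probes={info['probes']:3} {flag} {info['answered']}")
```
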