Koozali.org: home of the SME Server

What has happened?

Danny Wong

What has happened?
« on: January 14, 2003, 08:42:31 AM »
My HTTPD error log is full of these.  

[Mon Jan 13 16:51:24 2003] [error] [client 67.40.2.115] File does not exist: /home/e-smith/files/primary/html/scripts/..Á../winnt/system32/cmd.exe

Does anyone know if this is a worm attack, or just some fool wishing I had a vulnerable windows machine, or what?

Thomas Kristensen

Re: What has happened?
« Reply #1 on: January 14, 2003, 09:57:59 AM »
The line shows an attack by the Nimda virus; it is safe to ignore it...

Hope this helps,
Thomas Kristensen

Bill Talcott

Re: What has happened?
« Reply #2 on: January 14, 2003, 05:46:36 PM »
http://myezserver.com/downloads/mitel/contrib/apache-hits/ is a script that will parse your log files and show how many times your server has been scanned for Nimda and CodeRed. You can see ours at http://www.chrouch.com/worms/ if you're interested.
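A small version of the kind of log scan described above, as an added example that is not part of the original thread and is not the apache-hits script. The signature patterns, the function names and every sample line except the first (which is the line from the opening post) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed signatures: Nimda probes request cmd.exe or root.exe,
# Code Red requests /default.ida. Only the logged path is matched.
SIGNATURES = [
    ("Nimda", re.compile(r"/(?:cmd|root)\.exe\b", re.I)),
    ("CodeRed", re.compile(r"/default\.ida\b", re.I)),
]
# Apache error_log line (format of the opening post) and access_log line.
ERROR_RE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<ip>[^\]]+)\] .*?: (?P<path>/\S+)")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)')

def classify(line):
    """Return (client_ip, worm_name) for a probe line, else None."""
    m = ERROR_RE.match(line) or ACCESS_RE.match(line)
    if not m:
        return None
    for name, sig in SIGNATURES:
        if sig.search(m.group("path")):
            return m.group("ip"), name
    return None

def summarize(lines):
    """Map worm name -> (probe count, distinct source addresses)."""
    hits, sources = Counter(), {}
    for line in lines:
        result = classify(line)
        if result:
            ip, name = result
            hits[name] += 1
            sources.setdefault(name, set()).add(ip)
    return {name: (hits[name], len(sources[name])) for name in hits}

# Line 1 is from the opening post (\u00c1 is the logged "Á"); the rest are constructed.
DOCROOT = "/home/e-smith/files/primary/html"
SAMPLE = [
    "[Mon Jan 13 16:51:24 2003] [error] [client 67.40.2.115] File does not exist: "
    + DOCROOT + "/scripts/..\u00c1../winnt/system32/cmd.exe",
    '192.0.2.10 - - [13/Jan/2003:16:52:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285',
    '192.0.2.10 - - [13/Jan/2003:16:52:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295',
    '192.0.2.20 - - [13/Jan/2003:17:03:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 280',
    '192.0.2.30 - - [13/Jan/2003:17:05:10 -0500] "GET /index.html HTTP/1.1" 200 1043',
    "[Mon Jan 13 17:05:11 2003] [error] [client 192.0.2.30] File does not exist: "
    + DOCROOT + "/favicon.ico",
]

if __name__ == "__main__":
    for name, (count, ips) in summarize(SAMPLE).items():
        print(f"{name}: {count} probes from {ips} address(es)")
```

`summarize` accepts any iterable of lines, so an open log file can be passed in place of `SAMPLE`.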

Brian Read

Re: What has happened?
« Reply #3 on: January 15, 2003, 02:16:25 PM »
I run this and get "cannot find access log".

I checked the PHP, and also my server (5.5u2), and the path is correct.

Any ideas?

Brian

Jens Kruuse

Re: What has happened?
« Reply #4 on: January 15, 2003, 06:13:52 PM »
Does your webserver user (www) have read access to the logfile?

Brian Read

Re: What has happened?
« Reply #5 on: January 16, 2003, 08:35:28 AM »
Here's the relevant info:

[root@server01 httpd]# ls -l access_log
lrwxrwxrwx    1 root     root           25 Jan 15 01:12 access_log -> access_log.20030115011203
[root@server01 httpd]# ls -l access*
lrwxrwxrwx    1 root     root           25 Jan 15 01:12 access_log -> access_log.20030115011203
-rw-r--r--    1 root     root        81589 Dec 14 21:29 access_log.20021208011204
-rw-r--r--    1 root     root        96745 Dec 21 08:39 access_log.20021215011203
-rw-r--r--    1 root     root        64286 Dec 28 20:21 access_log.20021222011203
-rw-r--r--    1 root     root        38788 Dec 31 15:00 access_log.20021229011200
-rw-r--r--    1 root     root       161770 Jan  7 17:52 access_log.20030101011203
-rw-r--r--    1 root     root       118149 Jan 14 23:00 access_log.20030108011202
-rw-r--r--    1 root     root        31477 Jan 16 04:52 access_log.20030115011203
[root@server01 httpd]#

Cheers

Brian