Does this mean somebody is trying to hack my website?

gopunk

Lifer
Jul 7, 2001
if my logs show a bunch of entries of someone trying to access cmd.exe and root.exe (they keep on getting 404's though)?

one such entry:

"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
 

N8Magic

Lifer
Dec 12, 2000
Originally posted by: gopunk
if my logs show a bunch of entries of someone trying to access cmd.exe and root.exe (they keep on getting 404's though)?

one such entry:

"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"

Looks pretty suspicious to me! :Q
 

gopunk

Lifer
Jul 7, 2001
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"

those are two other ones.. there are like 20 of these things.
 

SyahM

Golden Member
Nov 6, 2001
I believe some of the ads/pop-ups are trying to execute those files. Could be harmful and could be not. On my machine, I redirect all known ad IP addresses to a local IP, so in my Apache logs, there are tons of errors about file not found. If you have configured your webserver correctly and safely, I think there's nothing to worry lah ...
 

gopunk

Lifer
Jul 7, 2001
ah, i think i have the answer, my host tech support emailed back and here is what they said:

These are from all the NT viruses out there looking for hosts to infect. Luckily since we have Unix based servers this is the only impact - strange log entries. The viruses do not harm our systems.
 

dawks

Diamond Member
Oct 9, 1999
That's the IIS exploit 'Code Red' (or so I've been told)

The virus went around last year infecting hundreds of thousands of servers. You're only at risk if you're running IIS. But if you have all the latest patches, you should be safe. Make sure you have this if you're running IIS.

In most cases, the owners of the computers sending those 'hack attempts' don't even know what's going on. You can do two things: ignore them, or track down their ISP and send a sample of the attack from the log, including their IP address, and hope that their ISP will notify them and tell them how to fix it.

Again.. Apache is not affected. Nor are non-windows machines.
 

AdamDuritz99

Diamond Member
Mar 26, 2000
Originally posted by: gopunk
ah, i think i have the answer, my host tech support emailed back and here is what they said:

These are from all the NT viruses out there looking for hosts to infect. Luckily since we have Unix based servers this is the only impact - strange log entries. The viruses do not harm our systems.
:Q
Thank god i use Redhat. :)

peace
sean
 

SyahM

Golden Member
Nov 6, 2001
Originally posted by: gopunk
ah, i think i have the answer, my host tech support emailed back and here is what they said:
These are from all the NT viruses out there looking for hosts to infect. Luckily since we have Unix based servers this is the only impact - strange log entries. The viruses do not harm our systems.


wahh .. thank god i use apache. Well, i guess i have to start tracking them down and email ISP then. Got tons of those! fhewww!
 

Mucman

Diamond Member
Oct 10, 1999
gopunk - You should ask them if they run UrlScan. It's a handy utility that we use and blocks all of those attempts and also cleans the logs so they don't show up anymore.
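For anyone triaging the same kind of entries, here is an added example (not code from any poster in this thread) that tags the probe patterns visible in the log lines quoted above and lists any flagged request that was answered with something other than an error. The signature names, function names and the one benign sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Request path and status as they appear in the quoted entries. search() is
# used so a leading client IP and timestamp, when present, are simply skipped.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Hypothetical signature names; the patterns come from the entries in the thread.
SIGNATURES = {
    # cmd.exe or root.exe requested as the target
    "windows-shell-target": re.compile(r"/(?:cmd|root)\.exe", re.I),
    # 0xC0 / 0xC1 never occur in well-formed UTF-8; here they hide a separator
    "invalid-utf8-lead-byte": re.compile(r"%c[01]%[0-9a-f]{2}", re.I),
    # %255c decodes to %5c, which decodes again to a backslash
    "double-encoded-separator": re.compile(r"%25(?:5c|2f)", re.I),
}

def classify(line):
    """Return (matched signature names, HTTP status), or None if unparseable."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    path = m.group("path")
    tags = [name for name, rx in SIGNATURES.items() if rx.search(path)]
    return tags, int(m.group("status"))

def summarize(lines):
    """Count hits per signature and collect flagged requests that got a non-error reply."""
    counts, answered = Counter(), []
    for line in lines:
        result = classify(line)
        if result is None or not result[0]:
            continue
        tags, status = result
        counts.update(tags)
        if status < 400:  # a 2xx/3xx on one of these paths needs a closer look
            answered.append(line)
    return counts, answered

# First three lines are the entries quoted in the thread; the last is constructed.
SAMPLE_LOG = [
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"',
    '"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"',
    '"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"',
    '"GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    counts, answered = summarize(SAMPLE_LOG)
    print(dict(counts), "answered without error:", len(answered))
```

An empty "answered" list matches what the thread describes: every probe was rejected with a 404.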