Web Hosting Talk

Hey am I being hacked or tried ?


daretosucced
11-04-2001, 09:26 AM
My only site on one of my Cobalt RaQ4i servers is barely visited.
And I don't have any files like this available for download...
but the logs show:


Most Downloaded Files
Rank# File Hits Incomplete requests Data Transfered(KB)
1 /scripts/root.exe 441 0 96
2 /MSADC/root.exe 419 0 90
3 /c/winnt/system32/cmd.exe 405 0 91
4 /d/winnt/system32/cmd.exe 397 0 89
5 /scripts/..%255c../winnt/system32/cmd.exe 390 0 92
6 /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 382 0 95
7 /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 378 0 94
8 /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 373 0 103
9 /scripts/..%c1%1c../winnt/system32/cmd.exe 373 0 90
10 /scripts/..%c0%2f../winnt/system32/cmd.exe 371 0 233
11 /scripts/..%c0%af../winnt/system32/cmd.exe 370 0 89
12 /scripts/..%c1%9c../winnt/system32/cmd.exe 368 0 89
13 /scripts/..%25%35%63../winnt/system32/cmd.exe 365 0 86
14 /scripts/..%252f../winnt/system32/cmd.exe 363 0 86
15 /robots.txt 36 0 18
16 /scripts/..%255c%255c../winnt/system32/cmd.exe 2 0 0
17 /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe 1 0 0


What the hell is this >>>>????

carpman
11-04-2001, 09:32 AM
Code Red or Nimda, safe if you aren't Microsoft :)


Originally posted by daretosucced
My only site on one of my Cobalt RaQ4i servers is barely visited.
And I don't have any files like this available for download...
but the logs show:


Most Downloaded Files
Rank# File Hits Incomplete requests Data Transfered(KB)
1 /scripts/root.exe 441 0 96
2 /MSADC/root.exe 419 0 90
3 /c/winnt/system32/cmd.exe 405 0 91
4 /d/winnt/system32/cmd.exe 397 0 89
5 /scripts/..%255c../winnt/system32/cmd.exe 390 0 92
6 /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 382 0 95
7 /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 378 0 94
8 /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 373 0 103
9 /scripts/..%c1%1c../winnt/system32/cmd.exe 373 0 90
10 /scripts/..%c0%2f../winnt/system32/cmd.exe 371 0 233
11 /scripts/..%c0%af../winnt/system32/cmd.exe 370 0 89
12 /scripts/..%c1%9c../winnt/system32/cmd.exe 368 0 89
13 /scripts/..%25%35%63../winnt/system32/cmd.exe 365 0 86
14 /scripts/..%252f../winnt/system32/cmd.exe 363 0 86
15 /robots.txt 36 0 18
16 /scripts/..%255c%255c../winnt/system32/cmd.exe 2 0 0
17 /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe 1 0 0


What the hell is this >>>>????

daretosucced
11-04-2001, 09:43 AM
Am I safe?
What shall I do to stop it?

LinuxGroup
11-04-2001, 09:50 AM
You could use .htaccess to block requests from that IP address. I'm not sure how to do that off hand though. Anyone remember?

RackMy.com
11-04-2001, 09:58 AM
If you do a search, someone had a really great idea how to block it dynamically in Linux. It was a couple months ago.

MaB
11-04-2001, 10:16 AM
Ya, we get probed for /scripts all the time; we just make ipchains rules against the IP for temporary relief :) (Get the IPs from the error log file)

# Start from a clean slate: flush all rules, delete every user-defined chain
# (-X with no argument; the built-in input/output chains cannot be deleted)
# and set both built-in chains back to a default of ACCEPT
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
# Deny traffic from and to each probing address; replace IP1 and IP2 with
# the addresses taken from the error log
/sbin/ipchains -A input -s IP1 -j DENY
/sbin/ipchains -A output -d IP1 -j DENY
/sbin/ipchains -A input -s IP2 -j DENY
/sbin/ipchains -A output -d IP2 -j DENY

BUT you lose that when you reboot; you may want to run the command and then insert it into /etc/rc.d/rc.local in case you have a static IP guy :)

carpman
11-04-2001, 10:30 AM
There is a script on vbulletin.org that you put in the 404 page which recognises the worm and immediately stops further service processing for this hit; it only works if the 404 file is a PHP file though.

Do a search for worm and you will find it.


Have not tried it as I use cPanel and that uses shtml for 404 pages.

bitserve
11-04-2001, 12:15 PM
We use a rewrite rule in Apache that sends them to a CGI that adds their IP address to the firewall.

You only need an input deny rule by the way.
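A concrete version of what MaB and bitserve describe (pull the probing IPs out of the web log, then deny them with an input rule), written as an added example rather than code from either poster: it parses constructed Apache access-log lines for the encoded cmd.exe / root.exe probe paths shown in the report above, counts them per client IP and emits one ipchains input DENY rule per offender. The log lines, the regexes and the function names are my assumptions.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample access-log lines (Apache common log format) using the
# probe paths quoted in the thread; the client IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Nov/2001:09:01:12 +0000] "GET /scripts/root.exe HTTP/1.0" 404 207
192.0.2.10 - - [04/Nov/2001:09:01:13 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 207
198.51.100.7 - - [04/Nov/2001:09:02:40 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 207
203.0.113.5 - - [04/Nov/2001:09:03:01 +0000] "GET /index.html HTTP/1.0" 200 1530
203.0.113.5 - - [04/Nov/2001:09:03:02 +0000] "GET /robots.txt HTTP/1.0" 200 18
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Signatures seen in the thread's report: the worm's dropped root.exe, cmd.exe,
# and ".." followed by a separator or by an overlong-UTF-8 lead byte (0xC0/0xC1).
PROBE_RE = re.compile(r'(root\.exe|cmd\.exe|\.\.[/\xc0\xc1])')

def normalise(path):
    """Percent-decode twice so double-encoded %255c becomes a backslash, using
    latin-1 so the overlong bytes in %c0%af / %c1%1c / %c1%9c survive as raw
    bytes instead of being mangled into U+FFFD; then fold case and slashes."""
    for _ in range(2):
        path = urllib.parse.unquote(path, encoding='latin-1')
    return path.lower().replace('\\', '/')

def is_worm_probe(path):
    """True when a request path matches the Code Red / Nimda probe patterns."""
    return bool(PROBE_RE.search(normalise(path)))

def probing_ips(log_text, min_hits=1):
    """Count probe requests per client IP; return {ip: hits} at or above min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_worm_probe(m.group('path')):
            hits[m.group('ip')] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def deny_rules(ips):
    """One ipchains input DENY rule per IP; as bitserve notes, an input rule
    alone is enough, so no matching output rule is generated."""
    return ['/sbin/ipchains -A input -s %s -j DENY' % ip for ip in sorted(ips)]
```

Raising min_hits avoids blocking a client that tripped the pattern once, which matters given Domenico's point that the source may be an infected customer rather than an attacker.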

Domenico
11-05-2001, 06:11 AM
Originally posted by bitserve
We use a rewrite rule in Apache that sends them to a CGI that adds their IP address to the firewall.

You only need an input deny rule by the way.


This could also be a client of yours who is infected and doesn't know it yet. Now you've blocked him from your site/server ;-)