Web Hosting Talk







View Full Version : Is someone trying to hack me?


morphinelips
03-29-2002, 09:57 PM
I looked at the error logs for my site ( http://www.highboard.com , hosted on site5.com ) and happened to notice that one IP address had seen errors like this:

/home/highboar/public_html/scripts/..À¯../winnt/system32/cmd.exe

about 10 consecutive times within the space of about a minute. It looks suspicious to me, but then I really don't know what it is...

any ideas?

Lats
03-29-2002, 10:06 PM
If you're on a linux box, there is no need to worry.

Had a heap of those myself, it's just the 'script kiddies' trying to find something open.


Lats...

ToastyX
03-29-2002, 10:33 PM
It's not script kiddies. It's either the Code Red or NIMDA worm trying to propagate. The people that are affected usually don't know their computer is infected and are not trying to intentionally do any damage. This only affects some versions of IIS, so if you're on a UNIX or Linux server, there's nothing to worry about. Just ignore it.

phpjames
03-29-2002, 10:33 PM
Err... No I think that is the code red virus or nimda. Search the forum for cmd.exe or code red or nimda. You will find similar results.

NightMan
03-30-2002, 03:24 AM
Yes, it's NIMDA worm as ToastyX said. If you are in UNIX/LINUX then don't worry, but it is really annoying when you see lots of attempts made to infect the server.

terrastudios
03-30-2002, 06:08 AM
Yep @ a virus trying to propagate.

Basically this exploits a big dumb ass security hole that Microsoft left in IIS for many many versions... you can access any file on the computer by doing the 'root exploit' (don't know what it's called under M$-oses so I'll use the Linux term).

So all you NT-hosters beware!!! And move to some sort of *nix host today and sleep more soundly at night :stickout :

Maniac
03-30-2002, 11:25 PM
Yes that is Nimda as everyone said. Don't worry if you're on Unix/Linux. Never got into our Windows servers :cool:

netguy
04-01-2002, 03:59 PM
I have these on my site too .. it's annoying as hell. I was actually thinking of creating a small script in that particular location to send something NICE to the user :)

regards,
n.

Maniac
04-01-2002, 04:21 PM
Originally posted by netguy
I have these on my site too .. it's annoying as hell. I was actually thinking of creating a small script in that particular location to send something NICE to the user :)

regards,
n.

haha, what did you have in mind?

Synergy
04-01-2002, 06:04 PM
How come everyone makes worms and virii to infect microsoft's software :)

netguy
04-01-2002, 06:50 PM
hmm .. how about take the IP of the user, do an nmap on it, display the results to the guy trying .. so he gets a message like


hello dear.
you are trying to hack me but you have these ports open :)

regards,
n.

Maniac
04-01-2002, 06:54 PM
haha

JDF
04-01-2002, 08:25 PM
Originally posted by netguy
hmm .. how about take the IP of the user, do an nmap on it, display the results to the guy trying .. so he gets a message like


hello dear.
you are trying to hack me but you have these ports open :)

regards,
n.

That's missing the whole point! This is a self propagating WORM.. re-read ToastyX's post. Perhaps something like:

To whom it may concern:

Your server is infected with Code Red / Nimda!

http://linktopatch.microsoft.com

....

Maniac
04-03-2002, 09:01 PM
JDF, that link does not work. Thought I'd tell you..

ToastyX
04-03-2002, 09:18 PM
My goodness! You're so literal. :) He just used that as an example address.

MGCJerry
04-03-2002, 09:23 PM
I hate those too, they really piss me off while I'm manually scanning my logs ;)

I got a filler file named "cmd.exe" and "default.ida" (chmod 644) on my server and it says "This isn't what you're looking for is it?"

Serving 49 bytes is a lot more efficient than serving my dynamic 404 pages over and over IMO.

I want to try to write a php script or do something with htaccess, (if possible) that if a specific file is requested, it shows a special 'error' page. ;)

just my senseless rambling :)
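
A log triage sketch for the probes discussed in this thread, as an added example that is not part of any poster's message: it normalizes the `..À¯..` sequence (bytes 0xC0 0xAF, an overlong UTF-8 encoding of `/`) and separates `cmd.exe` and `default.ida` probes from the errors still worth reading by hand. The log lines, paths and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in Apache error_log style; addresses are documentation ranges.
PREFIX = "[Fri Mar 29 21:40:01 2002] [error] [client {}] File does not exist: {}"
SAMPLE_LOG = [
    PREFIX.format("192.0.2.10", "/home/example/public_html/scripts/..\u00c0\u00af../winnt/system32/cmd.exe"),
    PREFIX.format("192.0.2.10", "/home/example/public_html/scripts/..%c0%af../winnt/system32/cmd.exe"),
    PREFIX.format("198.51.100.7", "/home/example/public_html/default.ida"),
    PREFIX.format("203.0.113.5", "/home/example/public_html/images/logo.gif"),
]

LINE_RE = re.compile(r"\[client (?P<ip>[^\]]+)\] File does not exist: (?P<path>.+)$")
# Overlong two-byte UTF-8 encodings of "/" and "\" as they look when read as Latin-1.
OVERLONG = {"\u00c0\u00af": "/", "\u00c1\u009c": "\\"}

def normalize(path):
    """Undo percent-encoding and overlong slashes so '..À¯..' reads as '../..'."""
    raw = unquote_to_bytes(path.encode("latin-1", "replace"))
    text = raw.decode("latin-1")
    for seq, repl in OVERLONG.items():
        text = text.replace(seq, repl)
    return text.replace("\\", "/").lower()

def classify(path):
    """Label a requested path as a known probe, or return None."""
    p = normalize(path)
    name = p.rsplit("/", 1)[-1].split("?", 1)[0]
    if name == "cmd.exe" and "../" in p:
        return "cmd.exe traversal probe"
    if name == "default.ida":
        return "default.ida probe"
    return None

def triage(lines):
    """Return (probe counts per (ip, kind), lines left for a human to read)."""
    probes, remaining = Counter(), []
    for line in lines:
        m = LINE_RE.search(line)
        kind = classify(m.group("path")) if m else None
        if kind:
            probes[(m.group("ip"), kind)] += 1
        else:
            remaining.append(line)
    return probes, remaining

if __name__ == "__main__":
    probes, remaining = triage(SAMPLE_LOG)
    for (ip, kind), n in sorted(probes.items()):
        print(f"{ip}\t{kind}\t{n}")
    print(f"{len(remaining)} line(s) left to review")
```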