
Exploit? All access_logs contains ../winnt/system32/cmd.exe?/c+dir


133tcamel

Programmer
Sep 22, 2002
137
IN
Hi,
I was viewing access logs for some of my domains hosted on different servers running Apache. To my amazement, the access_log for every domain contains multiple entries that look like this:

Code:
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0

Two of these domains haven't even been publicized (since we're not done working on the content), so there shouldn't be any traffic, and still I found repeated access entries like the one I've shown above. Is this some kinda Apache exploit somebody is trying on my server? Or is it some poorly written search bot (or a site like intersteer.com) trying to find out something?

Do you know anything about this?

---
cheers!
san


"The universe has been expanding, and Perl's kind of been expanding along with the universe" - Larry Wall
 
I'm pretty sure what you're seeing is Code Red scans. Nothing to worry about on a *unix/apache box.
 
Thanks guys! Great to hear that it's harmless :)

BTW I know it's the wrong forum, but just curious if IIS can be infected like this? I mean, all the worm is trying to do is GET a file? If you can infect a web server by simply GETing a file from it, then that's pretty pathetic :/

---
cheers!
san
 
I believe the GET is just the first step. If that succeeds it will go further than that.
 
"You can block them using Apache directives or firewall reconfiguration."

How do you block them? I'm on an XP platform. They are very annoying when you look through your access logs.
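
One way to pull requests like the one in the first post out of an Apache access log, count them per client, and confirm the server refused them. This is an added example, not code from any poster in the thread; the function names, sample log lines and addresses are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Windows paths named in the request from the first post
TARGET_RE = re.compile(rb'cmd\.exe|/winnt/|/system32/', re.I)

def is_probe(raw_path):
    """True if the request climbs directories toward a Windows system path."""
    decoded = unquote_to_bytes(raw_path)   # %c1%1c becomes raw bytes, not text
    return b'..' in decoded and bool(TARGET_RE.search(decoded))

def triage(lines):
    """Return (probe count per client, probe lines that did not get a 4xx reply)."""
    per_client, answered = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a parsable access_log line
        host, _method, path, status = m.groups()
        if is_probe(path):
            per_client[host] += 1
            if not status.startswith('4'):  # anything but a refusal deserves a look
                answered.append(line)
    return per_client, answered

# Constructed sample lines using documentation addresses, not real log data.
# The last line has a 200 status only to exercise the "answered" check.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2003:10:01:02 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '192.0.2.10 - - [01/Jan/2003:10:01:03 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '198.51.100.7 - - [01/Jan/2003:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2003:10:06:00 +0000] "GET /docs/../images/logo.gif HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Jan/2003:10:07:00 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    clients, answered = triage(SAMPLE)
    for host, count in clients.most_common():
        print(f"{host}: {count} probe request(s)")
    print("probes answered with a non-4xx status:", len(answered))
```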
 