Gosh! Should I be worried?

Status
Not open for further replies.

Guest_imported

194.182.228.5 - - [03/Nov/2001:12:49:13 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292

Something I found in my access log. Hundreds of others trying to get into my files!
I DNS-traced this to "bibliotek.hgmf.dk". Can I do something about it?
 
No - I don't think there's too many of us that don't have that going on. The only way to get rid of it is to shut down ALL Windoze servers. If you look at your error logs you will see that this has been going on for many months. If you are running Apache on a Linux platform - no problemo. If you're running Windows stuff, it's more than likely your server is part of the problem. The virus gets into NT servers and gives itself root access, then attacks the e-mail system and replicates itself. It gets the server to do the same thing you are seeing in your logs. A closer look will show you that it's not just a few IPs. It's millions of them. They try for a while then move on, but another one takes its place. I think I saw a place on Microsoft's web site with fixes. But until they kill this thing the rest of us have to put up with this flooding our logs. There are ways to filter these out, but it doesn't stop the problem.
 
Hi,

This is just evidence of script kiddies trying to exploit vulnerabilities on M$ platforms by probing for IIS vulnerabilities. What it's trying to do is call 'cmd.exe' on the target machine with whatever parameters are provided to do some kind of nefarious activities. If it's just a 'dir' then it's only a test to see if that particular box is vulnerable to the exploit.

As RhythmAce says, if you're running Apache on a unix / linux platform then there is no 'cmd.exe' binary to run and it's just an irritation filling up the logs. However, if you are running Apache on win32 there would be a theoretical exposure because the cmd.exe is there - you are reliant on the integrity of Apache. Nonetheless, I don't believe any such exploits have been achieved against Apache even on win32. For known security exposures see -->
Hope this helps
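
Added example, not part of any post in this thread: a small triage script for the kind of log entry quoted above. It percent-decodes each request target until it stops changing (the `%%35%63` in the quoted line becomes `%5c`, then a backslash), flags traversal and `cmd.exe` requests, and lists any probe the server did not answer with an error status. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "METHOD target proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3}) \S+$')
TRAVERSAL = re.compile(r'\.\.[\\/]')           # ../ or ..\ once decoded
SHELL = re.compile(r'cmd\.exe', re.IGNORECASE)

def fully_decode(target, max_rounds=5):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target, encoding="latin-1")
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(line):
    """Parse one log line; return None if it is not in common log format."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, target, status = m.groups()
    decoded, rounds = fully_decode(target)
    reasons = []
    if rounds > 1:
        reasons.append("multi-encoded")        # needed more than one decoding pass
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    if SHELL.search(decoded):
        reasons.append("cmd.exe")
    return {"host": host, "status": int(status), "decoded": decoded, "reasons": reasons}

def triage(lines):
    """Return (probes, answered): flagged requests, and those not rejected with 4xx/5xx."""
    probes = [r for r in map(classify, lines) if r and r["reasons"]]
    return probes, [r for r in probes if r["status"] < 400]

SAMPLE = [
    # Line quoted in the thread:
    '194.182.228.5 - - [03/Nov/2001:12:49:13 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292',
    # Constructed lines (documentation address ranges):
    '192.0.2.10 - - [03/Nov/2001:12:50:01 -0800] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [03/Nov/2001:12:51:44 -0800] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
]

if __name__ == "__main__":
    probes, answered = triage(SAMPLE)
    for p in probes:
        print(p["host"], p["status"], p["decoded"], p["reasons"])
    print("probes answered with a non-error status:", len(answered))
```

An empty second list means every flagged request was refused, as with the 400 in the quoted line; any entry in it is the one worth investigating.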
 