Could anyone tell me what this request is trying to do, and did he succeed in invading my site? I see the request directly, without any buffer overflow attempt or anything: "/d/winnt/system32/cmd.exe?/c+dir". This is in my log file. Thank you.
and look for information on the Nimda worm. Please do so ASAP, because this one does some nasty things, including flooding your local IP block with requests looking for other systems to infect.
It also attaches a virus attempt to every web page served, which is automatically executed by IE 5.0, or 5.5, unless patched with Service Pack 2.
This is a computer trying to see if you have any servers that are vulnerable to Nimda. Even if you are fully patched/not vulnerable, you are going to see these requests - and A LOT of them. My home network has over 21000 requests for cmd.exe alone in the last few days.
This is nothing to fear as long as you have no IIS servers or they are completely patched. It is the same idea as the CodeRed worm, where an infected server will scan other hosts on its own and other networks to see if they are vulnerable.
Just make sure you are not vulnerable and if it is severely affecting your network performance, talk to your upstream provider and have them block cmd.exe, msadc and readme.eml.
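To answer the "did he succeed" part of the question from the logs themselves, here is an added example (not code from any poster in this thread) that counts probe requests per source and lists any the server answered with a 2xx status. It assumes Common Log Format; the sample lines are constructed, and a 2xx answer is only a reason to investigate that host, not proof of compromise.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Substrings named in the thread as markers of Nimda probe requests.
MARKERS = ("cmd.exe", "msadc", "readme.eml")

# Assumed format: host ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2001:10:01:02 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
192.0.2.10 - - [20/Sep/2001:10:01:03 +0000] "GET /msadc/sample HTTP/1.0" 404 279
198.51.100.7 - - [20/Sep/2001:10:05:40 +0000] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [20/Sep/2001:10:05:41 +0000] "GET /readme.eml HTTP/1.0" 404 281
203.0.113.5 - - [20/Sep/2001:10:09:15 +0000] "GET /d/winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 200 1024
"""

def scan(lines):
    """Return (probe count per host, probes the server answered with 2xx)."""
    probes = Counter()
    answered = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        # Decode %xx escapes and fold case before matching the markers.
        path = unquote(m["path"]).lower()
        if not any(marker in path for marker in MARKERS):
            continue
        probes[m["host"]] += 1
        if m["status"].startswith("2"):
            # The server served something for a probe path: check this host.
            answered.append((m["host"], m["path"], int(m["status"])))
    return probes, answered

if __name__ == "__main__":
    probes, answered = scan(SAMPLE_LOG.splitlines())
    for host, count in probes.most_common():
        print(f"{host}: {count} probe request(s)")
    for host, path, status in answered:
        print(f"INVESTIGATE: {status} returned to {host} for {path}")
```

Probes that only ever receive 4xx responses match the "you are going to see these requests" case described above.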