security problem, fix?

Posted on 2003-02-24
Medium Priority
Last Modified: 2012-05-04
I'm getting a lot of GET requests from one particular IP addy, but I'm not sure what he's trying to do.  Here's some of the log entries:

- - [24/Feb/2003:13:46:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
- - [24/Feb/2003:13:46:58 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
- - [24/Feb/2003:13:46:59 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
- - [24/Feb/2003:13:47:00 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
- - [24/Feb/2003:13:47:00 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
- - [24/Feb/2003:13:47:02 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
- - [24/Feb/2003:13:47:03 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
- - [24/Feb/2003:13:47:03 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
- - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
- - [24/Feb/2003:13:47:04 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
- - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
- - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
- - [24/Feb/2003:13:47:06 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
- - [24/Feb/2003:13:47:07 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
- - [24/Feb/2003:13:47:08 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
- - [24/Feb/2003:13:47:09 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306


Please tell me what he's doing and what I can do to stop anything malicious.  I'm running XP with the latest Apache.


(This question's worth a lot of points)

Question by:yodaj007

Accepted Solution

linxit earned 480 total points
ID: 8015401

This is the NIMDA worm in action - basically someone is running a non-patched IIS server which has been compromised by NIMDA and is trying to attack you. Don't worry, Apache is immune to it.

The patch has been available now for over a year so there's no excuse really on their part.

Unfortunately the hostname attached to that IP address (pcp02763091pcs.pthurn01.mi.comcast.net) suggests it's just a home user who probably doesn't even know he's running a webserver.
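As an added illustration (not part of either post above), the following Python script shows how a defender can confirm what the answer describes from the access log itself: it parses Apache Common Log Format lines, normalises the encoded paths the same way the probes expect a broken decoder to (repeated percent-decoding so that %255c and %%35%63 collapse to a backslash, plus the overlong %c0%af / %c1%9c forms), flags the cmd.exe / root.exe traversal pattern, and reports per client address how many probes arrived and whether any were actually served with a 2xx status. The sample log lines are constructed from the question's excerpt; the client addresses (192.0.2.10, 198.51.100.7) are documentation-range placeholders, since the original log had the address stripped.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample modelled on the question's excerpt. The source addresses
# are placeholders (the posted log had them removed); the last two lines are
# ordinary traffic so the summary has something benign to compare against.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Feb/2003:13:46:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
192.0.2.10 - - [24/Feb/2003:13:46:59 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
192.0.2.10 - - [24/Feb/2003:13:47:00 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
192.0.2.10 - - [24/Feb/2003:13:47:05 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
192.0.2.10 - - [24/Feb/2003:13:47:06 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
198.51.100.7 - - [24/Feb/2003:13:50:12 -0600] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [24/Feb/2003:13:50:13 -0600] "GET /images/logo.png HTTP/1.1" 200 5120
"""

# Apache Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Byte sequences the probes use as path separators. %c0%af and %c1%9c are
# overlong UTF-8 encodings of '/' and '\'; %c0%2f and %c1%1c are malformed
# sequences the probe relies on a lenient decoder to treat the same way.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",
    b"\xc0\x2f": b"/",
    b"\xc1\x9c": b"\\",
    b"\xc1\x1c": b"\\",
}

SUSPECT_TARGETS = ("cmd.exe", "root.exe")


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Normalise a request path the way a naive server-side decoder might.

    Percent-decoding is repeated until the path stops changing (bounded by
    max_rounds), so double-encoded "%255c" and the "%%35%63" trick both end
    up as a single backslash. Overlong separators are then mapped and all
    backslashes folded to '/', giving one canonical form to match against.
    """
    data = raw.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, sep in OVERLONG_SEPARATORS.items():
        data = data.replace(seq, sep)
    return data.replace(b"\\", b"/").decode("latin-1")


def classify(path: str) -> list:
    """Return the indicator tags that apply to one request path (empty if none)."""
    norm = decode_path(path).lower()
    tags = []
    if any(target in norm for target in SUSPECT_TARGETS):
        tags.append("shell-target")   # asks the web server for a command shell
    if "../" in norm:
        tags.append("traversal")      # tries to escape the document root
    if "/winnt/system32/" in norm:
        tags.append("system32")       # only meaningful on a Windows host
    if "?/c+" in norm:
        tags.append("cmd-arg")        # passes "/c dir" as the shell's argument
    return tags


def analyze(log_text: str) -> dict:
    """Summarise probe activity per client address.

    Result: {ip: {"requests": n, "probes": n, "served_probes": n,
                  "indicators": [sorted tags]}}.
    served_probes counts probes answered with a 2xx status; for a server that
    is not vulnerable to these requests it should stay at zero.
    """
    summary = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        entry = summary.setdefault(
            m["ip"], {"requests": 0, "probes": 0, "served_probes": 0, "indicators": set()}
        )
        entry["requests"] += 1
        tags = classify(m["path"])
        if tags:
            entry["probes"] += 1
            entry["indicators"].update(tags)
            if m["status"].startswith("2"):
                entry["served_probes"] += 1
    for entry in summary.values():
        entry["indicators"] = sorted(entry["indicators"])
    return summary


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry)
```

Running it on the sample reports five probes from the first address, all tagged shell-target and none served, and nothing from the second. On a real log, a non-zero served_probes for these paths is the line worth paging someone over; a long run of 404s, as in the question, is noise from an infected host elsewhere.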

