To prevent it? No, that's an infected client. You are on Windows Server
2003 AND they are 404'ing. You have nothing to worry about
--
--Jonathan Maltz [Microsoft MVP - Windows Server]
<a style='text-decoration: underline;' href="http://www.visualwin.com" target="_blank">http://www.visualwin.com</a> - A Windows Server 2003 visual, step-by-step
tutorial site
<a style='text-decoration: underline;' href="http://vpc.visualwin.com" target="_blank">http://vpc.visualwin.com</a> - Does <insert OS name> work on VPC 2004? Find out
here
Only reply by newsgroup. Any emails I have not authorized are deleted
before I see them.
"Steve" <anonymous DeleteThis @discussions.microsoft.com> wrote in message
news:028201c3dac5$02cc45e0$a101280a@phx.gbl...
> Hey all,
>
> Thanks in advance for your help.
>
> Over the past couple days, I've been getting some
> interesting activity on the Web Logs. The IP address
> rotates but the theme is the same....trying to get a
> command window open.
>
> I run Windows 2003 Server.
>
> This is what I'm seeing...(I took out the IP address...)
>
> GET /scripts/root.exe - (OFFENDING IP) HTTP/1.0 - - 404 0
> GET /c/winnt/system32.cmd.exe - (OFFENDING IP) HTTP/1.0 -
> - 404 0
> GET /scripts/winnt/system32/cmd.exe - (OFFENDING IP)
> HTTP/1.0 - - 404 0
> GET /_mem_bin/..%5c../..%5c../..%
> 5c../winnt/system32/cmd.exe - (OFFENDING IP) HTTP/1.0 - -
> 404 0
>
> And so on.....within a 30 second time frame there could
> be anywhere from 15-60 attempts...
>
> All are rejected as 404 errors.
>
> Since they are rejected as 404...I know they aren't
> getting in right? Is there anything else I can do to
> prevent this? Should I be worried?<!-- ~MESSAGE_AFTER~ -->
FAQ
Profile
Private Messages
Log in
