Welcome to MobyThreads.com!
FAQFAQ   SearchSearch      ProfileProfile    Private MessagesPrivate Messages   Log in/Register/PasswordLog in/Register/Password
All support for the MobyThreads Threaded phpBB MOD can now be found on welsolutions at this forum

attempted intrusion?

  
   Web Hosting and Web Master Forums (Home) -> Apache RSS
Next:  Apache: Apache Server side include character limits  
Author Message
colin2

External


Since: Jul 11, 2003
Posts: 11



(Msg. 1) Posted: Sat Jul 12, 2003 2:29 am
Post subject: attempted intrusion?
Archived from groups: alt>apache>configuration (more info?)
hi, I just installed and configured apache for the first time today, and
this evening I was reviewing my access log, and I saw this...

62.31.250.64 - - [11/Jul/2003:14:52:33 +0100] "GET
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\c
md.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 333

does anyone what this is, what it means, and moreover, is it serious? i'm
quite new to this. any help would be much appreciated.

thanks

r.

 >> Stay informed about: attempted intrusion? 
Back to top
Login to vote
ian4

External


Since: Jul 30, 2003
Posts: 35



(Msg. 2) Posted: Sat Jul 12, 2003 2:29 am
Post subject: Re: attempted intrusion? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whilst lounging around on Fri, 11 Jul 2003 23:29:48 +0100, "rusty"
<colin@#j0o.com> amazingly managed to produce the following with
their Etch-A-Sketch:

 > hi, I just installed and configured apache for the first time
 > today, and this evening I was reviewing my access log, and I saw
 > this...
 >
 > 62.31.250.64 - - [11/Jul/2003:14:52:33 +0100] "GET
 > /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\sys
 > tem32\\c md.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 333
 >
 > does anyone what this is, what it means, and moreover, is it
 > serious? i'm quite new to this. any help would be much
 > appreciated.
 >
 > thanks
 >
 > r.
 >


Nimda.



Regards,

Ian

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPw8+Omfqtj251CDhEQJvSwCffvH2Xl+++mpgYlW8i5iy144WHhEAoNmt
CSqEBaFwCN6h8r27qXMTBwTK
=ZUSq
-----END PGP SIGNATURE-----

--
Ian.H [Design & Development]
digiServ Network - Web solutions
<a style='text-decoration: underline;' href="http://www.digiserv.net" target="_blank">www.digiserv.net</a> | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.<!-- ~MESSAGE_AFTER~ -->

 >> Stay informed about: attempted intrusion? 
Back to top
Login to vote
nospam173

External


Since: Jul 02, 2003
Posts: 52



(Msg. 3) Posted: Sat Jul 12, 2003 2:29 am
Post subject: Re: attempted intrusion? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
On Fri, 11 Jul 2003 23:29:48 +0100, The Other Guy responded to a post
from "rusty" <colin@#j0o.com> who wrote in alt.apache.configuration:

 >hi, I just installed and configured apache for the first time today, and
 >this evening I was reviewing my access log, and I saw this...
 >
 >62.31.250.64 - - [11/Jul/2003:14:52:33 +0100] "GET
 >/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\c
 >md.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1" 404 333
 >
 >does anyone what this is, what it means, and moreover, is it serious? i'm
 >quite new to this. any help would be much appreciated.
 >
 >thanks
 >
 >r.
 >


As noted by Ian, it is the nimda worm.

See <a style='text-decoration: underline;' href="http://httpd.apache.org/docs/misc/FAQ.html#codered" target="_blank">http://httpd.apache.org/docs/misc/FAQ.html#codered</a>
<a style='text-decoration: underline;' href="http://www.apacheweek.com/issues/01-09-21#news" target="_blank">http://www.apacheweek.com/issues/01-09-21#news</a>
<a style='text-decoration: underline;' href="http://www.cert.org/advisories/CA-2001-26.html" target="_blank">http://www.cert.org/advisories/CA-2001-26.html</a>

As well as searching google for the keyword "nimda".

Regards,
TOG

--
../configure --prefix=~/zyterion
Not this guy or that guy, The Other Guy.

This spot may contain a satirical comment or comedic source,
and is meant to be funny. If you are easily offended, gullible
or don't have a sense of humour we suggest you read elsewhere.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: attempted intrusion? 
Back to top
Login to vote
Display posts from previous:   
   Web Hosting and Web Master Forums (Home) -> Apache All times are: Pacific Time (US & Canada) (change)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



[ Contact us | Terms of Service/Privacy Policy ]