Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Hacking attempt on m y site

Status
Not open for further replies.
italy

italy

Programmer
Joined
Feb 13, 2001
Messages
162
Location
US
Could any one tell me what this request trying to do and did he succeded to invate my site becuse I see the request directly without any buffer over flow attempt or some thing "/d/winnt/system32/cmd.exe?/c+dir" this is in my log file .Thank you
 
Sort by date Sort by votes
here is another line as well

/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir what he was trying to put in here %%35c
 
Upvote 0 Downvote
Are you running IIS? If you haven't patched it in the past couple days, then you probably have the Nimda worm. Go to and look for information on the Nimda worm. Please do so ASAP, because this one does some nasty things, including flooding your local IP block with requests looking for other systems to infect.

It also attaches a virus attempt to every web page served, which is automatically executed by IE 5.0, or 5.5, unless patched with Service Pack 2.
 
Upvote 0 Downvote
HI!

Seems to me more like one of the CODE RED variations, which is running on the server that tries to access yours.

Check the log entries for the HTTP return code.
It it's 404 then probably your server refuesd the request.
Also try to browse to:
where x.x.x.x is your server IP address.
(If they are open, you server is infected or was infected but wasn't totaly fixed).

Also make sure you have installed the latest SP and security patches from MS ,
and that you are running an updated anti virus program on the server.

Bye
Yizhar
Yizhar Hurwitz
 
Upvote 0 Downvote
can you tell me what this request trying to do and which command try to run .thanks
 
Upvote 0 Downvote
This is a computer trying to see if you have any servers that are vulnerable to Nimda. Even if you are fully patched/not vulnerable, you are going to see these requests - and A LOT of them. My home network has over 21000 requests for cmd.exe alone in the last few days.

This is nothing to fear as long as you have no IIS servers or they are completely patched. It is the same idea as the CodeRed worm, where an infected server will scan other hosts on its own and other networks to see if they are vulnerable.

Just make sure you are not vulnerable and if it is severely affecting your network performance, talk to your upstream provider and have them block cmd.exe, msadc and readme.eml.

CodeRed scans look like this:
xxx.xxx.xxx.xxx - - [21/Sep/2001:20:50:56 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 284

Just make sure you are getting 404 HTTP status codes...

Hope this helps,
Paul
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
2
  • Locked
  • Question Question
Loss of my privacy
Replies
12
Views
2K
Rick998
Rick998
Impersonator
  • Locked
  • Question Question
UDP Hacking port 53
Replies
1
Views
463
RodneyMcSnow
RodneyMcSnow
PauS0n
  • Locked
  • Question Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
455
PauS0n
PauS0n
mcisar
  • Locked
  • Question Question
Disable CHAP on PPPoE WAN connection
Replies
0
Views
379
mcisar
mcisar

Part and Inventory Search

Sponsor

Back
Top