Paul Sumner <[EMAIL PROTECTED]> wrote:
> In my raw logs I find several entries, such as:
>
> /scripts/root.exe?/c+dir
> /MSADC/root.exe?/c+dir
> /c/winnt/system32/comd.exe?/c+dir
> /d/winnt/system32/comd.exe?/c+dir
> /scripts/..%255c.../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>
> Etc. Etc.
>
> Are these hack attempts?

Not in the sense that anyone is deliberately targeting your site.

> If not, what are they?

These are requests by the Nimda worm, coming from servers that are still infected a year after the holes that it exploits were patched. It tries at random to find servers that will accept these requests, and then copies itself to those servers, and starts them randomly searching for other vulnerable servers.

> Should I assume that my webhost is blocking these attempts?

If these entries show up on your Request report (indicating they have a "success" status code) you should be worried (and ashamed of yourself, if you're responsible for the server, but that's another matter!). If they only show up in your failure report, they can be safely ignored as just part of the "noise" that's out there these days.

> How would I recognize if an attempt is successful
> (other than seeing profanity on my website)?

A truly successful attempt would remove any traces of itself from the log files. Obviously, if you see any strange entries (like those above) on your request report, rather than your failure report, you should be worried.

Aengus

+------------------------------------------------------------------------
|  This is the analog-help mailing list. To unsubscribe from this
|  mailing list, go to
|    http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
|  List archives are available at
|    http://www.mail-archive.com/analog-help@lists.isite.net/
|    http://lists.isite.net/listgate/analog-help/archives/
|    http://www.tallylist.com/archives/index.cfm/mlist.7
+------------------------------------------------------------------------
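
The check described in the reply above (probe requests that received a success status versus ones that failed), sketched as an added example that is not part of the original thread. It assumes the raw log is in Common Log Format; the `triage` function name and the sample lines are constructed for illustration.

```python
import re

# Probe shape taken from the log entries quoted in the thread: a request
# for root.exe or cmd.exe with a "/c+<command>" query string.
PROBE = re.compile(r"/(?:root|cmd)\.exe\?/c\+", re.IGNORECASE)

# Common Log Format (assumed):
# host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def triage(lines):
    """Split probe requests into those the server answered with a
    success status (2xx) and those it refused."""
    answered, refused = [], []
    for line in lines:
        m = CLF.match(line)
        if not m or not PROBE.search(m["path"]):
            continue  # unparseable line or ordinary traffic
        hit = (m["host"], m["path"], int(m["status"]))
        (answered if 200 <= hit[2] < 300 else refused).append(hit)
    return answered, refused

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [12/Sep/2002:04:11:02 +0000] '
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283',
    '192.0.2.10 - - [12/Sep/2002:04:11:03 +0000] '
    '"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281',
    '198.51.100.7 - - [12/Sep/2002:05:40:19 +0000] '
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1512',
    '203.0.113.5 - - [12/Sep/2002:06:00:00 +0000] '
    '"GET /index.html HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    answered, refused = triage(SAMPLE)
    print(f"{len(refused)} probes refused (background noise)")
    for host, path, status in answered:
        print(f"INVESTIGATE: {host} got {status} for {path}")
```

An empty `answered` list only shows that the surviving log holds no successful probe; as the reply notes, a compromised server's logs may have been altered.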