RE: Simple log question...
I have all the latest updates and patches on the system.

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Monday, December 08, 2003 4:18 PM
To: CF-Talk
Subject: RE: Simple log question...

> What are these entries in my log files?
> am I being attacked?

Yes, you're being attacked.

> If so how do I stop it . I use IIS
>
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -

If your server is properly configured (and therefore isn't responding to the attack) you can safely ignore it. There are plenty of automated script attacks like this, and trying to track them down and make them stop is probably more trouble than it's worth in most cases. The attack is very likely coming from an already-infected host, rather than directly from an attacker.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: Simple log question...
> What are these entries in my log files?
> am I being attacked?

Yes, you're being attacked.

> If so how do I stop it . I use IIS
>
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -

If your server is properly configured (and therefore isn't responding to the attack) you can safely ignore it. There are plenty of automated script attacks like this, and trying to track them down and make them stop is probably more trouble than it's worth in most cases. The attack is very likely coming from an already-infected host, rather than directly from an attacker.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
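An added example, not part of the original thread or any poster's code: a Python script that triages log lines like the ones quoted above by decoding the path, checking whether it climbs out of the site root or targets cmd.exe, and then looking at the status code to see whether the server answered. It assumes each line carries the three fields visible in the excerpt (URI stem, URI query, status) and treats only a 2xx status as served; the function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed layout, taken from the excerpt in the thread: URI stem, URI query, status.
LINE_RE = re.compile(r"^(?P<stem>/\S*)\s+(?P<query>\S+)\s+(?P<status>\d{3})\b")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are reduced to plain text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(stem):
    """True if '..' segments climb above the site root once '\\' and '/' are unified."""
    depth = 0
    for seg in fully_decode(stem).replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False

def triage(line):
    """Classify one line as benign, rejected, investigate, or unparsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed"
    stem = fully_decode(m["stem"]).lower()
    if not (escapes_root(m["stem"]) or stem.endswith("cmd.exe")):
        return "benign"
    # Assumption: only a 2xx status means the server actually served the probe.
    return "investigate" if m["status"].startswith("2") else "rejected"

def summarize(lines):
    """Count verdicts across non-empty lines."""
    return dict(Counter(triage(l) for l in lines if l.strip()))

SAMPLE = [
    "/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -",  # from the thread
    "/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -",  # from the thread
    "/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -",  # from the thread
    "/scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -",  # from the thread
    "/scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -",  # constructed: served
    "/index.cfm - 200 -",                                    # constructed: benign
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Lines that come back as "investigate" are the ones worth following up; "rejected" lines match the case the reply describes as safe to ignore.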
Re: Simple log question...
This looks like Nimda or one of the many variants. So yes, you are being attacked, but if you're patched up, it really shouldn't affect anything. You could ban the IP at your firewall, but there's a chance you'll ban valid traffic as well.

marlon

Jim T wrote:
> What are these entries in my log files?
> am I being attacked?
> If so how do I stop it . I use IIS
>
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
RE: Simple log question...
What are these entries in my log files?
am I being attacked?
If so how do I stop it . I use IIS

/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
/scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -