-
Apache Server
Hey all - I got an Apache Server up and running and it seems to work fine. The odd thing is the error log states over and over and over that cmd.exe does not exist, with the occasional root.exe does not exist. It also gives the IP of what is trying to access it. I traced one IP and it led to S. America, another led to Texas. Anyone know what these 2 things are for and why they are trying to be accessed? Anyone else run into this? BTW I'm running Apache on a 2K machine....
Thanks
-
Which port are these requests coming in on? These may be attempts by worms such as Code Red or Nimda to access IIS vulnerabilities.
-
Not sure what port - but here is the exact log message (last 4 entries):
[Tue Oct 02 09:30:15 2001] [error] [client 216.240.143.231] File does not exist: c:/program files/apache group/apache/htdocs/wwwroot/scripts/..À¯/winnt/system32/cmd.exe
[Tue Oct 02 09:30:16 2001] [error] [client 216.240.143.231] File does not exist: c:/program files/apache group/apache/htdocs/wwwroot/scripts/..Áœ/winnt/system32/cmd.exe
[Tue Oct 02 09:30:18 2001] [error] [client 216.240.143.231] File does not exist: c:/program files/apache group/apache/htdocs/wwwroot/scripts/..%5c/winnt/system32/cmd.exe
[Tue Oct 02 09:30:18 2001] [error] [client 216.240.143.231] File does not exist: c:/program files/apache group/apache/htdocs/wwwroot/scripts/..%2f/winnt/system32/cmd.exe
-
Whoever it was was trying to get into the command line and make changes on the server or to download stuff. Are you on NT or 98? I would change the port # and get a firewall, or make an .htaccess to lock that directory to certain people.
-
I'm running 2K. I think it's Code Red trying to get in. There are 3 different sets of IP numbers, so I'm pretty sure 3 different infected servers are trying to attack me lol. Lucky me!
-
Yeah, but Code Red attacks IIS servers if I'm not mistaken, not Apache.
-
It attacks any web server; the attack is only successful on IIS. So these could be Code Red/Nimda.
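-
Added example, not part of any post in this thread: a small Python script that groups error-log entries like the ones quoted above by client IP and tags the probe markers visible in them (the cmd.exe/root.exe targets and the odd characters after ".."). The tag names, the 192.0.2.x addresses and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache error-log line: [timestamp] [error] [client IP] File does not exist: path
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                     r"File does not exist: (?P<path>.+)$")
TARGETS = ("cmd.exe", "root.exe")  # the two file names named in the thread

def classify(path):
    """Return the probe markers present in one logged path."""
    low = path.lower()
    tags = {t for t in TARGETS if low.endswith("/" + t)}
    if re.search(r"\.\.%(5c|2f)", low):       # encoded \ or / still present after ".."
        tags.add("encoded-separator")
    if re.search(r"\.\.[^\x00-\x7f]", path):  # non-ASCII characters right after ".."
        tags.add("non-ascii-after-dotdot")
    return tags

def summarize(lines):
    """Group probe hits by client IP; lines with no marker are ignored."""
    report = defaultdict(lambda: {"hits": 0, "tags": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        tags = classify(m["path"]) if m else set()
        if not tags:
            continue
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["tags"] |= tags
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(report)

DOCROOT = "c:/program files/apache group/apache/htdocs"
SAMPLE = [
    # First and third entries from the thread (non-ASCII characters written as escapes)
    "[Tue Oct 02 09:30:15 2001] [error] [client 216.240.143.231] File does not exist: "
    + DOCROOT + "/wwwroot/scripts/..\u00c0\u00af/winnt/system32/cmd.exe",
    "[Tue Oct 02 09:30:18 2001] [error] [client 216.240.143.231] File does not exist: "
    + DOCROOT + "/wwwroot/scripts/..%5c/winnt/system32/cmd.exe",
    # Constructed lines: a root.exe request and an ordinary 404, from documentation IPs
    "[Tue Oct 02 09:31:02 2001] [error] [client 192.0.2.44] File does not exist: "
    + DOCROOT + "/scripts/root.exe",
    "[Tue Oct 02 09:32:10 2001] [error] [client 192.0.2.10] File does not exist: "
    + DOCROOT + "/favicon.ico",
]
if __name__ == "__main__":
    for ip, e in summarize(SAMPLE).items():
        print(ip, e["hits"], sorted(e["tags"]), e["first"], "->", e["last"])
```

Pointing summarize() at the lines of a real error.log gives one row per probing host, which makes it easy to see how many distinct machines are behind the noise.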