Re: [SLUG] What does this mean

From: Patrick Grantham (pwgrant@yahoo.com)
Date: Fri Oct 26 2001 - 08:37:06 EDT


I'm getting them too. They are coming from NT machines with IIS that are
infected with either the Nimda or Code Red worms (I don't remember which.)
The host 216.151.92.2 is trying to run an app on your box. IF your box were
NOT a Linux, but NT based with IIS and unpatched, you would then be infected
yourself. I get them about every 30-45 seconds, depending on the time of day
(more in the evening when traffic is heavier.) My log files got huge during
the infection rate explosion. I now periodically strip out these entries.
These infected machines will probably find their entire hard drive(s) shared
with read write access to the world. Pretty scary stuff. Be thankful you
are using Linux (I hope.)

----- Original Message -----
From: "Mike Manchester" <mchester@yahoo.com>
To: "slug" <slug@nks.net>
Sent: Friday, October 26, 2001 7:44 AM
Subject: [SLUG] What does this mean

> I'm seeing a lot of these in my web server's access log file. What are
> they?
> 216.151.92.2 - - [26/Oct/2001:07:08:23 -0400] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-"
> "-"
>
> Is someone trying to hack my web server?
>
> Mike M
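
An added example, not part of the original thread: one way to recognise requests like the one quoted above and separate them from the rest of an access log, as the reply describes doing by hand. It assumes Apache combined log format; the function names and all sample lines other than the quoted request are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format; the first is the
# request quoted in the thread, the others are made up for contrast.
SAMPLE_LOG = """\
216.151.92.2 - - [26/Oct/2001:07:08:23 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
192.0.2.10 - - [26/Oct/2001:07:09:01 -0400] "GET /index.html HTTP/1.0" 200 1042 "-" "Mozilla/4.0"
216.151.92.2 - - [26/Oct/2001:07:09:40 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
192.0.2.11 - - [26/Oct/2001:07:10:12 -0400] "GET /docs/100%25-pure.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# Groups: source IP, method, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so %252f -> %2f -> / is seen as a slash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_probe(request_target):
    """True when the decoded path climbs out of its directory and names cmd.exe."""
    path = fully_decode(request_target.split("?", 1)[0])
    path = path.replace("\\", "/").lower()
    return "../" in path and path.endswith("/cmd.exe")

def split_log(text):
    """Return (kept_lines, probes_per_source_ip)."""
    kept, probes = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_probe(m.group(3)):
            probes[m.group(1)] += 1   # tally instead of silently dropping
        else:
            kept.append(line)         # unparsed or ordinary lines are kept
    return kept, probes

if __name__ == "__main__":
    kept, probes = split_log(SAMPLE_LOG)
    print("\n".join(kept))
    for ip, n in probes.most_common():
        print(f"# {ip}: {n} probe requests filtered")
```

Keeping the per-source tally rather than only deleting lines preserves a record of which hosts were sending the requests.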


