Samrc Posted July 24, 2003
Ok.... I understand what causes case-sensitive errors, truly missing pages, etc. I had WebTrends for statistics at the previous web host and was used to seeing that kind of thing, but now I have two other kinds of errors I have not seen before:
1) 3 pages of URLs listed as errors and they have no referrers. All look like relative links. I've found most of the pages where they belong inside the proper folders. Why would I get errors when links to those pages work fine and the pages load without a problem?
2) The last few have no referrers and are listed as:
/d/winnt/system32/cmd.exe
scripts/root.exe
/scripts/..%c0%af../winnt/system32/cmd.exe
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
scripts/..%c1%9c../winnt/system32/cmd.exe
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
/c/winnt/system32/cmd.exe
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
/MSADC/root.exe
I don't have now and never had a scripts directory, nor do I know why anyone or anything would be looking for the other entries. Do I need to do something to stop or avoid these errors, or just live with them? Thanks for any insights, folks.
-Samantha
leezard Posted July 24, 2003
Were those errors in your AWStats error log? All the ones you listed in number 2 are paths to folders on a Windows machine, which I'm guessing would be your local machine since the servers all run Linux.
Samrc Posted July 24, 2003
Yes. The items I mentioned are in the 404 errors list in AWStats. I have a personal account also, and have never seen them. I would have thought that they were referring to my hard drive also, but I do not have any files on the site that point to my hard drive, nor do I have a scripts folder or any of the files on my hard drive that are being sought. The WebTrends report from the previous web host also listed 404 errors, but none that look like these. All new since moving the site this week.
I also have an error now showing the referrer is our home page, requesting: /cgi-bin/FormMail.pl
I have not set up anything in the cgi-bin at all (didn't have the ability at the old host, let alone from the home page).
/default.ida is another new entry. Found out why it is being searched - another worm: http://www.cotse.com/mailing-lists/ntbugtr...1/Jul/0012.html
-Samantha
leezard Posted July 24, 2003 (edited)
Found this thread on another forum; it might be what you're seeing in your error logs. From the sounds of it, it's the Nimda worm that's doing it. There's a few steps on there for setting up a redirect whenever that file is trying to be accessed.
http://forums.devshed.com/t49234/sbd163976...25832f84b7.html
Edited July 24, 2003 by leezard
leezard Posted July 24, 2003
Here's another one with a little more info: http://forums.devshed.com/showthread.php?s...ghlight=cmd.exe
Samrc Posted July 24, 2003
So the brand new site is already being attacked by Nimda??? Mad!!! Is there anything I should do? The link you sent me to had a redirect to nohackerz.com, but since that is not my site, where would I redirect? Or just ignore?
-Samantha
leezard Posted July 24, 2003
You can just ignore it, or set up some kind of redirect. Make a simple HTML page to redirect it to or something. Your site is run on a Linux server, so the activity that Nimda is doing won't get anywhere. Nimda only affects servers running IIS: it finds a server that is unpatched, replicates itself on that server, and then from that server starts looking for other servers to replicate itself to.
leezard Posted July 24, 2003
"/default.ida is another new entry. Found out why it is being searched - another worm: http://www.cotse.com/mailing-lists/ntbugtr...1/Jul/0012.html"
That's the Code Red worm; it also affects servers running IIS. Just to clarify (you may already know, but anyway), the two worms in question aren't trying to do anything to your site, but are trying to get to the server your site is on. Since Total Choice Hosting uses the Apache web server, neither of the worms will have any effect on the servers, since they both target Windows-based servers running IIS.
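As an added example (not from this thread or from TCH), a small Python classifier that decodes the traversal encodings in the 404 entries Samantha listed and tallies the probe families over a constructed Apache log. The worm labels follow leezard's identification above; the table of overlong separator encodings is an assumption limited to the variants the thread shows, and the log lines are constructed, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Overlong UTF-8 byte pairs that the IIS decoder of the day accepted as path
# separators (assumption: only the variants the thread shows are listed).
OVERLONG_SEPARATORS = {"%c0%af": "/", "%c1%9c": "\\", "%c1%1c": "\\"}

# Constructed sample in Apache common log format: request paths from the
# thread, client addresses from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2003:10:01:12 -0400] "GET /scripts/root.exe HTTP/1.0" 404 289
203.0.113.7 - - [24/Jul/2003:10:01:13 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 302
203.0.113.7 - - [24/Jul/2003:10:01:14 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe HTTP/1.0" 404 302
198.51.100.9 - - [24/Jul/2003:10:05:44 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 285
192.0.2.33 - - [24/Jul/2003:10:07:02 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 404 280
192.0.2.34 - - [24/Jul/2003:10:08:00 -0400] "GET /images/logo.gif HTTP/1.1" 200 4123
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalize_path(path: str) -> str:
    # Decode as the probe expects the target to: drop the query, collapse overlong
    # separators, percent-decode twice (%255c -> %5c -> '\'), unify slashes.
    p = path.split("?", 1)[0].lower()
    for enc, sep in OVERLONG_SEPARATORS.items():
        p = p.replace(enc, sep)
    return unquote(unquote(p)).replace("\\", "/")

def has_traversal(path: str) -> bool:
    # True when the decoded path steps out of its directory with '..'.
    return ".." in normalize_path(path).split("/")

def classify(path: str) -> str:
    # Label a request with the probe family the thread discusses.
    p = normalize_path(path)
    if p.endswith("/default.ida"):
        return "code-red"        # Code Red's .ida overflow request
    if p.endswith("/cmd.exe") or p.endswith("/root.exe"):
        return "nimda"           # IIS traversal / root.exe backdoor probes
    if p.endswith("/formmail.pl"):
        return "formmail-probe"  # spammers hunting an open FormMail relay
    return "other"

def summarize(log_text: str) -> dict:
    # Tally probe families over a log; 404 on a non-IIS host means nothing was served.
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[classify(m.group(3))] += 1
    return dict(counts)
```

Run `summarize(SAMPLE_LOG)` to get the per-family counts; feeding it a real access log gives a quick picture of how much of the 404 noise is worm traffic versus genuinely broken links.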
Samrc Posted July 24, 2003
Thanks for the heads up and for using servers that can't be toyed with easily. I tried putting in redirects but am not sure I did them right. Guess I will find out with time. How about all the relative links.... any idea here?
-Samantha
leezard Posted July 24, 2003
Sorry, I don't have any info for the relative URLs, but someone from the support staff might. Also, I just noticed this one:
"I also have an error now showing the referrer is our home page, requesting: /cgi-bin/FormMail.pl. I have not set up anything in the cgi-bin at all (didn't have the ability at the old host, let alone from the home page)."
More than likely that is someone (a spammer) trying to exploit some of the holes in the FormMail script; that's why Total Choice Hosting has it disabled.
Samrc Posted July 24, 2003
Okie dokie..... I found another, and it is /MSOffice/citreq.asp. Looks like I will just have to accept that this account is going to be flooded with attempts to get into the server in some way. Yuck! Strange how I have so many on this new account (domain moved Monday) and none of them on my personal account that's been around a few months. Thanks.
-Samantha
TCH-Don Posted July 25, 2003
Samantha, the lambert domain has been around longer than your personal domain, so that is most likely why it is being probed. I see requests for variations of FormMail all the time, and that is why I have never used them. In fact I do not use the cgi-bin at all.
idallen Posted July 25, 2003
"There's a few steps on there for setting up a redirect"
Redirects are "advice" from the web server to the client. In this case, since the client is not a web browser (it's a malicious piece of worm code), the client will not follow the redirect. Attacks against Microsoft software won't work here on TCH. TCH runs Linux.
Samrc Posted July 25, 2003
Then the redirects are a waste of time.... will remove them. And as I said earlier: thanks for the heads up and for using servers that can't be toyed with easily.
-Samantha