Posted

Ok.... I understand what causes case sensitive errors, and truly missing pages, etc.

 

I had WebTrends for statistics at the previous web host and am used to seeing that kind of thing, but now I have two other kinds of errors I have not seen before:

 

1) 3 pages of URLs listed as errors and they have no referers. All look like relative links. I've found most of the pages where they belong inside the proper folders. Why would I get errors when links to those pages work fine and the pages load without a problem?

 

2) The last few have no referers and are listed as:

/d/winnt/system32/cmd.exe

scripts/root.exe

/scripts/..%c0%af../winnt/system32/cmd.exe

/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe

scripts/..%c1%9c../winnt/system32/cmd.exe

 

/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe

 

/c/winnt/system32/cmd.exe

/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe

 

/MSADC/root.exe

 

I don't have now and never had a scripts directory, nor do I know why anyone or anything would be looking for the other entries. Do I need to do something to stop or avoid these errors, or just live with them?

 

Thanks for any insights folks.

 

-Samantha

Posted

Those errors were in your AWStats error log? All the ones you listed in number 2 are paths to folders on a Windows machine, which I'm guessing would be your local machine since the servers all run Linux.

Posted

Yes. The items I mentioned are in the 404 errors list in the Awstats. I have a personal account also, and have never seen them.

 

I would have thought that they were referring to my hard drive also, but I do not have any files on the site that point to my hard drive, nor do I have a scripts folder or any of the files on my hard drive that are being sought.

 

The webtrends report from the previous web host also listed 404 errors, but none that look like these. All new since moving the site this week.

 

I also have an error now showing referer is our home page, requesting:

/cgi-bin/FormMail.pl

I have not set up anything in the cgi bin at all (didn't have the ability at the old host), let alone from the home page.

 

/default.ida is another new entry. Found out why it is being searched - another worm: http://www.cotse.com/mailing-lists/ntbugtr...1/Jul/0012.html

 

-Samantha

Posted

So the brand new site is already being attacked by Nimda??? Mad!!!

 

Is there anything I should do? The link you sent me to had a redirect to nohackerz.com but since that is not my site, where would I redirect? Or just ignore?

 

-Samantha

Posted

You can just ignore it, or set up some kind of redirect. Make a simple HTML page to redirect it to or something. Your site is run on a Linux server, so the activity that Nimda is doing won't get anywhere. Nimda only affects servers running IIS: it finds a server that is unpatched, replicates itself on that server and then from that server starts looking for other servers to replicate itself to.

Posted
/default.ida is another new entry. Found out why it is being searched - another worm: http://www.cotse.com/mailing-lists/ntbugtr...1/Jul/0012.html

 

That's the Code Red worm; it also affects servers running IIS. Just to clarify (you may already know, but anyway): the two worms in question aren't trying to do anything to your site, but are trying to get to the server your site is on. Since Total Choice Hosting uses the Apache web server, neither of the worms will have any effect on the servers, since they both target Windows-based servers running IIS.
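An added example (not part of any post in this thread): a small triage script that separates the worm and FormMail probes identified above from 404s that may be real broken links. The log lines are constructed, the label names are made up for the example, and treating the three odd byte pairs as path separators is an assumption made so the traversal shape becomes visible.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte pairs from the probes quoted in this thread that are not valid UTF-8.
# Assumption for triage: treat each one as a path separator.
ODD_SEPARATORS = (b"\xc0\xaf", b"\xc1\x9c", b"\xc1\x1c")
REQUEST = re.compile(r'"[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def normalise(path):
    """Percent-decode until stable (%255c -> %5c -> backslash), unify separators."""
    raw = path.encode("latin-1", "replace")
    for _ in range(5):  # bounded loop; layered encodings are shallow
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for pair in ODD_SEPARATORS:
        raw = raw.replace(pair, b"/")
    return raw.replace(b"\\", b"/").decode("latin-1").lower()

def classify(path):
    """Label one requested path using only the patterns named in the thread."""
    p = normalise(path.split("?", 1)[0])
    if p.endswith(("/cmd.exe", "/root.exe")):
        return "iis-worm-probe (traversal)" if "/../" in p else "iis-worm-probe"
    if p == "/default.ida":
        return "code-red-probe"
    if p.endswith("/formmail.pl"):
        return "formmail-probe"
    return "check-link"  # possibly a genuinely broken link on the site

def triage(log_lines):
    """Group the 404s in Apache-style access log lines by label."""
    report = {}
    for line in log_lines:
        m = REQUEST.search(line)
        if m and m.group(2) == "404":
            report.setdefault(classify(m.group(1)), []).append(m.group(1))
    return report

# Constructed sample log: documentation IP, invented timestamp and size.
# /gallery/Photo1.html is a made-up broken link; other paths are from the thread.
LINE = '192.0.2.7 - - [01/Jan/2003:10:00:01 -0500] "GET {} HTTP/1.0" {} 283 "-" "-"'
SAMPLE = [LINE.format(path, status) for path, status in [
    ("/scripts/..%c0%af../winnt/system32/cmd.exe", 404),
    ("/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe", 404),
    ("/default.ida", 404), ("/cgi-bin/FormMail.pl", 404),
    ("/gallery/Photo1.html", 404), ("/index.html", 200),
]]
```

Anything left under `check-link` after running `triage` on a real access log is what deserves a look for case-sensitivity or missing-file problems.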

Posted

Thanks for the heads up and using servers that can't be toyed with easily. Rock Sign

 

I tried putting in redirects but not sure I did them right. Guess I will find out with time.

 

How about all the relative links....any idea here?

 

-Samantha

Posted

Sorry, don't have any info for the relative URLs, but someone from the support staff might.

 

Also I just noticed this one:

I also have an error now showing referer is our home page, requesting:

/cgi-bin/FormMail.pl

I have not set up anything in the cgi bin at all (didn't have the ability at the old host), let alone from the home page.

 

More than likely that is someone (spammer) trying to exploit some of the holes in the FormMail script; that's why Total Choice Hosting has it disabled.

Posted

okie dokie.....

 

I found another and it is /MSOffice/citreq.asp

 

Looks like I will just have to accept that this account is going to be flooded with attempts to get into the server in some way. Yuck!

 

Strange how I have so many on this new account (domain moved Monday) and none of them on my personal account that's been around a few months. <_<

 

Thanks.

 

-Samantha

Posted

Samantha,

the lambert domain has been around longer than your personal domain.

So that is most likely why it is being probed.

 

I see requests for variations of FormMail all the time,

and that is why I have never used them.

In fact I do not use the cgi-bin at all.

Posted
There's a few steps on there for setting up a redirect

Redirects are "advice" from the web server to the client. In this case, since the client is

not a web browser (it's a malicious piece of worm code), the client will not follow the redirect.

 

Attacks against Microsoft software won't work here on TCH. TCH runs Linux. Rock Sign

Posted

Then the redirects are a waste of time.... will remove them.

 

And as I said earlier:

 

Thanks for the heads up and using servers that can't be toyed with easily.  Rock Sign

 

-Samantha :unsure:
