> On Thu, Nov 20, 2003 at 11:23:27PM -0500, Linux Rocks! wrote: > so... ive noticed this before in my webserver logs... > 68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] "GET > /scripts/..%%35c../winnt/ > system32/cmd.exe?/c+dir HTTP/1.0" 400 292
Someone just has a script/program that's scanning for IIS 5.0 exploits. There are a number of exploits that allow you to execute arbitrary commands using cmd.exe. Roughly, from your log entry, they're trying to run cmd.exe with the /c switch, which means run cmd.exe and execute the command(s) contained in the string following the /c switch. In this case, your Apache logs either truncated the rest, or they were just seeing if they got something or a 403 (which would likely indicate a patched machine). /jgw _______________________________________________ EuG-LUG mailing list [EMAIL PROTECTED] http://mailman.efn.org/cgi-bin/listinfo/eug-lug
