RE: [OT] Some one executing windows commands in Tomcat 4.1.18.

2003-08-14 Thread Ralph Einfeldt
There is someone from xx.xx.xx.xx trying to use an IIS 
vulnerability. If it's really intranet your admin should 
have a look at the offending pc if it is infected by a 
virus. (Not sure out of the head if this is nimda, code 
red or what else)

This vulnerability is not affecting tomcat.

 -Original Message-
 From: Antony paul [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 11, 2003 2:11 PM
 To: tomcat mail list
 Subject: [OT] Some one executing windows commands in Tomcat 4.1.18.
 
 
 I have Tomcat standalone running on a local Intranet. The 
 server is
 windows 2000 SP2. Today while checking the access log files I 
 found the following lines
 xx.xx.xx.xx - - [11/Aug/2003:09:47:38 5050] GET 
 /scripts/root.exe?/c+dir

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: [OT] Some one executing windows commands in Tomcat 4.1.18.

2003-08-14 Thread Steph Richardson
This is just an IIS worm (Nimda I think) on someone else's server, sending requests
to yours. You can see that all the requests are returning a 404. Almost everyone
sees this at some stage. Don't worry about it.

steph

 -Original Message-
 From: Antony paul [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 11, 2003 8:11 AM
 To: tomcat mail list
 Subject: [OT] Some one executing windows commands in Tomcat 4.1.18.


 Hello,
 I have Tomcat standalone running on a local Intranet. The server is
 windows 2000 SP2. Today while checking the access log files I found the
 following lines
 xx.xx.xx.xx - - [11/Aug/2003:09:47:38 5050] GET /scripts/root.exe?/c+dir HTTP/1.0 404 716
 xx.xx.xx.xx - - [11/Aug/2003:09:47:43 5050] GET /MSADC/root.exe?/c+dir HTTP/1.0 404 710

 What does this mean? Is there any vulnerability in Tomcat or this
 combination? I have uncommented the invoker servlet in web.xml. Is it
 creating the problem?

 regards
 Antony Paul






-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
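
The check the replies describe (requests aimed at IIS paths, each answered with a 404), written out as an added example; it is not code from any poster in this thread. The sample lines are constructed, with documentation addresses in place of the masked xx.xx.xx.xx, and the names `triage` and `verdict` are hypothetical.

```python
import re
from collections import defaultdict

# Common Log Format; the quotes around the request are optional because the
# lines archived in this thread appear without them.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"? '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Paths from the two requests quoted in the thread (matched case-insensitively).
PROBE_RE = re.compile(r'^/(scripts|msadc)/root\.exe$', re.IGNORECASE)

# Constructed sample: 192.0.2.x are documentation addresses, not from the thread.
SAMPLE = [
    '192.0.2.10 - - [11/Aug/2003:09:47:38 +0530] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 716',
    '192.0.2.10 - - [11/Aug/2003:09:47:43 +0530] GET /MSADC/root.exe?/c+dir HTTP/1.0 404 710',
    '192.0.2.20 - - [11/Aug/2003:09:50:01 +0530] "GET /index.jsp HTTP/1.1" 200 5120',
    '192.0.2.77 - - [11/Aug/2003:10:02:11 +0530] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 83',
]

def triage(lines):
    """Group probe requests by client and collect any that did not get an error."""
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access-log line in the expected format
        path = m["target"].split("?", 1)[0]
        if not PROBE_RE.match(path):
            continue  # ordinary traffic
        entry = report[m["host"]]
        entry["probes"] += 1
        status = int(m["status"])
        if status < 400:  # the server returned something for a probe path
            entry["answered"].append((m["time"], m["target"], status))
    return dict(report)

def verdict(entry):
    """Only error statuses: noise on a non-IIS server. Anything else: look."""
    return "investigate" if entry["answered"] else "noise"

if __name__ == "__main__":
    for host, entry in triage(SAMPLE).items():
        print(host, entry["probes"], verdict(entry), entry["answered"])
```

A probe path answered with a status below 400 means something on the host is serving that URL, which is the case worth an admin's time.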



Re: [OT] Some one executing windows commands in Tomcat 4.1.18.

2003-08-14 Thread Kwok Peng Tuck
It's in the intranet, right? Should be easy to track down :)

Antony paul wrote:

Hello,
   I have Tomcat standalone running on a local Intranet. The server is
windows 2000 SP2. Today while checking the access log files I found the
following lines
xx.xx.xx.xx - - [11/Aug/2003:09:47:38 5050] GET /scripts/root.exe?/c+dir HTTP/1.0 404 716
xx.xx.xx.xx - - [11/Aug/2003:09:47:43 5050] GET /MSADC/root.exe?/c+dir HTTP/1.0 404 710
What does this mean? Is there any vulnerability in Tomcat or this
combination? I have uncommented the invoker servlet in web.xml. Is it
creating the problem?
regards
Antony Paul


Re: [OT] Some one executing windows commands in Tomcat 4.1.18.

2003-08-14 Thread Antony paul
Although it is an intranet application Tomcat is listening on the public IP
address accessible from internet (temporary arrangement) and the IP address
in the log is outside the intranet but of same ISP. The IIS is not running
but we have some other web server program (probably apache) which listens on
this IP address.
- Original Message -
From: Ralph Einfeldt [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 2:08 PM
Subject: RE: [OT] Some one executing windows commands in Tomcat 4.1.18.


There is someone from xx.xx.xx.xx trying to use an IIS
vulnerability. If it's really intranet your admin should
have a look at the offending pc if it is infected by a
virus. (Not sure out of the head if this is nimda, code
red or what else)

This vulnerability is not affecting tomcat.

 -Original Message-
 From: Antony paul [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 11, 2003 2:11 PM
 To: tomcat mail list
 Subject: [OT] Some one executing windows commands in Tomcat 4.1.18.


 I have Tomcat standalone running on a local Intranet. The
 server is
 windows 2000 SP2. Today while checking the access log files I
 found the following lines
 xx.xx.xx.xx - - [11/Aug/2003:09:47:38 5050] GET
 /scripts/root.exe?/c+dir




Re: [OT] Some one executing windows commands in Tomcat 4.1.18.

2003-08-14 Thread Michael Teter
This is the age old IIS worm working its magic.  It's either Code Red or 
Code Red 2 or whatever.

In any case, you can safely ignore it if Tomcat is the one reporting it.
And unfortunately, you're unlikely to get anywhere by trying to
contact the offending server owner or ISP.

Just ignore it, as long as you're not using IIS, or you have IIS patched up.

MT

Antony paul wrote:
Although it is an intranet application Tomcat is listening on the public IP
address accessible from internet (temporary arrangement) and the IP address
in the log is outside the intranet but of same ISP. The IIS is not running
but we have some other web server program (probably apache) which listens on
this IP address.
- Original Message -
From: Ralph Einfeldt [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 2:08 PM
Subject: RE: [OT] Some one executing windows commands in Tomcat 4.1.18.
There is someone from xx.xx.xx.xx trying to use an IIS
vulnerability. If it's really intranet your admin should
have a look at the offending pc if it is infected by a
virus. (Not sure out of the head if this is nimda, code
red or what else)
This vulnerability is not affecting tomcat.


-Original Message-
From: Antony paul [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 2:11 PM
To: tomcat mail list
Subject: [OT] Some one executing windows commands in Tomcat 4.1.18.
   I have Tomcat standalone running on a local Intranet. The
server is
windows 2000 SP2. Today while checking the access log files I
found the following lines
xx.xx.xx.xx - - [11/Aug/2003:09:47:38 5050] GET
/scripts/root.exe?/c+dir




RE: [OT] Some one executing windows commands in Tomcat 4.1.18.

2003-08-14 Thread Angus Mezick
That 404 means they got a page not found error.  This is just some
script kiddie looking for problems.  I wouldn't worry about it.  If you
want to create a servlet mapping that grabs these requests and then pipes
them off into the lala land of the never-ending-connection, please do.
It would help reduce their effect on the rest of the net.
--Angus

 -Original Message-
 From: Antony paul [mailto:[EMAIL PROTECTED] 
 Sent: Monday, August 11, 2003 8:11 AM
 To: tomcat mail list
 Subject: [OT] Some one executing windows commands in Tomcat 4.1.18.
 
 
 Hello,
 I have Tomcat standalone running on a local Intranet. The server is
 windows 2000 SP2. Today while checking the access log files I found the
 following lines
 xx.xx.xx.xx - - [11/Aug/2003:09:47:38 5050] GET /scripts/root.exe?/c+dir HTTP/1.0 404 716
 xx.xx.xx.xx - - [11/Aug/2003:09:47:43 5050] GET /MSADC/root.exe?/c+dir HTTP/1.0 404 710
 
 What does this mean? Is there any vulnerability in Tomcat or this
 combination? I have uncommented the invoker servlet in web.xml. Is it
 creating the problem?
 
 regards
 Antony Paul
 



Re: [OT] Some one executing windows commands in Tomcat 4.1.18.

2003-08-12 Thread John Turner
Then contact your ISP's abuse center and tell them that a machine on 
their network is infected.  That's the only way it will go away, 
otherwise you will keep seeing it.

John

Antony paul wrote:

Although it is an intranet application Tomcat is listening on the public IP
address accessible from internet (temporary arrangement) and the IP address
in the log is outside the intranet but of same ISP. The IIS is not running
but we have some other web server program (probably apache) which listens on
this IP address.
- Original Message -
From: Ralph Einfeldt [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 2:08 PM
Subject: RE: [OT] Some one executing windows commands in Tomcat 4.1.18.
There is someone from xx.xx.xx.xx trying to use an IIS
vulnerability. If it's really intranet your admin should
have a look at the offending pc if it is infected by a
virus. (Not sure out of the head if this is nimda, code
red or what else)
This vulnerability is not affecting tomcat.



