Mark Russell
Posted December 2, 2002

These very strange URLs appear on my user tracking page in Admin as the point of entry to my website. I've now seen these for a couple of days and they usually appear as multiple sessions over a short timeframe. Like a spider? Example below.

User Tracking is showing these as pages on MY site and not as referring URLs. The host listed is the referer and the time/URL is what is supposedly the entry point of my site.

Any ideas what this is?

Thanks,
Mark

Host: 211.239.35.104 09:31:20: /scripts/root.exe?/c+dir
Host: 211.239.35.104 09:31:23: /MSADC/root.exe?/c+dir
Host: 211.239.35.104 09:31:25: /c/winnt/system32/cmd.exe?/c+dir
Host: 211.239.35.104 09:31:33: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir

burt
Posted December 2, 2002

This is script kiddies trying to access files on your server. There is a well known exploit on Windows servers which uses these particular files.

If you are on a *nix server, just ignore them - if you are on a Win server, speak with your server admin to make sure the box is patched.

burt
Posted December 2, 2002

I've just checked, if you are talking about your tights site, the server is:

Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) mod_dtcl mod_python/2.7.6 Python/2.1.2 mod_throttle/2.11 mod_perl/1.27 PHP/4.2.3 FrontPage/4.0.4.3 rus/PL30.16

So you are fine, just ignore those entries...

Mark Russell
Posted December 2, 2002

Thanks, burt. I figured as much - the Windows calls and knowing that my host was strictly Unix.

Is there a way to block these with rewrite_mod using RewriteCondition on the UA and a rewrite rule to send them packing?

M
Archived
This topic is now archived and is closed to further replies.
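
Added example, not part of the original thread: a small Python triage script that reads entries in the User Tracking format quoted in the first post and flags the ones whose request path looks like a Windows/IIS probe, so they can be separated from real visitor sessions. It decodes the path repeatedly (so `%255c` becomes `%5c` and then a backslash) before checking for `cmd.exe`/`root.exe` and `..` traversal. The fifth sample line, the function names and the reason labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: the four entries quoted in the thread plus one made-up normal hit.
SAMPLE = """\
Host: 211.239.35.104 09:31:20: /scripts/root.exe?/c+dir
Host: 211.239.35.104 09:31:23: /MSADC/root.exe?/c+dir
Host: 211.239.35.104 09:31:25: /c/winnt/system32/cmd.exe?/c+dir
Host: 211.239.35.104 09:31:33: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Host: 192.0.2.10 09:40:02: /index.php?cPath=21
"""

ENTRY = re.compile(r"^Host:\s+(\S+)\s+(\d\d:\d\d:\d\d):\s+(\S+)$")
SHELL = re.compile(r"/(cmd|root)\.exe$", re.I)

def fully_decode(path, max_rounds=3):
    """Percent-decode until stable, so %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(url):
    """Return the reasons a request URL looks like a Windows/IIS probe."""
    path = url.partition("?")[0]
    decoded = fully_decode(path).replace("\\", "/")
    reasons = []
    if SHELL.search(decoded):
        reasons.append("windows-shell-binary")
    if "/../" in decoded or decoded.endswith("/.."):
        reasons.append("path-traversal")
    if unquote(path) != fully_decode(path):
        reasons.append("double-encoded")
    return reasons

def scan(text):
    """Group flagged entries by host: {host: [(time, url, reasons), ...]}."""
    hits = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            host, when, url = m.groups()
            reasons = classify(url)
            if reasons:
                hits.setdefault(host, []).append((when, url, reasons))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Several flagged entries from one host within a few seconds, as in the sample, is the pattern described in the first post.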