Strange User Tracking entries - Help!

[Mark Russell]

These very strange URLs appear on my user tracking page in Admin as the point of entry to my website. I've now seen these for a couple of days and they usually appear as multiple sessions over a short timeframe. Like a spider? Example below. User Tracking is showing these as pages on MY site and not as referring URLs. The host listed is the referer and the time/URL is what is supposedly the entry point of my site.

 

Any ideas what this is?

 

Thanks, Mark

 

Host: 211.239.35.104 09:31:20: /scripts/root.exe?/c+dir

Host: 211.239.35.104 09:31:23: /MSADC/root.exe?/c+dir

Host: 211.239.35.104 09:31:25: /c/winnt/system32/cmd.exe?/c+dir

Host: 211.239.35.104 09:31:33: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir

[burt]

This is script kiddies trying to access files on your server. There is a well known exploit on Windows servers which uses these particular files.

 

If you are on a *nix server, just ignore them - if you are on a Win server, speak with your server admin to make sure the box is patched.

[burt]

I've just checked, if you are talking about your tights site, the server is:

 

Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) mod_dtcl mod_python/2.7.6 Python/2.1.2 mod_throttle/2.11 mod_perl/1.27 PHP/4.2.3 FrontPage/4.0.4.3 rus/PL30.16

 

So you are fine, just ignore those entries...

[Mark Russell]

Thanks, burt. I figured as much - the Windows calls and knowing that my host was strictly Unix.

 

Is there a way to block these with rewrite_mod using RewriteCondition on the UA and a rewrite rule to send them packing?

 

M