Date: Mon, 19 Nov 2001 22:31:15 +0100 (CET)
From: Nils Holland
To: ann kok
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: apache's log

What you are seeing in your log comes from the Nimda / Code Red worms.
Luckily, these worms can only do harm to (unprotected) Microsoft Windows /
IIS based machines. Assuming that you are running Apache on FreeBSD, you can
rest assured: These worms cannot do any harm to you.

Greetings
Nils

On Mon, 19 Nov 2001, ann kok wrote:

> Hi all
>
> I would like to know whether my web server is
> compromised by the following log message
>
> How do I know it?
>
> Thank you very much
>
> 203.64.184.144 - - [20/Nov/2001:00:17:18 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
> 203.64.184.144 - - [20/Nov/2001:00:17:19 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
> 203.64.184.144 - - [20/Nov/2001:00:17:22 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
> 203.64.184.144 - - [20/Nov/2001:00:17:26 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
> 203.64.184.144 - - [20/Nov/2001:00:17:33 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
> 203.64.184.144 - - [20/Nov/2001:00:17:34 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
> 203.64.184.144 - - [20/Nov/2001:00:17:40 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
> industry.ssu.ac.kr - - [20/Nov/2001:01:21:34 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:22:58 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:24:29 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:25:59 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:27:30 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:29:00 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:30:30 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:32:01 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:33:31 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:35:02 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:36:32 +0800] "-" 408 -
> industry.ssu.ac.kr - - [20/Nov/2001:01:38:03 +0800] "-" 408 -
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

Nils Holland
Ti Systems - FreeBSD in Tiddische, Germany
http://www.tisys.org * nils@tisys.org
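
One way to check a log like the one quoted in this thread, as an added example that is not part of the original messages: decode each request repeatedly so the double-encoded variants unwrap, flag the IIS-targeted paths, and use the status code to tell a rejected probe from one that was actually served. It assumes Apache's common log format; the function names and verdict labels are hypothetical, and the marker pattern uses only strings visible in the quoted requests.

```python
import re
from urllib.parse import unquote

# Constructed sample: lines from the quoted log (re-joined), plus one made-up
# benign request from a documentation address.
SAMPLE_LOG = """\
203.64.184.144 - - [20/Nov/2001:00:17:18 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
203.64.184.144 - - [20/Nov/2001:00:17:26 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
203.64.184.144 - - [20/Nov/2001:00:17:40 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
192.0.2.10 - - [20/Nov/2001:00:20:00 +0800] "GET /index.html HTTP/1.0" 200 1024
industry.ssu.ac.kr - - [20/Nov/2001:01:21:34 +0800] "-" 408 -
"""

CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*)" (?P<status>\d{3}) \S+$')
# Markers taken from the requests in the thread: the Windows shell and system path.
PROBE = re.compile(r"cmd\.exe|/winnt/", re.IGNORECASE)

def fully_decode(text, max_rounds=5):
    """Percent-decode repeatedly so double-encoded forms such as %252f unwrap."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return (host, status, verdict) for one common-log-format line."""
    m = CLF.match(line.strip())
    if not m:
        return (None, None, "unparsed")
    status = int(m["status"])
    if not PROBE.search(fully_decode(m["req"])):
        return (m["host"], status, "other")
    # 4xx: Apache rejected the request or found no such path, so nothing was served.
    verdict = "probe-rejected" if 400 <= status < 500 else "probe-investigate"
    return (m["host"], status, verdict)

def summarize(log_text):
    """Count verdicts per (source host, verdict) pair."""
    counts = {}
    for line in log_text.splitlines():
        host, _, verdict = classify(line)
        counts[(host, verdict)] = counts.get((host, verdict), 0) + 1
    return counts

if __name__ == "__main__":
    for (host, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:20} {verdict:18} {n}")
```

Every probe in the quoted log ends in 400 or 404, so all of them land in the rejected bucket; a 2xx on such a path is the case that would warrant a closer look.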