[Xitami] Error log shows hacking attempts?
Paul Reid
xitami@lists.xitami.org
Tue, 11 Jun 2002 12:44:31 -0400
> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
This is an attempt to exploit a bug in MS IIS webserver. The syntax
is incorrect and should be refused (and Xitami refuses it without
any problem). In unpatched IIS, it runs the NT-DOS command-line
processor and allows arbitrary commands to be run. "dir" is an
innocent command, but if they get a response to that you may expect
a hacker to come back and try something malicious.
However, network owners are now doing scans like this. Today my
bosses are throwing a few dozen such "hack attacks" against all
machines on campus, and will notify owners if they see trouble. So
it may be your "friends at the ISP" rather than hackers.
> GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN......
This is CodeRed or Nimda. These send a very long request. A proper
piece of software will either take the whole thing or truncate it
and refuse it. In unpatched MS IIS, the gibberish at the end
overflows data space into code space, overwrites part of the
program, and infects it with the virus (that gibberish is Intel CPU
machine code). This attack is very specific to IIS: the same code
injected into any other software would not do what was planned, and
generally causes lockup or crash. In Xitami, the buffer does not
overflow and it simply logs the request and the fact that it didn't
make sense.
> the reason why I am occasionally coming home to find my Xitami
> with an internal error that requires a restart?
No. As long as you have enough disk space for all the crap that
piles up in logs these days, Xitami is not bothered by any of the
crack-attacks shown in your logs. Say what version of Xitami (please
do NOT say "latest version"!!!) and what Windows or other O/S you
run it on.
-PRR
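An added example, not part of the original post: detection logic for the two request patterns discussed above, run over constructed Common Log Format lines. It decodes the request target repeatedly so that the `%252f` double-encoding (which hides `..%2f..` and then `../`) is recognised, and flags an oversized query to `/default.ida` as the CodeRed/Nimda pattern. The sample addresses and the 200-byte query threshold are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the original post); the second one
# carries a long run of "N" characters in the query, as CodeRed did.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jun/2002:12:01:03 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
203.0.113.7 - - [11/Jun/2002:12:02:44 -0400] "GET /default.ida?{} HTTP/1.0" 400 0
198.51.100.2 - - [11/Jun/2002:12:03:10 -0400] "GET /index.html HTTP/1.0" 200 1043
""".format("N" * 224)

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_layers(target, max_layers=3):
    """Percent-decode until the string stops changing.

    Returns (decoded, layers); layers > 1 means the target was encoded
    more than once, which is the trick behind ..%252f.. (-> ..%2f.. -> ../).
    """
    layers = 0
    current = target
    while layers < max_layers:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        layers += 1
    return current, layers

def classify(target):
    """Label a request target, or return None if it looks ordinary."""
    decoded, layers = decode_layers(target)
    path, _, query = decoded.partition("?")
    # CodeRed / Nimda style: /default.ida with a very long query (threshold assumed)
    if path.lower().endswith("/default.ida") and len(query) > 200:
        return "iis-ida-overflow"
    # Traversal out of the script directory toward the NT command interpreter
    if "../" in path.replace("\\", "/") and "cmd.exe" in path.lower():
        return "double-encoded-traversal" if layers > 1 else "traversal"
    return None

def scan_log(text):
    """Return (target, label) for every request line that matches a known pattern."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            label = classify(m.group("target"))
            if label:
                findings.append((m.group("target"), label))
    return findings
```

A single decode pass would leave `%2f` in the path and miss the traversal, which is why the decoder loops until the string is stable.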