Re: Nimda


Subject: Re: Nimda
From: Matt Larson (ml582@columbia.edu)
Date: Fri Sep 21 2001 - 13:40:27 MDT


Not unless you're running MS IIS. This looks like an Apache server
being probed by an infected IIS machine.

Matt

Brian Watson wrote:

> 24.129.1.10 - - [18/Sep/2001:13:11:31 -0400] "GET
> /scripts/root.exe?/c+dir HTTP$
> 24.129.1.10 - - [18/Sep/2001:13:11:31 -0400] "GET
> /MSADC/root.exe?/c+dir HTTP/1$
> 24.129.1.10 - - [18/Sep/2001:13:11:32 -0400] "GET
> /c/winnt/system32/cmd.exe?/c+$
> 24.129.1.10 - - [18/Sep/2001:13:11:33 -0400] "GET
> /d/winnt/system32/cmd.exe?/c+$
> 24.129.1.10 - - [18/Sep/2001:13:11:34 -0400] "GET
> /scripts/..%255c../winnt/syst$
> 24.129.1.10 - - [18/Sep/2001:13:11:34 -0400] "GET
> /_vti_bin/..%255c../..%255c..$
> 24.129.1.10 - - [18/Sep/2001:13:11:35 -0400] "GET
> /_mem_bin/..%255c../..%255c..$
>
> Is this a Nimda infected machine?
>
> --Brian



This archive was generated by hypermail 2a24 : Fri Sep 21 2001 - 12:50:29 MDT