Re: Nimda


Subject: Re: Nimda
From: Jim Jagielski (jimydog@jaguNET.com)
Date: Fri Sep 21 2001 - 13:57:50 MDT


If you're running Apache (and with YDL you are) then you're not
"infected". Rather, infection was attempted.

At 2:35 PM -0500 9/21/01, Brian Watson wrote:
>>24.129.1.10 - - [18/Sep/2001:13:11:31 -0400] "GET /scripts/root.exe?/c+dir HTTP$
>>24.129.1.10 - - [18/Sep/2001:13:11:31 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1$
>>24.129.1.10 - - [18/Sep/2001:13:11:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+$
>>24.129.1.10 - - [18/Sep/2001:13:11:33 -0400] "GET /d/winnt/system32/cmd.exe?/c+$
>>24.129.1.10 - - [18/Sep/2001:13:11:34 -0400] "GET /scripts/..%255c../winnt/syst$
>>24.129.1.10 - - [18/Sep/2001:13:11:34 -0400] "GET /_vti_bin/..%255c../..%255c..$
>>24.129.1.10 - - [18/Sep/2001:13:11:35 -0400] "GET /_mem_bin/..%255c../..%255c..$
>>
>>Is this a Nimda infected machine?
>>
>>--Brian
>
>Does anyone have a good Nimda script? My access log has over 14k lines of Nimda attempts in the past two days!! :(
>
>--Brian

-- 
===========================================================================
   Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
      "A society that will trade a little liberty for a little order
                   will lose both and deserve neither"
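
An added example, not part of the original thread: one way to count these probes per client in an Apache access log and to tell attempts apart from requests the server actually answered. It assumes Common Log Format; the sample lines and addresses are constructed, and the patterns are only the path fragments visible in the quoted log lines.

```python
import re
from collections import defaultdict

# Path fragments taken from the probe requests quoted in this thread.
PROBE = re.compile(r"root\.exe|cmd\.exe|\.\.%255c|/_vti_bin/|/_mem_bin/", re.I)

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

def summarize(lines):
    """Return ({ip: {"probes": n, "answered_2xx": [paths]}}, skipped_lines)."""
    report = defaultdict(lambda: {"probes": 0, "answered_2xx": []})
    skipped = 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            skipped += 1  # truncated or malformed line: count it, do not guess
            continue
        host, _when, request, status, _size = m.groups()
        parts = request.split()
        path = parts[1] if len(parts) >= 2 else request
        if not PROBE.search(path):
            continue
        entry = report[host]
        entry["probes"] += 1
        # A 2xx status means the server served something at the probe path,
        # so that request needs a closer look; 4xx/5xx means the probe failed.
        if status.startswith("2"):
            entry["answered_2xx"].append(path)
    return dict(report), skipped

# Constructed sample input (documentation addresses, not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [18/Sep/2001:13:11:31 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [18/Sep/2001:13:11:31 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274',
    '192.0.2.10 - - [18/Sep/2001:13:11:32 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 284',
    '192.0.2.10 - - [18/Sep/2001:13:11:34 -0400] "GET /scripts/..%255c../winnt/syst$',
    '198.51.100.7 - - [18/Sep/2001:13:12:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [18/Sep/2001:13:15:40 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE)
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]["probes"]):
        flag = "CHECK" if info["answered_2xx"] else "attempt only"
        print(f"{ip:15} {info['probes']:5} probes  {flag}")
    print(f"{skipped} unparseable line(s) skipped")
```

Lines cut off by a terminal or pager, like the ones quoted above that end in `$`, do not parse as a full log entry and are counted as skipped, so run this against the log file itself rather than pasted screen output.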


