Re: Nimda


Subject: Re: Nimda
From: Brian Watson (bcwatso1@uiuc.edu)
Date: Fri Sep 21 2001 - 14:06:55 MDT


>If you're running Apache (and with YDL you are) then you're not
>"infected". rather, infection was attempted.
>
>At 2:35 PM -0500 9/21/01, Brian Watson wrote:
>>>24.129.1.10 - - [18/Sep/2001:13:11:31 -0400] "GET
>>>/scripts/root.exe?/c+dir HTTP$
>>>24.129.1.10 - - [18/Sep/2001:13:11:31 -0400] "GET
>>>/MSADC/root.exe?/c+dir HTTP/1$
>>>24.129.1.10 - - [18/Sep/2001:13:11:32 -0400] "GET
>>>/c/winnt/system32/cmd.exe?/c+$
>>>24.129.1.10 - - [18/Sep/2001:13:11:33 -0400] "GET
>>>/d/winnt/system32/cmd.exe?/c+$
>>>24.129.1.10 - - [18/Sep/2001:13:11:34 -0400] "GET
>>>/scripts/..%255c../winnt/syst$
>>>24.129.1.10 - - [18/Sep/2001:13:11:34 -0400] "GET
>>>/_vti_bin/..%255c../..%255c..$
>>>24.129.1.10 - - [18/Sep/2001:13:11:35 -0400] "GET
>>>/_mem_bin/..%255c../..%255c..$
>>>
>>>Is this a Nimda infected machine?
>>>
>>>--Brian
>>
>>Does anyone have a good Nimda script? My access log has over 14k
>>lines of Nimda attempts in the past two days!! :(
>>
>--Brian

I was ambiguous. I know I can't get infected. My question was if it
was Nimda code. I hadn't seen it before, but that's what I suspected
it to be.

Robert, do you have the URL to the old Code Red script? I lost
everything for YDL when I formatted my Linux partition.

--Brian
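The "Nimda script" asked about in this thread is a log filter: something that pulls the worm's probe requests out of an Apache access log and tallies them per source host. The following is an added example written for this archive page, not a script from the thread, from YDL, or from any list member. It keys on the indicators visible in the quoted log lines (requests for root.exe and cmd.exe, and the double-encoded `..%255c` backslash traversal), and it decodes each request path twice before matching so that `%255c` is seen as the `\` it becomes on the target. The sample log lines are constructed (RFC 5737 test addresses and plausible status/size fields), modelled on the truncated entries quoted above; the function and variable names are the example's own.

```python
#!/usr/bin/env python3
"""Count Nimda-style probe requests in Apache access logs (added example)."""
import re
import sys
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log line: host, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators taken from the probe requests quoted in the thread.
FILE_INDICATORS = ("root.exe", "cmd.exe")
TRAVERSAL_SEGMENTS = ("..\\", "../")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def canonical_path(path):
    """Decode percent-encoding twice: %255c -> %5c -> backslash, as the worm relied on."""
    decoded = path
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.lower()


def is_nimda_probe(path):
    """True when the request path looks like one of the worm's IIS probes."""
    p = canonical_path(path)
    if any(name in p for name in FILE_INDICATORS):
        return True
    # Directory traversal aimed at the Windows system directory.
    return "winnt" in p and any(seg in p for seg in TRAVERSAL_SEGMENTS)


def summarize(log_text):
    """Tally probe lines overall, per source address, and per canonical path."""
    total = probes = 0
    by_ip = Counter()
    by_path = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed or foreign lines rather than crash
        total += 1
        if is_nimda_probe(rec["path"]):
            probes += 1
            by_ip[rec["ip"]] += 1
            by_path[canonical_path(rec["path"])] += 1
    return {"total": total, "probes": probes, "by_ip": by_ip, "by_path": by_path}


# Constructed sample log, modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:13:11:31 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275
192.0.2.10 - - [18/Sep/2001:13:11:31 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 273
192.0.2.10 - - [18/Sep/2001:13:11:32 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
192.0.2.10 - - [18/Sep/2001:13:11:34 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
192.0.2.10 - - [18/Sep/2001:13:11:34 -0400] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
198.51.100.20 - - [18/Sep/2001:13:12:01 -0400] "GET /index.html HTTP/1.0" 200 1532
198.51.100.7 - - [18/Sep/2001:13:15:10 -0400] "GET /_mem_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
"""


def main(argv):
    """Usage: nimda_count.py [access_log ...]; with no arguments, runs on the sample."""
    text = SAMPLE_LOG if len(argv) < 2 else "".join(open(f).read() for f in argv[1:])
    s = summarize(text)
    print(f"{s['probes']} probe requests out of {s['total']} parsed lines")
    for ip, n in s["by_ip"].most_common():
        print(f"{n:6d}  {ip}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real log with `python3 nimda_count.py /var/log/httpd/access_log`; the per-address counts are the useful output, since a handful of infected hosts typically account for most of the noise and can be blocked or reported upstream. The double decode in `canonical_path` is the part worth keeping in any home-grown filter: a single `grep` for `winnt/system32` misses requests where the path is encoded, while matching on the decoded form catches the `%255c` variants quoted above and the plainer `%5c` ones alike.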



This archive was generated by hypermail 2a24 : Fri Sep 21 2001 - 13:18:01 MDT