Is this Nimda probing ?
From: Fred Koschara (wfredk@L5Development.NOSPAM.com)
Date: 12/23/01
From: wfredk@L5Development.NOSPAM.com (Fred Koschara)
Date: Sun, 23 Dec 2001 20:29:13 GMT
(what an idiot - I didn't include the log listings - thwack!)
Ever since our (new, FreeBSD) server was connected to the Internet, blocks of
entries such as those shown below have been showing up in our error log. After
looking through the articles in this newsgroup, my suspicion that they are
caused by a Nimda-infected system is reinforced, but not confirmed.
If this is indeed Nimda, should I be reporting this activity? (If it's not,
what is it?) Are there any other steps I should be taking?
TIA
-- Fred
----------------------- begin log listings ------------------------
[Sun Dec 23 10:40:58 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/scripts/root.exe
[Sun Dec 23 10:40:58 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/MSADC/root.exe
[Sun Dec 23 10:40:59 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/c/winnt/system32/cmd.exe
[Sun Dec 23 10:40:59 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/d/winnt/system32/cmd.exe
[Sun Dec 23 10:40:59 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun Dec 23 10:40:59 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Dec 23 10:40:59 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Dec 23 10:40:59 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/msadc/..%5c../..%5c../..%5c/..<C1>^\../..<C1>^\../..<C1>^\../winnt/system32/cmd.exe
[Sun Dec 23 10:40:59 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/scripts/..<C1>^\../winnt/system32/cmd.exe
[Sun Dec 23 10:41:00 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/scripts/..<C0><AF>../winnt/system32/cmd.exe
[Sun Dec 23 10:41:00 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/scripts/..<C1><9C>../winnt/system32/cmd.exe
[Sun Dec 23 10:41:00 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun Dec 23 10:41:00 2001] [error] [client 208.58.173.20] File does not exist: /web/studiolines/www/scripts/..%2f../winnt/system32/cmd.exe
------------------------ end log listings -------------------------
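Added example (not part of the original post): one way to triage an Apache error log for the pattern shown in the listing, grouping entries by client and flagging bursts of requests for root.exe or cmd.exe, with a count of how many used an encoded `..` traversal. The function names, the thresholds and the 192.0.2.10 entry are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three entries from the listing, hard-wrapped as mail archives deliver them, plus one made-up line.
SAMPLE = r"""[Sun Dec 23 10:40:58 2001] [error] [client 208.58.173.20] File does not exist:
/web/studiolines/www/scripts/root.exe
[Sun Dec 23 10:40:59 2001] [error] [client 208.58.173.20] File does not exist:
/web/studiolines/www/scripts/..%5c../winnt/system32/cmd.exe
[Sun Dec 23 10:40:59 2001] [error] [client 208.58.173.20] File does not exist:
/web/studiolines/www/msadc/..%5c../..%5c../..%5c/..<C1>^\../..<C1>^\../..<C1>^\
../winnt/system32/
cmd.exe
[Sun Dec 23 10:46:30 2001] [error] [client 192.0.2.10] File does not exist: /web/studiolines/www/cmd.exe
"""

ENTRY = re.compile(r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] File does not exist: (?P<path>.+)")
TARGET = re.compile(r"/(root|cmd)\.exe$", re.I)  # Windows-only executables requested from the web root
TRAVERSAL = re.compile(r"\.\.((?i:%5c|%2f)|<C[01]>|[\xc0\xc1])")  # ".." + encoded slash; raw or pager-rendered C0/C1 byte

def unwrap(text):
    """Rejoin hard-wrapped entries: any line not starting with '[' continues the previous one."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") or not entries:
            entries.append(line)
        elif line:
            entries[-1] += (" " if entries[-1].endswith(":") else "") + line
    return entries

def probing_clients(log_text, min_hits=3, window_s=10):
    """Return {ip: counts} for clients with >= min_hits target requests inside window_s seconds."""
    hits = defaultdict(list)
    for entry in unwrap(log_text):
        m = ENTRY.match(entry)
        if m and TARGET.search(m["path"]):
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            hits[m["ip"]].append((ts, bool(TRAVERSAL.search(m["path"]))))
    report = {}
    for ip, seen in hits.items():
        times = sorted(t for t, _ in seen)
        burst = any((times[i + min_hits - 1] - times[i]).total_seconds() <= window_s
                    for i in range(len(times) - min_hits + 1))
        if burst:
            report[ip] = {"requests": len(seen), "encoded_traversal": sum(e for _, e in seen)}
    return report

if __name__ == "__main__":
    print(probing_clients(SAMPLE))
```

The single cmd.exe request from 192.0.2.10 stays below the burst threshold and is not reported; lowering `min_hits` trades fewer misses for more noise.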