On Monday 08 July 2002 08:33, Peter Hickman wrote:
> Paul Sumner wrote:
> >In my raw logs I find several entries, such as:
> >
> >/scripts/root.exe?/c+dir
> >/MSADC/root.exe?/c+dir
> >/c/winnt/system32/comd.exe?/c+dir
> >/d/winnt/system32/comd.exe?/c+dir
> >/scripts/..%255c.../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>
> Yes they are worms, virii or whatever. If you are not running Windows
> then you are absolutely safe from these attacks. If you are then you
> have to look at the response codes. Are they failure codes such as 404,
> then you are ok. If they are 200s then you have been hacked.
>
> Also look out for link strings of NNNNNNNNNNNNNNNNN or XXXXXXXXXXXXXXXXXXX.
>
> Make sure your server is patched up to date.

If it has:
NNNNNNNNNNNN it's Code Red 1.
XXXXXXXXXXXXX it's Code Red 2.
/winnt/ it's Nimda.
AAAAAAAAAAAAA it's some new worm that showed up in my web log a few days ago.
Where do I report this? I tried bugtraq and the moderator ignored it.

phma
+------------------------------------------------------------------------
|  This is the analog-help mailing list. To unsubscribe from this
|  mailing list, go to
|    http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
|  List archives are available at
|    http://www.mail-archive.com/[email protected]/
|    http://lists.isite.net/listgate/analog-help/archives/
|    http://www.tallylist.com/archives/index.cfm/mlist.7
+------------------------------------------------------------------------
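
The signature list and the response-code check from the messages above, applied to access-log lines, as an added example that is not part of the original thread. The log lines are constructed; the Common Log Format layout, the `/page` path and the minimum run length of 10 are assumptions.

```python
import re

# Signatures as listed in the thread. The minimum run length of 10 is an
# assumption for this example so short ordinary strings do not match.
RULES = [
    (re.compile(r"N{10,}"), "Code Red 1"),
    (re.compile(r"X{10,}"), "Code Red 2"),
    (re.compile(r"/winnt/", re.I), "Nimda"),
    (re.compile(r"A{10,}"), "unidentified worm (A padding)"),
]
# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

def classify(path):
    """Return the worm name for a request path, or None if no rule matches."""
    for pattern, name in RULES:
        if pattern.search(path):
            return name
    return None

def verdict(status):
    """Apply the thread's rule of thumb: failure codes are fine, 200 is not."""
    if status == 200:
        return "request succeeded: investigate host"
    if status >= 400:
        return "probe failed"
    return "review manually"

def scan(lines):
    """Return (host, worm, status, verdict) for every matching log line."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        host, path, status = m.group(1), m.group(2), int(m.group(3))
        name = classify(path)
        if name:
            findings.append((host, name, status, verdict(status)))
    return findings

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    '192.0.2.10 - - [08/Jul/2002:08:01:02 +0000] "GET /page?' + "N" * 20 + ' HTTP/1.0" 404 276',
    '192.0.2.11 - - [08/Jul/2002:08:02:10 +0000] "GET /page?' + "X" * 20 + ' HTTP/1.0" 404 276',
    '198.51.100.7 - - [08/Jul/2002:08:03:44 +0000] "GET /c/winnt/system32/comd.exe?/c+dir HTTP/1.0" 200 512',
    '203.0.113.5 - - [08/Jul/2002:08:04:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.9 - - [08/Jul/2002:08:05:31 +0000] "GET /page?' + "A" * 20 + ' HTTP/1.0" 404 276',
]
if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep=" | ")
```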
