Anyone seen these in their logs lately
216.129.13.39 - - [18/Sep/2001:08:20:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 212 "" ""
216.129.13.39 - - [18/Sep/2001:08:20:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 212 "" ""
216.95.249.5 - - [18/Sep/2001:08:24:22 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 212 "" ""
216.95.249.5 - - [18/Sep/2001:08:24:23 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 212 "" ""
I've seen these every once in a while but today
it comes from alot of different IP addresses and it seem
to mimic the default.ida attacks such that you
see it from all random ip addresses and its every
few seconds.
I wonder if this is another virus which now executes this
command from servers affected.
Or could it be someone is IP spoofing and fooling
aolserver to log a different Ip address in the logs?
--
Freddie Mendoza
[EMAIL PROTECTED]
Search Engine for Cheap Books
http://satori.com/cheapbooks
