On Thu, 17 Jan 2002, Marc Suxdorf wrote: > Hi everyone > > I have to administer our small company network in my spare time which > hopefully explains my little security knowledge... > I have just come across a scary entry in our Windows 2000 Server Internet > Information Services 5.0 log: > > 2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET /scripts/root.exe > /c+dir 403 www - > 2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET /MSADC/root.exe /c+dir > 403 www - > 2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET > /c/winnt/system32/cmd.exe /c+dir 403 www - > 2002-01-17 10:53:03 62.161.107.167 - 10.10.1.1 80 GET > /d/winnt/system32/cmd.exe /c+dir 403 www - > 2002-01-17 10:53:18 62.161.107.167 - 10.10.1.1 80 GET > /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403 www - > > Is someone currently executing terrible things on our server?
looks like nimda?
