Alex,
Hi. We put a machine on the internet for 12 hours and the next morning recorded over 2000 of these hits. We traced one of them back to a Korean web site (Sam Sung) and were promptly notified by Norton Antivirus that the web server had been infected by the Nimda worm.

Check your logs and if replies are 500 or 404, the worm hasn't managed to get in.

root.exe is a result of Code Red II. It copies cmd.exe to a number of different places, renaming it to root.exe along the way. The Nimda worm has many ways of replicating and one of them is to hit this vulnerability left by Code Red II.

The good news is if you have all the latest patches, and haven't been infected by Code Red before, you are quite safe against Nimda.

BTW, you can change the port number that IIS listens on and still continue your ASP test, as Nimda and Code Red always hit port 80. If you use NT, you also have the option of blocking port 80 (but still have it accessible to localhost).

Regards,
Dennis.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 4 October 2001 15:16
> To: Multiple recipients of list offtopic
> Subject: Re: [DUG-OFFTOPIC]: tftp.exe - Continued
>
>
> > I think the patch isn't enough if you have command shells lying around
> > in places where they can be reached via a URL into your document root.
>
> Since I used IIS for local ASP testing only, I have simply de-installed it
> for now.
>
> > I'm not sure how you find them all. They won't always be called
> > cmd.exe - CodeRed left something called root.exe (I think).
>
> I checked all cmd.exes around, they are all the same. I scanned _all_ exes
> trying to find any similar to cmd.exe (by matching some of its internals).
> Nothing similar. All I have are original cmd.exes. No root.exes around.
>
> If _it_ is there then where is it?
>
> Could it be so that outside NIMDA was trying to get a bad admin.dll down to
> me by somehow running my cmd.exe/tftp.exe, but never succeeded?
> How did it do it?
> Why did it not succeed?
>
> What is the purpose of this request logged by my IIS?
> 02:25:11 203.173.177.17 GET /scripts/..%2f../Admin.dll 500
>
> I got this entry all over my IIS log files for the last 2 weeks.
> Is this to check if infected admin.dll finally got to my PC?
>
> Regards
> Alex
>
> ---------------------------------------------------------------------------
> New Zealand Delphi Users group - Offtopic List - [EMAIL PROTECTED]
> Website: http://www.delphi.org.nz
> To UnSub, send email to: [EMAIL PROTECTED]
> with body of "unsubscribe offtopic"
> Web Archive at: http://www.mail-archive.com/offtopic%40delphi.org.nz/
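Dennis's rule of thumb (a 404 or 500 on a root.exe, cmd.exe or Admin.dll request means the probe was not served, while a 200 on one of those paths deserves a closer look) can be applied mechanically to an IIS log rather than by eye. The script below is an added example written for this thread, not code posted by Dennis, Alex or the list. It assumes the log layout of the entry Alex quoted (time, client IP, method, URI, status), decodes the URI up to twice so that single- and double-encoded traversal sequences are seen as "../", and uses an indicator list that is an assumption drawn only from the file names discussed above. The sample log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed indicator list: the file names discussed in the thread. Matched
# against the decoded, lower-cased path. Extend it from your own logs.
INDICATORS = ("root.exe", "cmd.exe", "admin.dll")

# A parent-directory step once the URI has been decoded and backslashes
# normalised to forward slashes.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Log layout as quoted in the thread: "02:25:11 <ip> GET <uri> 500".
LOG_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)

# Constructed sample log (not from the thread); 192.0.2.x and 198.51.100.x
# are documentation addresses, so nothing here points at a real host.
SAMPLE_LOG = """\
02:25:11 192.0.2.10 GET /scripts/..%2f../Admin.dll 500
02:25:12 192.0.2.10 GET /scripts/root.exe 404
02:25:13 192.0.2.10 GET /scripts/..%252f../winnt/system32/cmd.exe 200
02:26:40 198.51.100.7 GET /index.asp 200
02:27:02 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe 404
"""


def parse_line(line):
    """Split one log line into a dict, or return None if it does not fit the layout."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode_path(uri):
    """Percent-decode up to twice (catches %252f -> %2f -> /), normalise slashes, lower-case."""
    cur = uri
    for _ in range(2):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/").lower()


def classify(rec):
    """Return (indicator, outcome) for a worm-style probe, or None for a normal request.

    outcome follows Dennis's rule: anything but a 200 means the request was
    not served; a 200 on one of these paths is the case worth investigating.
    """
    path = decode_path(rec["uri"])
    hit = next((name for name in INDICATORS if name in path), None)
    if hit is None and TRAVERSAL.search(path):
        hit = "traversal"
    if hit is None:
        return None
    outcome = "served" if rec["status"] == 200 else "not served"
    return hit, outcome


def scan(lines):
    """Count probes per source address and collect the ones the server answered with 200."""
    per_ip = Counter()
    served = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        result = classify(rec)
        if result is None:
            continue
        indicator, outcome = result
        per_ip[rec["ip"]] += 1
        if outcome == "served":
            served.append((rec["ip"], rec["uri"], indicator))
    return per_ip, served


if __name__ == "__main__":
    counts, answered = scan(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip}: {n} probe(s)")
    for ip, uri, indicator in answered:
        print(f"SERVED (investigate): {ip} {uri} [{indicator}]")
```

Note the fifth sample line: the %c0%af form does not decode to a clean "../" (Python replaces the malformed byte sequence), so the traversal check alone would miss it; it is still caught because the decoded path contains cmd.exe. That is why the file-name indicators and the traversal check are applied together. On a real log, the only lines worth reading closely are the ones reported as SERVED.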
