> The place is usual winnt\system32.

This log entry (and others like it):
01:26:12 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200

shows that there is (or was) a cmd.exe that could successfully
be reached via an HTTP GET to your IIS server.

If you don't have a rogue copy of cmd.exe sitting in your
scripts directory (or someplace downstream from your document root)
then perhaps you have a "virtual directory" defined
that maps your \winnt\system32 directory to an accessible
webserver path. You could check for this by looking in
your IIS configuration.

The above log entry is pretty convincing. A file called cmd.exe
is/was "reachable" via GET. A properly constructed GET with
parameters could send that cmd.exe any command it wanted to.

-ns

> This address was used for last 2 days. Before there were others. Each used
> around 40 times, then another address is taken.
>
> 203.173.177.17 belongs to IHUG but what exactly it is I do not know.

it could just be some other IHUG subscriber with an infected workstation
running IIS that hits you while you're both dialed into the ISP.

Nimda probes "similar" IP addresses with higher probability than
random addresses - so it tends to attack "neighbors".

-ns
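An added example (my own, not part of the thread) that runs the check -ns describes over IIS log lines in the quoted format: it decodes the %5c backslash, flags a traversal that reaches cmd.exe, and counts per source address how many of those probes returned 200. Apart from the line quoted in the post, the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample log in the format quoted above: time, client IP, method,
# URI, status. The first line is the one from the post; the rest are made up
# to show a blocked probe, an ordinary request, and a repeat from the same IP.
SAMPLE_LOG = """\
01:26:12 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
01:26:40 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 404
01:27:02 10.0.0.5 GET /index.htm 200
01:27:15 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def normalize_path(uri):
    """Percent-decode the URI and turn backslashes into forward slashes,
    so '..%5c..' reads as '../..' like any other traversal."""
    return unquote(uri).replace("\\", "/").lower()

def is_traversal_to_cmd(uri):
    """True when the decoded path walks upward with '..' and ends in cmd.exe."""
    path = normalize_path(uri)
    return "/../" in path and path.endswith("/cmd.exe")

def analyze(log_text):
    """Return {ip: {"attempts": n, "succeeded": m}} for traversal probes only.
    A non-zero 'succeeded' means cmd.exe was reachable, as -ns points out."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _time, ip, _method, uri, status = m.groups()
        if not is_traversal_to_cmd(uri):
            continue
        entry = report.setdefault(ip, {"attempts": 0, "succeeded": 0})
        entry["attempts"] += 1
        if status == "200":
            entry["succeeded"] += 1
    return report

if __name__ == "__main__":
    for ip, stats in analyze(SAMPLE_LOG).items():
        print(ip, stats)
```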

---------------------------------------------------------------------------
  New Zealand Delphi Users group - Offtopic List - [EMAIL PROTECTED]
                  Website: http://www.delphi.org.nz
Web Archive at: http://www.mail-archive.com/offtopic%40delphi.org.nz/