If you see a log entry that looks like

> This log entry (and other like it):
> 01:26:12 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200

You have been hit!

The Nimda worm makes use of a hole that was patched in Win2K SP2.  It looks
like you do not already have the patch.  The hole is a bug in IIS (Can of
worms) where it did not realise %5c was a slash and promptly allowed access
to the machine outside of a virtual directory.  It has nothing to do with
setting up virtual directories to the system32 directory.

Regards,
Dennis.


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 4 October 2001 16:43
> To: Multiple recipients of list offtopic
> Subject: Re: [DUG-OFFTOPIC]: tftp.exe - Continued
>
>
> > The place is usual winnt\system32.
>
> This log entry (and other like it):
> 01:26:12 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
>
> show that there is (or was) a cmd.exe that could successfully
> be reached via an HTTP get to your IIS server.
>
> If you don't have a rogue copy of cmd.exe sitting in your
> scripts directory (or someplace downstream from your document root)
> then perhaps you have a "virtual directory" defined
> that maps your \winnt\system32 directory to an accessible
> webserver path.   You could check for this by looking in
> your IIS configuration.
>
> The above log entry is pretty convincing.    A file called cmd.exe
> is/was "reachable" via GET.    A properly constructed GET with
> parameters could send that cmd.exe any command it wanted to.
>
> -ns
>
> > This address was used for the last 2 days. Before there were others. Each used
> > around 40 times, then another address is taken.
> >
> > 203.173.177.17 belongs to IHUG but what exactly it is I do not know.
>
> it could just be some other IHUG subscriber with an infected workstation
> running IIS that hits you while you're both dialed into the ISP.
>
> Nimda probes "similar" IP addresses with higher probability than
> random addresses - so it tends to attack "neighbors".
>
> -ns
>
> ---------------------------------------------------------------------------
>   New Zealand Delphi Users group - Offtopic List - [EMAIL PROTECTED]
>                   Website: http://www.delphi.org.nz
> To UnSub, send email to: [EMAIL PROTECTED]
> with body of "unsubscribe offtopic"
> Web Archive at: http://www.mail-archive.com/offtopic%40delphi.org.nz/
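The log line discussed in the thread is easy to spot by eye, but Nimda sent many
encoded variants of the same traversal, so a small detector that decodes the
request path the way the file system underneath IIS effectively did, and then
checks whether the path climbs out of its virtual directory, is more useful than
grepping for "cmd.exe". The script below is an added example, not code from
either poster. It goes beyond the thread's single %5c case by also handling the
double-encoded (%255c) and overlong-UTF-8 (%c0%af and friends) forms Nimda used;
the log lines in SAMPLE_LOG are constructed for the example (only the first is
the thread's own entry), and the log layout assumed is the "time client-ip method
uri status" layout of that entry.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in the "time client-ip method uri status" layout of the
# entry quoted in the thread. The first line is the thread's own entry; the
# others are made up here: a double-encoded probe, an overlong-UTF-8 probe that
# the server refused, and two lines of normal traffic.
SAMPLE_LOG = """\
01:26:12 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe 200
01:26:13 203.173.177.17 GET /scripts/..%255c../winnt/system32/cmd.exe 200
01:26:14 203.173.177.17 GET /scripts/..%c0%af../winnt/system32/cmd.exe 404
01:27:01 10.0.0.5 GET /index.htm 200
01:27:02 10.0.0.5 GET /images/logo.gif 304
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$"
)

# Overlong UTF-8 spellings of '/' and '\' that the IIS traversal bug let through.
# The thread only shows %5c; this mapping is an addition of the example.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}


def decode_path(uri: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times (catches %255c -> %5c -> '\\'), map
    overlong UTF-8 separators, and treat backslashes as slashes."""
    raw = uri.split("?", 1)[0].encode("latin-1")
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for enc, plain in OVERLONG.items():
        raw = raw.replace(enc, plain)
    return raw.decode("latin-1").replace("\\", "/")


def escapes_vdir(path: str) -> bool:
    """True if the decoded path climbs above its first segment, i.e. out of the
    virtual directory it was requested under (e.g. /scripts/../..)."""
    segs = [s for s in path.split("/") if s not in ("", ".")]
    depth = 0
    for seg in segs:
        depth = depth - 1 if seg == ".." else depth + 1
        if depth < 1:
            return True
    return False


def scan(log_text: str):
    """Return one record per log line whose decoded path leaves its vdir."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = decode_path(m["uri"])
        if escapes_vdir(path):
            hits.append({
                "time": m["time"], "ip": m["ip"], "uri": m["uri"],
                "path": path, "status": m["status"],
                # A 200 is the worrying case: IIS found and served the target.
                "served": m["status"] == "200",
            })
    return hits


def by_source(hits):
    """Per client address: (traversal probes seen, probes answered with 200)."""
    probes, served = Counter(), Counter()
    for h in hits:
        probes[h["ip"]] += 1
        if h["served"]:
            served[h["ip"]] += 1
    return {ip: (probes[ip], served[ip]) for ip in probes}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        flag = "HIT (served)" if h["served"] else "probe (blocked)"
        print(f"{h['time']} {h['ip']} {flag}: {h['uri']} -> {h['path']}")
    print(by_source(found))
```

Run it against a real IIS log by feeding the file contents to `scan()`; a 200
against a decoded path that leaves its virtual directory is the same evidence
the thread calls "pretty convincing", while 404s from the same address show the
probing without a successful execution.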
