That's Nimda. If you are remotely current on patches, then you aren't
vulnerable.

From the log you posted it looks like you aren't vulnerable. If you had
been, then they wouldn't have all been 403/404's (anyone know about the
500's that showed up, though?) and the Unicode characters would have been
logged as '/' instead of %5c, etc.

Here's a page on Nimda, with a web server log excerpt that should look
familiar.

http://www.ntsecrets.com/info/nimda.htm

> -----Original Message-----
> From: Steve Weitzman [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 01, 2002 10:14 PM
> To: [EMAIL PROTECTED]
> Subject: log question
>
>
> Over the last few days I have seen the same 15 or so lines appear in my
> MS2000 web logs several times.  They are obvious hack attempts.
> What I need to know is whether this is a new exploit or one that I am
> already patched against. I have what I believe to be the latest patches
> from the Microsoft website.
>
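
Added example, not part of the original thread: a small log triage that applies the status-code check described in the reply, separating probe requests the server rejected with 403/404 from probes that returned anything else and need a closer look. The four-field log layout, the sample lines (constructed here) and the function name `triage` are assumptions; real IIS W3C logs carry more fields, so adjust the indexes.

```python
import re
from collections import Counter

# Constructed sample in a simplified "method uri-stem uri-query status" layout.
SAMPLE_LOG = """\
GET /scripts/root.exe /c+dir 404
GET /MSADC/root.exe /c+dir 404
GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 500
GET /default.htm - 200
GET /_vti_bin/..%5c../..%5c../winnt/system32/cmd.exe /c+dir 403
"""

# Probe markers: a request for cmd.exe/root.exe, or an encoded backslash (%5c, %255c).
PROBE = re.compile(r"(cmd|root)\.exe|%(25)?5c", re.IGNORECASE)


def triage(log_text):
    """Return (counts, review): per-bucket counts and the probe lines to inspect."""
    counts, review = Counter(), []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 4:
            continue  # skip W3C header lines and short/blank lines
        uri, status = fields[1], fields[-1]
        if not PROBE.search(uri):
            counts["not_probe"] += 1
        elif status in ("403", "404"):
            counts["rejected"] += 1  # server refused or could not find the target
        else:
            counts["review"] += 1  # 500s, or a 200, land here
            review.append((status, uri))
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    print(dict(counts))
    for status, uri in review:
        print("review:", status, uri)
```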

