[Dshield] RE: Web server attempt
James C. Slora, Jr.
Jim.Slora at phra.com
Tue Jul 2 17:26:09 GMT 2002
Sue Young wrote on Tuesday, July 02, 2002 10:43 AM:
>This is the first time I've ever gotten hit from El Salvador - This guy is
>still hitting my web server today. This is just a sample:
>2002-07-01 22:39:02 220.127.116.11 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe
>/c+dir 404 -
The traffic you logged looks like plain old Nimda.
It's dangerous, but it is probably not a conscious attack (Nimda repeats
these 16 steps, with the same exploit attempts you logged). Even if it is a
manual attack, the same protections apply - keep your IIS or PWS patched and
locked down, block attackers' IPs if desired, report it to the attacker's ISP
as a Nimda infection if you want.
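
Added example, not part of the original message: a small Python check that scans IIS log lines in the field order of the quoted sample for `root.exe`/`cmd.exe` requests with a `/c+` query, counts them per source address, and flags any that did not return an error status. The sample lines and addresses are constructed, and matching `cmd.exe` is an assumption beyond the single request quoted in the post.

```python
from collections import defaultdict

# Field order assumed from the sample line quoted in the post.
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status", "extra")

# root.exe is the request shown in the post; cmd.exe is an added assumption.
PROBE_BINARIES = ("root.exe", "cmd.exe")

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2002-07-01 22:39:02 198.51.100.7 - 192.0.2.10 80 GET /scripts/root.exe /c+dir 404 -",
    "2002-07-01 22:39:03 198.51.100.7 - 192.0.2.10 80 GET /MSADC/root.exe /c+dir 404 -",
    "2002-07-01 22:40:11 203.0.113.9 - 192.0.2.10 80 GET /scripts/root.exe /c+dir 200 -",
    "2002-07-01 22:41:00 192.0.2.55 - 192.0.2.10 80 GET /index.html - 200 -",
]

def parse_line(line):
    """Return a dict of fields, or None for directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def is_probe(rec):
    """True when the request targets a command shell binary with a /c+ query."""
    stem = rec["uri_stem"].lower()
    query = rec["uri_query"].lower()
    return stem.endswith(PROBE_BINARIES) and query.startswith("/c+")

def summarize(lines):
    """Count probes per source IP and list those answered without an error."""
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec):
            continue
        entry = report[rec["c_ip"]]
        entry["probes"] += 1
        # A 4xx/5xx status means the probe failed; anything else needs a look.
        if not rec["status"].startswith(("4", "5")):
            entry["answered"].append(rec["uri_stem"])
    return dict(report)

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        flag = "INVESTIGATE" if info["answered"] else "blocked"
        print(ip, info["probes"], flag, info["answered"])
```

Sources whose probes all returned 404 match the situation in the quoted log; a source with a non-error status is the case where the server itself needs checking.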