[Dshield] RE: Web server attempt

James C. Slora, Jr. Jim.Slora at phra.com
Tue Jul 2 17:26:09 GMT 2002

Sue Young wrote on Tuesday, July 02, 2002 10:43 AM:

>This is the first time I've ever gotten hit from El Salvador -  This guy is
>still hitting my web server today.  This is just a sample:

>2002-07-01 22:39:02 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 -

The traffic you logged looks like plain old Nimda.

It's dangerous, but it is probably not a conscious attack (Nimda repeats
these 16 steps, with the same exploit attempts you logged). Even if it is a
manual attack, the same protections apply - keep your IIS or PWS patched and
locked down, block attackers' IPs if desired, report it to the attacker's ISP
as a Nimda infection if you want.

- Jim
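
Added example, not part of the original message: one way to triage log entries like the one quoted above, grouping root.exe/cmd.exe "/c+" probes by source address so that automated, worm-like bursts stand out and any probe that did not get a 404 is surfaced. It assumes the field order of the quoted line (date, time, user, address, port, method, URI stem, URI query, status) and that the fourth field is the client address; the sample lines, addresses and thresholds are constructed, and the cmd.exe paths come from publicly documented Nimda behaviour rather than from this thread.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the field layout of the quoted entry:
# date time user ip port method uri-stem uri-query status extra
SAMPLE_LOG = """\
2002-07-01 22:39:02 - 192.0.2.10 80 GET /scripts/root.exe /c+dir 404 -
2002-07-01 22:39:03 - 192.0.2.10 80 GET /MSADC/root.exe /c+dir 404 -
2002-07-01 22:39:04 - 192.0.2.10 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-07-01 22:40:11 - 198.51.100.7 80 GET /index.html - 200 -
2002-07-01 22:41:30 - 198.51.100.7 80 GET /scripts/root.exe /c+dir 404 -
"""
PROBE_TARGETS = ("root.exe", "cmd.exe")  # executables the probes ask for

def parse_line(line):
    """Return a dict for one log line, or None for headers and junk."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 9:
        return None
    try:
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return {"time": when, "ip": parts[3], "stem": parts[6].lower(),
            "query": parts[7].lower(), "status": parts[8]}

def is_probe(entry):
    # A command shell requested over HTTP with a "/c+<command>" query.
    return entry["stem"].endswith(PROBE_TARGETS) and entry["query"].startswith("/c+")

def summarize(log_text, min_paths=3, window_seconds=60):
    """Per-source summary: probe count, distinct paths, burst flag, non-404 hits."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_probe(entry):
            by_ip[entry["ip"]].append(entry)
    report = {}
    for ip, hits in by_ip.items():
        times = [e["time"] for e in hits]
        stems = {e["stem"] for e in hits}
        span = (max(times) - min(times)).total_seconds()
        report[ip] = {"probes": len(hits), "distinct_paths": len(stems),
                      "worm_like": len(stems) >= min_paths and span <= window_seconds,
                      "not_404": [e["stem"] for e in hits if e["status"] != "404"]}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Any entry listed under not_404 means the server answered a shell request with something other than "not found" and should be investigated before anything else.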

