Re: [cobalt-users] Extensive Hack Attack - Was C drive hack

["Imme Networks Administration" <admin@xxxxxxxxxxx>]

This is Nimda, we are affected by it and there seems to be no patch unless
you want to pay for it as of right now.  It is only effecting NT machines.

Frank
----- Original Message -----
From: "Nell Bolen" <nell@xxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Tuesday, September 18, 2001 11:53 AM
Subject: Re: [cobalt-users] Extensive Hack Attack - Was C drive hack


>
>
> David Thurman wrote:
>
> > on 9-18-01 8:49 AM, Paul Alcock at webmgr@xxxxxxxxxxxxxxxxxx was
reported to
> > have made a statement that said this:
> >
> > >> I am getting a lot of these logged on every IP routed to my
> > >> machine that has
> > >> a site.
> > >>
> > >> www.site.com 216.234.235.118 - - [18/Sep/2001:06:49:52 -0700] "GET
> > >> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
"-" "-"
> > >>
> > >> www.site.com 216.234.199.92 - - [18/Sep/2001:06:51:19 -0700] "GET
> > >> /MSADC/root.exe?/c+dir HTTP/1.0" 302 231 "-" "-"
> > >>
> > >> www.adifferentsite.com 66.12.10.51 - - [18/Sep/2001:06:51:16 -0700]
"GET
> > >> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302
> > >> 254 "-" "-"
> > > Ditto, the frequency is much worse than code red or code red II
> > > I'm guessing that I'm logging more than 100 per minute.
> > > Major pain. Anyway to detect the origin or at least a waypoint?
> > >
> > >
> > > --sig
> > > Paul Alcock
>
> Ditto, we are too. What do the lines mean exactly? Since 9 a.m. and still
going
> on I guess, my log shows tons of calls like this from the same IP, and
also very
> many different IPs doing the multi calls. Please enlighten, and thank you.
>
> Regards, Nell Bolen
>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>