Re: [cobalt-users] Raq4 Intrusion
- Subject: Re: [cobalt-users] Raq4 Intrusion
- From: "Jelmer Jellema" <cobalt@xxxxxxxxxxxxxxx>
- Date: Thu Feb 14 03:01:56 2002
- Organization: Spin in het Web (www.spininhetweb.nl)
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>
> Hi
> Any ideas on nature of this intrusion:-
> "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 228 "-" "-"
> "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 226 "-" "-"
> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 236 "-" "-"
> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 236 "-" "-"
etc. etc.
This is Code Red, isn't it? A virus that lives in Microsoft webservers. The
real question is: anyone got a good idea to get rid of them?
For now, I just try to make webalizer ignore lines like that by putting in:
IgnoreURL /scripts/..*
Just to get more realistic hit counts for them. Not really successful. It
seems webalizer is counting not found hits (which I think is strange).
But in the meantime logs are overflowing, and this virus just does not seem
to die.
Any thoughts?
Jelmer
-----------------------------------------------------------------
Jelmer Jellema - Spin in het Web
www.spininhetweb.nl
Spin in het Web: All the Strings in Hand
-----------------------------------------------------------------
Spin in het Web is the producer of:
www.visinhetnet.nl: Not the Latest News
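
One way to keep probe requests like those quoted above out of the statistics, as an added example that is not part of the original post: filter the access log before the statistics tool reads it, and count the probes per client. The function names, log layout (Apache common/combined format) and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Request part of an Apache common/combined log entry: "METHOD path PROTO" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# The quoted requests all ask for a Windows command interpreter; a non-Windows
# server has no legitimate URL whose path ends in one of these names.
PROBE_RE = re.compile(r'/(root|cmd)\.exe$', re.IGNORECASE)

def is_probe(line):
    """True if the log line requests root.exe or cmd.exe (query string ignored)."""
    m = REQUEST_RE.search(line)
    if not m:
        return False  # unparseable lines are kept, not silently dropped
    path = m.group("path").split("?", 1)[0]
    return bool(PROBE_RE.search(path))

def split_log(lines):
    """Return (clean_lines, probe_count_per_client_address)."""
    clean, probes = [], Counter()
    for line in lines:
        if is_probe(line):
            probes[line.split(" ", 1)[0]] += 1  # first field is the client address
        else:
            clean.append(line)
    return clean, probes

# Constructed sample input (documentation-range addresses, made-up timestamps).
SAMPLE = [
    '192.0.2.10 - - [14/Feb/2002:02:10:01 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 228 "-" "-"',
    '192.0.2.10 - - [14/Feb/2002:02:10:02 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 236 "-" "-"',
    '198.51.100.7 - - [14/Feb/2002:02:11:30 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [14/Feb/2002:02:12:05 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 226 "-" "-"',
    '198.51.100.7 - - [14/Feb/2002:02:12:40 +0100] "GET /download/setup.exe HTTP/1.0" 404 280 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    clean, probes = split_log(SAMPLE)
    print("\n".join(clean))          # filtered log for the statistics run
    for client, count in probes.most_common():
        print(f"# {client}: {count} probe requests")
```

Matching on the requested file name rather than on a directory prefix also catches the same probe under other paths, while an ordinary `.exe` download is left in the log.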