From: Louis LeBlanc
Date: Tue, 13 Nov 2001 23:00:56 -0500
To: freebsd-questions@FreeBSD.org
Subject: Re: Do these errors mean my system is comprimised?
Message-ID: <20011114040055.GB25941@keyslapper.org>
In-Reply-To: <0111131938440F.60958@chip.wiegand.org>
References: <0111131938440F.60958@chip.wiegand.org>
User-Agent: Mutt/1.3.23.1i
X-PGP-Fingerprint: 4EA2 24FF 41B0 0258 9A54 9309 7803 D662 B364 4562

On 11/13/01 07:38 PM, Chip sat at the `puter and typed:
> I found the following on my apache/freebsd/php/mysql server in my log after
> running analog -
> Looks like someone planted something that wants NT to work correctly -
>
> 111: /scripts/..%255c../winnt/system32/cmd.exe
> 111: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> 106: /scripts/..%5c../winnt/system32/cmd.exe
> 106: /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
> 66: /scripts/root.exe
> 66: /scripts/root.exe?/c+dir
> 64: /MSADC/root.exe
> 64: /MSADC/root.exe?/c+dir
> 62: /c/winnt/system32/cmd.exe
> 62: /c/winnt/system32/cmd.exe?/c+dir
> 59: /d/winnt/system32/cmd.exe
> 59: /d/winnt/system32/cmd.exe?/c+dir
> 56: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> 56: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> 56: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
> 56: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> 56: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> 56: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> 55: /scripts/..%c1%1c../winnt/system32/cmd.exe
> 55: /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> 54: /scripts/winnt/system32/cmd.exe
> 54: /scripts/winnt/system32/cmd.exe?/c+dir
> 54: /scripts/..%c1%9c../winnt/system32/cmd.exe
> 54: /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> 54: /scripts/..%c0%af../winnt/system32/cmd.exe
> 54: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> 51: /scripts/..%252f../winnt/system32/cmd.exe
> 51: /scripts/..%252f../winnt/system32/cmd.exe?/c+dir

This is the footprint of the Nimda virus *trying* to infect your system. You can find links to specific info on what Nimda tries to do on Google, if you want to sort thru a million hits.

You can also get info on how an Apache installation can handle these (or not handle them) at http://www.keyslapper.org/modules/

Look for the Apache::Nimda page; even if you don't want to report it to abuse and SecurityFocus, there are config ideas that will help you reduce the impact on your log file size.

Also, look for the Apache::404 module. It will handle those misses and notify you via email - once per period for each URL. It can help you keep track of Nimda's impact on your server, and keep dead links tied up.

Enough of the shameless plug. Check it out.

HTH
Lou

-- 
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Bershere's Formula for Failure:
There are only two kinds of people who fail: those who listen to nobody... and those who listen to everybody.
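The request paths quoted above are the classic IIS directory-traversal and root.exe probes that Nimda sends to every web server it finds, and on a FreeBSD/Apache box they only ever produce 404s. The script below is an added example (not code from the thread, and not Lou's Apache::Nimda or Apache::404 modules): it parses Apache "combined" log lines, undoes the double-encoding (%255c) and the malformed "UTF-8" sequences (%c0%af, %c1%1c, %c1%9c) so the path reads the way IIS would have interpreted it, tags each request with the indicators it matches, and counts hits per path and per source host the way analog's report does. The log lines, hosts and timestamps are constructed sample data, and the indicator names are this example's own.

```python
"""Tag Nimda-style IIS probe requests in Apache access logs.

Added example using constructed sample data; the tag names and the
regexes below are this script's own, not part of any Apache module.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Fields of the Apache "combined"/"common" format that the scan needs.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Malformed "UTF-8" byte sequences from the thread: %c0%af was decoded by
# vulnerable IIS builds as '/', and %c1%1c / %c1%9c as '\'.  Apache treats
# them as opaque bytes, so we map them to '/' ourselves before decoding.
OVERLONG_RE = re.compile(r'%c0%af|%c1%1c|%c1%9c', re.I)

# A '%25' followed by two hex digits is a percent sign that was encoded
# twice (e.g. %255c -> %5c -> '\'), the "double decode" trick.
DOUBLE_ENC_RE = re.compile(r'%25[0-9a-f]{2}', re.I)


def normalize(path: str) -> str:
    """Return the path as a naive server would have seen it after decoding.

    Overlong sequences become '/', percent-decoding is repeated until it
    reaches a fixed point (so double-encoding is undone), backslashes are
    folded into '/', and the result is lower-cased for matching.
    """
    decoded = OVERLONG_RE.sub('/', path)
    for _ in range(3):  # three rounds is plenty; %25252f would need two
        again = unquote(decoded, encoding='latin-1')
        if again == decoded:
            break
        decoded = again
    return decoded.replace('\\', '/').lower()


def classify(path: str) -> set:
    """Return the set of probe indicators the raw request path matches.

    An empty set means nothing in the path looks like an IIS probe.
    """
    tags = set()
    if OVERLONG_RE.search(path):
        tags.add('overlong-utf8')
    if DOUBLE_ENC_RE.search(path):
        tags.add('double-encoded')
    norm = normalize(path)
    if '../' in norm:
        tags.add('traversal')
    if 'cmd.exe' in norm:
        tags.add('cmd.exe')
    if 'root.exe' in norm:          # the backdoor Code Red II left behind
        tags.add('root.exe-backdoor')
    return tags


def scan(lines):
    """Parse log lines; return (hits per raw path, hits per client host) for flagged requests."""
    hits, hosts = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank line or a format we do not understand
        if classify(m['path']):
            hits[m['path']] += 1
            hosts[m['host']] += 1
    return hits, hosts


# Constructed sample log; the hosts, times and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Nov/2001:19:01:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207
10.0.0.5 - - [13/Nov/2001:19:01:03 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 207
10.0.0.7 - - [13/Nov/2001:19:02:10 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207
192.0.2.9 - - [13/Nov/2001:19:03:00 -0500] "GET /index.php?page=2 HTTP/1.1" 200 5120
10.0.0.5 - - [13/Nov/2001:19:04:11 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207
"""

if __name__ == '__main__':
    hits, hosts = scan(SAMPLE_LOG.splitlines())
    print('probe requests by path (analog style):')
    for path, n in hits.most_common():
        print(f'{n:>5}: {path}   tags={sorted(classify(path))}')
    print('probe requests by client:')
    for host, n in hosts.most_common():
        print(f'{n:>5}: {host}')
```

Run it against a real access_log by replacing `SAMPLE_LOG.splitlines()` with the open file. The per-host counter is the useful part for the "abuse report" angle Lou mentions: a machine that hammers every one of these paths is an infected IIS host, not a person, and the counts let you see how much of your log volume the worm accounts for before you decide whether a RewriteRule or a custom 404 handler is worth the trouble.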