From owner-freebsd-questions Tue Nov 13 22:36:21 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from lv.raad.tartu.ee (lv.raad.tartu.ee [194.126.106.110])
	by hub.freebsd.org (Postfix) with ESMTP id A72D237B405
	for ; Tue, 13 Nov 2001 22:36:16 -0800 (PST)
Received: Message by Barricade lv.raad.tartu.ee with ESMTP id fAE6aEv01550;
	Wed, 14 Nov 2001 08:36:14 +0200
Message-Id: <200111140636.fAE6aEv01550@lv.raad.tartu.ee>
Received: from SpoolDir by INFO (Mercury 1.48); 14 Nov 01 08:35:25 +0200
From: "Toomas Aas"
Organization: Tartu City Government
To: freebsd-questions@FreeBSD.ORG, Chip
Date: Wed, 14 Nov 2001 08:35:20 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Do these errors mean my system is comprimised?
In-reply-to: <0111131938440F.60958@chip.wiegand.org>
X-info: Headers changed by Barricade
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi Chip!

On 13 Nov 01 at 19:38 you wrote:

> I found the following on my apache/freebsd/php/mysql server in my log after
> running analog -
> Looks like someone planted something that wants NT to work correctly -
>
> 111: /scripts/..%255c../winnt/system32/cmd.exe
> 111: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> 106: /scripts/..%5c../winnt/system32/cmd.exe

[...snip...]

Someone attempted to exploit the Nimda worm against your server. Since
you are not running Microsoft IIS (I hope!), your system has nothing to
fear from it (except flooding the logfiles with junk).

-- 
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* To define recursion, we must first define recursion.
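
Added example, not part of the original message: one way to confirm from an Apache access log that probes like the ones quoted above were only noise, by counting them per client and checking that none was answered with a 2xx status. It assumes Common Log Format; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache Common Log Format (not from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Nov/2001:19:01:02 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [13/Nov/2001:19:01:03 -0800] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
198.51.100.7 - - [13/Nov/2001:19:05:40 -0800] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [13/Nov/2001:19:05:41 -0800] "GET /docs/cmd.exe-howto.html HTTP/1.1" 200 812
192.0.2.44 - - [13/Nov/2001:19:09:15 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 400 301
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_iis_traversal_probe(url):
    """True if the decoded path climbs out of a directory and ends at cmd.exe."""
    path = fully_decode(url.split("?", 1)[0]).replace("\\", "/").lower()
    return "/../" in path and path.endswith("/cmd.exe")

def summarize(log_text):
    """Return (probe count per client IP, probes answered with 2xx)."""
    per_ip, answered = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, url, status = m.groups()
        if is_iis_traversal_probe(url):
            per_ip[ip] += 1
            if status.startswith("2"):
                answered.append((ip, url))
    return per_ip, answered

if __name__ == "__main__":
    per_ip, answered = summarize(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} probe(s)")
    print("probes answered with 2xx:", answered or "none")
```

An empty "answered" list matches the reply above: the requests reached the server but nothing was served for them.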