Just Another Blog

Are you thinking what I'm thinking?

Thursday, July 08, 2004

Worm!

My Windows (IIS) box was under worm attack! The worm was Nimda and it had already generated about 215 hits.

Apparently it was trying to find my cmd.exe so as to take control of my Windows box. A few samples appeared in the Error 404 statistics:

  • /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /exchange/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /_mem_bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /_vti_bin/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /exchange/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /cgi/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /PBServer/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /cgi/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /scripts/..%5c..%5cwinnt/system32/cmd.exe
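A defender's view of the 404 entries above, as an added example that is not part of the original post: a small Python log filter that percent-decodes each request path, treats a backslash as a path separator, and flags requests whose `..` segments climb above the web root and end at cmd.exe. The Common Log Format lines, the client addresses, and the function names are assumptions constructed for illustration; only the request paths come from the list above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (Common Log Format assumed; addresses are documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jul/2004:10:01:02 +0000] "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe HTTP/1.0" 404 312
192.0.2.10 - - [08/Jul/2004:10:01:03 +0000] "GET /_vti_bin/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe HTTP/1.0" 404 312
198.51.100.7 - - [08/Jul/2004:10:02:00 +0000] "GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe HTTP/1.0" 404 312
203.0.113.5 - - [08/Jul/2004:10:03:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 1024
203.0.113.5 - - [08/Jul/2004:10:03:05 +0000] "GET /downloads/cmd.exe.txt HTTP/1.1" 200 88
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+)')

def normalize(path, max_rounds=3):
    """Drop the query string, percent-decode, and treat backslash like '/'."""
    path = path.split("?", 1)[0]
    # Decode a few rounds so nested percent-encoding cannot hide a separator.
    for _ in range(max_rounds):
        path = unquote(path)
    return path.replace("\\", "/").lower()

def escapes_root(path):
    """True if the '..' segments climb above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def is_probe(raw_path):
    """Flag a traversal out of the web root that ends at cmd.exe."""
    p = normalize(raw_path)
    return escapes_root(p) and p.endswith("/cmd.exe")

def scan(log_text):
    """Return a Counter of probe hits per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and is_probe(m.group(2)):
            hits[m.group(1)] += 1
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Matching on the normalized path rather than on the literal `%5c` string keeps the two benign lines (an in-root `..` and a file merely named like cmd.exe) out of the count.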

1 Comments:

  • At 5/26/2005 07:44:00 am, Blogger Gary W. Longsine said…

    Attacks like these persist on the internet. I've seen Apache users who use re-write rules to redirect these attacks to /dev/null on UNIX systems, and one person with a sense of humor who redirected them to microsoft.com. That's rude, but really pretty funny, in a slipped-on-a-banana-peel sorta way. I probably shouldn't admit that.

    /gary
    Intrinsic Security: AntiWorm Defense In Depth
