Just Another Blog

Are you thinking what I'm thinking?

Thursday, July 08, 2004


My Windows (IIS) box was under worm attrack! The worm was Nimda and it had already generated about 215 hits.

Apparently it was trying to find my cmd.exe so as to take control of my Windows box. A few samples appeared in the Error 404 statistics:

  • /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /exchange/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /_mem_bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /_vti_bin/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /exchange/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /cgi/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /PBServer/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /cgi/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
  • /scripts/..%5c..%5cwinnt/system32/cmd.exe


Note that troll and spam comments will be deleted without any notification.

  • At 5/26/2005 07:44:00 am, Blogger Gary W. Longsine said…

    Attacks like these persist on the internet. I've seen Apache users who use re-write rules to redirect these attacks to /dev/null on UNIX systems, and one person with a sense of humor who redirected them to microsoft.com. That's rude, but really pretty funny, in a slipped-on-a-banana-peel sorta way. I probably shouldn't admit that.

    Intrinsic Security: AntiWorm Defense In Depth


Post a Comment

<< Home