On Tue, Oct 30, 2001 at 08:36PM -0600, Munir Nassar wrote:
> For a couple of days now I have been getting weird errors in my Apache
> logs, mostly people doing a GET /dir/cmd.exe, or root.exe

I am seeing the same thing, but I suspect it's a Nimda variant. Here's a
snippet from my logs:

65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303

Just one would look like a k1ddi3 trying to be 733t...but this is five
hits from the same IP in a couple seconds, plus the more typical Nimda
string.

*sigh* I wish someone would take a baseball bat to every Winblows box
sitting on the 65.0.0.0 class A. My firewall now drops packets to port 80
from that class A, but I am still getting crap in my logs.

Dan

--
| 4699 BDCB B1A5 28B6 7F8A F8DF EB6A BC2A B0A1 99BF (GPG)
| Dan Drake <drake+tclug at lemongecko.org>
| http://lemongecko.org/drake/
| public key: email <drake+gpg at lemongecko.org>
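
The pattern described in this message (several cmd.exe/root.exe requests from one address within a couple of seconds) written as a log check. This is an added example, not part of the original post; the function name, the thresholds (3 hits within 10 seconds) and the 192.0.2.10 log line are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log prefix only: referer/user-agent are not required (the last quoted entry lacks them).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Request paths ending in the two executables named in the thread.
PROBE_RE = re.compile(r'/(?:cmd|root)\.exe$', re.IGNORECASE)

def probe_bursts(lines, min_hits=3, window=timedelta(seconds=10)):
    """Return {ip: [all probe URIs]} for IPs with >= min_hits probes inside `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log entry
        path = m.group("uri").split("?", 1)[0]  # ignore the query string
        if PROBE_RE.search(path):
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            hits[m.group("ip")].append((ts, m.group("uri")))
    flagged = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[ip] = [uri for _, uri in events]
                break
    return flagged

# The five entries quoted in the post, plus one constructed benign request.
SAMPLE = [
    '65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"',
    '65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"',
    '65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"',
    '65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"',
    '65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303',
    '192.0.2.10 - - [30/Oct/2001:22:21:05 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for ip, uris in probe_bursts(SAMPLE).items():
        print(f"{ip}: {len(uris)} probe requests in a burst")
```
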