You probably shouldn't drop everything from that class A if you're running a commercial site. That class A is no different from any other one. Plus, who cares anyway? You're running Linux, you're not vulnerable to Nimda anyway.

> -----Original Message-----
> From: Dan Drake [mailto:drake+tclug at lemongecko.org]
> Sent: Tuesday, October 30, 2001 11:48 PM
> To: tclug-list at mn-linux.org
> Subject: Re: [TCLUG] Apache error logs
>
>
> On Tue, Oct 30, 2001 at 08:36PM -0600, Munir Nassar wrote:
> > For a couple of days now I have been getting weird errors in my Apache
> > logs, mostly people doing a GET /dir/cmd.exe, or root.exe
>
> I am seeing the same thing, but I suspect it's a Nimda variant. Here's a
> snippet from my logs:
>
> 65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
> 65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
> 65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
> 65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
> 65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
>
> Just one would look like a k1ddi3 trying to be 733t...but this is five
> hits from the same IP in a couple seconds, plus the more typical Nimda
> string.
>
> *sigh* I wish someone would take a baseball bat to every Winblows box
> sitting on the 65.0.0.0 class A. My firewall now drops packets to port 80
> from that class A, but I am still getting crap in my logs.
>
> Dan
>
> --
> | 4699 BDCB B1A5 28B6 7F8A F8DF EB6A BC2A B0A1 99BF (GPG)
> | Dan Drake <drake+tclug at lemongecko.org> | http://lemongecko.org/drake/
> | public key: email <drake+gpg at lemongecko.org>
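The thread turns on two points: recognising the Nimda/Code Red probe strings (root.exe, cmd.exe, the ..%255c traversal) in Apache's access log, and deciding how much to block in response. The script below is an added example, not code from either poster; it parses common-log-format lines, flags a client that fires several probe requests inside a short window, confirms that every probe got a 4xx (which is what the first reply means by "not vulnerable anyway"), and produces a per-host block list instead of a /8. The sample log text is constructed: the five lines are modelled on the ones Dan quoted (the trailing "-" "-" fields on the last one are added), and the 192.0.2.10 request is invented for contrast.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
192.0.2.10 - - [30/Oct/2001:22:21:05 -0600] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
"""

# Apache common log format; the referer/user-agent fields of the combined
# format are optional so a bare common-format line still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path fragments seen in the thread's log excerpt.  A request for any
# of these on a non-IIS server is noise from an infected host, not a visitor.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"/root\.exe",                # cmd.exe copy left behind by Code Red II
        r"/winnt/system32/cmd\.exe",  # direct request for the Windows shell
        r"%255c",                     # double-encoded backslash traversal
    )
]


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    """True if the request path carries one of the worm probe strings."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def find_scanners(log_text, min_hits=3, window=timedelta(seconds=10)):
    """Map client IP -> [(timestamp, path, status), ...] for clients that sent
    at least `min_hits` probe requests within any `window`-long span."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            hits[rec["ip"]].append((rec["ts"], rec["path"], rec["status"]))

    scanners = {}
    for ip, events in hits.items():
        events.sort()
        # Sliding window over the sorted timestamps.
        for i in range(len(events) - min_hits + 1):
            if events[i + min_hits - 1][0] - events[i][0] <= window:
                scanners[ip] = events
                break
    return scanners


def served_anything(events):
    """True if any probe got a non-error response, i.e. the server actually
    answered the request instead of returning 4xx/5xx."""
    return any(status < 400 for _, _, status in events)


def narrow_block_list(scanners):
    """Per-host (/32) entries for the flagged clients.  Contrast with dropping
    65.0.0.0/8, which covers 16,777,216 addresses for one noisy host."""
    return [str(ipaddress.ip_network(ip)) for ip in sorted(scanners)]


if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG)
    for ip, events in found.items():
        print(f"{ip}: {len(events)} probes, served anything: {served_anything(events)}")
    print("block list:", narrow_block_list(found))
```

Running it against the sample prints one scanner with five probes, none of which were served, and a block list containing only 65.96.212.248/32. The window threshold is what separates Dan's "five hits in a couple of seconds" from a lone curious request.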