[Suns-at-Home] Odd httpd error entries - probe attempts?
der Mouse
mouse@Rodents.Montreal.QC.CA
Sat, 6 Oct 2001 14:26:14 -0400 (EDT)
> I have been seeing a strange trend in my log files that track my web
> site traffic [...]
> d/winnt/system32/cmd.exe
> scripts/..%5c../winnt/system32/cmd.exe
> _vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> _mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

This is a Windows infectious agent (worm or virus, depending on your
point of view). It's called Nimda, I believe, and is very virulent;
I've seen it said - with what truth I know not - that it spreads both
through IIS bugs, such as you're seeing evidence of, and via automatic
mailing itself to your whole address book if you're foolish enough to
use bugware from Microsoft to deal with your email.

The collateral damage in the form of incessant pounding on port 80 of
non-vulnerable machines can be unfortunate.

/~\ The ASCII                             der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@rodents.montreal.qc.ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
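
An added example, not part of the original message: a small filter that picks the request paths quoted above out of an Apache error log and counts them per client. The log lines are constructed, and the document root `/var/www/htdocs` and the client addresses are assumptions; percent-decoding is repeated until stable, which goes slightly beyond the single `%5c` encoding shown in the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache error-log format. The path tails are the ones
# quoted in the post; docroot and client addresses are placeholders.
SAMPLE_LOG = """\
[Sat Oct  6 14:01:02 2001] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/d/winnt/system32/cmd.exe
[Sat Oct  6 14:01:03 2001] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Sat Oct  6 14:01:04 2001] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Oct  6 14:02:10 2001] [error] [client 192.0.2.77] File does not exist: /var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sat Oct  6 14:03:00 2001] [error] [client 198.51.100.5] File does not exist: /var/www/htdocs/favicon.ico
[Sat Oct  6 14:03:05 2001] [error] [client 198.51.100.5] File does not exist: /var/www/htdocs/docs/cmd.exe-faq.html
"""

PROBE_TAIL = "/winnt/system32/cmd.exe"
ENTRY = re.compile(r"\[client ([^\]]+)\] File does not exist: (\S+)")

def normalize(path, max_rounds=3):
    """Percent-decode until stable (bounded), unify slashes, lowercase."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def is_probe(path):
    """True when the normalized path ends in the Windows cmd.exe location."""
    return normalize(path).endswith(PROBE_TAIL)

def probe_sources(log_text):
    """Count matching 'File does not exist' entries per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m and is_probe(m.group(2)):
            hits[m.group(1)] += 1
    return hits

if __name__ == "__main__":
    for client, count in probe_sources(SAMPLE_LOG).most_common():
        print(f"{client}\t{count} probe request(s)")
```

On a non-Windows server these entries are noise rather than compromise; the per-client counts are mainly useful for rate limiting or for filtering the probes out before reviewing the rest of the log.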