Stop trying to infect me. Is this possible?
Hi,
Every morning my server logs are filled with dozens of the following:
Quote:
2002-04-17 00:08:52 217.83.72.182 - 10.72.64.27 80 GET /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 00:45:23 12.99.208.230 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 401 -
2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /MSADC/root.exe /c+dir 403 -
2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:10 12.239.52.5 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 401 -
2002-04-17 01:50:14 12.239.52.5 - 10.72.64.27 80 GET /MSADC/root.exe /c+dir 403 -
2002-04-17 01:50:14 12.239.52.5 - 10.72.64.27 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:16 12.239.52.5 - 10.72.64.27 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:16 12.239.52.5 - 10.72.64.27 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:17 12.239.52.5 - 10.72.64.27 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
I recognize these as attempts to gain control of my system for some nefarious purpose. I believe the viruses Code-Red and Nimda use this method to infect systems.
One of the things it looks for is a root.exe in the /scripts or /MSADC folders, neither of which exists on my system.
Question:
I was wondering if it would be possible to create a program named root.exe that would:
1. Send a message to the offending IP telling them to disinfect their system.
or
2. Stop their web server.
or
3. Blow up their system.
Any thoughts or comments?
Thanks,
Al.
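The log excerpt above is in the IIS W3C extended format (date, time, client IP, username, server IP, port, method, URI stem, URI query, status). The following script is an added example, not code from the original poster: it parses lines in that layout, decodes the `%5c` / `%255c`-style encodings so the backslash traversals show up as plain `../`, classifies each request as a root.exe probe or a cmd.exe request, and reports, per source IP, how many probes were seen and whether any of them returned 200. The 401/403 responses in the post mean the requests were refused; a 200 on one of these paths would be the line worth investigating first, and the per-IP list is what you would put in an abuse report to the source's ISP. The field order, the constructed sample lines (documentation-range addresses 198.51.100.x) and the function names are assumptions of this example.

```python
"""Flag Code Red / Nimda-style probes in IIS W3C extended log lines.

Added example, not part of the original forum post. Assumes the field order
visible in the post's excerpt:
  date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status <extra>
"""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: the first five lines follow the pattern in the post, the
# last two are made up (198.51.100.7 is a documentation address) to show a
# harmless request and a probe that was *not* refused.
SAMPLE_LOG = """\
2002-04-17 00:08:52 217.83.72.182 - 10.72.64.27 80 GET /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 00:45:23 12.99.208.230 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 401 -
2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /MSADC/root.exe /c+dir 403 -
2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:16 12.239.52.5 - 10.72.64.27 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 02:10:00 198.51.100.7 - 10.72.64.27 80 GET /index.htm - 200 -
2002-04-17 02:11:00 198.51.100.7 - 10.72.64.27 80 GET /_vti_bin/..%255c../winnt/system32/cmd.exe /c+dir 200 -
"""


def parse_line(line):
    """Split one W3C log line into the fields this check needs; None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    return {
        "date": parts[0], "time": parts[1], "client": parts[2],
        "method": parts[6], "stem": parts[7], "query": parts[8],
        "status": int(parts[9]),
    }


def normalize_path(stem):
    """Percent-decode repeatedly (so %255c -> %5c -> '\\'), then canonicalise.

    Repeated decoding mirrors what the vulnerable IIS versions did. Overlong
    UTF-8 forms such as %c0%af are not handled here; unquote() replaces them.
    """
    path = stem
    for _ in range(3):          # bounded so a hostile input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def classify(path):
    """Return a probe label for a normalised path, or None for ordinary traffic."""
    traversal = "../" in path
    if path.endswith("/root.exe"):
        # root.exe is the cmd.exe copy left behind by an earlier infection;
        # Nimda looks for it in /scripts and /MSADC.
        return "root.exe probe"
    if path.endswith("/cmd.exe"):
        return "cmd.exe via traversal" if traversal else "cmd.exe direct"
    return None


def scan(log_text):
    """Return the parsed records that look like worm probes, with a label."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(normalize_path(rec["stem"]))
        if kind:
            rec["kind"] = kind
            rec["succeeded"] = rec["status"] == 200   # refused would be 401/403/404
            hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate probes per source IP: count, probe kinds, and any 200 response."""
    by_ip = defaultdict(lambda: {"probes": 0, "kinds": set(), "succeeded": False})
    for h in hits:
        entry = by_ip[h["client"]]
        entry["probes"] += 1
        entry["kinds"].add(h["kind"])
        entry["succeeded"] = entry["succeeded"] or h["succeeded"]
    return dict(by_ip)


def hosts_needing_review(summary):
    """Sources whose probe got a 200: check the server itself before anything else."""
    return sorted(ip for ip, s in summary.items() if s["succeeded"])


if __name__ == "__main__":
    summary = summarize(scan(SAMPLE_LOG))
    for ip, s in sorted(summary.items()):
        flag = "  <-- returned 200, investigate" if s["succeeded"] else ""
        print(f"{ip:15} {s['probes']:3} probe(s) {sorted(s['kinds'])}{flag}")
    print("review first:", hosts_needing_review(summary))
```

Feed it the real log with `scan(open(path).read())`; the per-IP summary is what goes into the abuse report, and an empty `hosts_needing_review()` result is the reassurance that the probes bounced off.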
Just some thoughts, no help....
Quote:
Question:
I was wondering if it would be possible to create a program named root.exe that would:
1. Send a message to the offending IP telling them to disinfect their system.
or
2. Stop their web server.
or
3. Blow up their system.
So you'd be replacing your root.exe? Nimda just wishes to affect these files, create admin shares, and propagate itself.
I think.....
1. no.
2. see above.
3. see above.
You could simply send them an email. How come you haven't done that?
These are just thoughts/comments...