-
Apr 17th, 2002, 08:26 AM
#1
Thread Starter
Hyperactive Member
Stop trying to infect me. Is this possible?
Hi,
Every morning my server logs are filled with dozens of the following:
2002-04-17 00:08:52 217.83.72.182 - 10.72.64.27 80 GET /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 00:45:23 12.99.208.230 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 401 -
2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /MSADC/root.exe /c+dir 403 -
2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:10 12.239.52.5 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 401 -
2002-04-17 01:50:14 12.239.52.5 - 10.72.64.27 80 GET /MSADC/root.exe /c+dir 403 -
2002-04-17 01:50:14 12.239.52.5 - 10.72.64.27 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:16 12.239.52.5 - 10.72.64.27 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:16 12.239.52.5 - 10.72.64.27 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:17 12.239.52.5 - 10.72.64.27 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
I recognize these as attempts to gain control of my system for some nefarious purpose. I believe the viruses Code-Red and Nimda use this method to infect systems.
One of the things it looks for is a root.exe in the /scripts or /MSADC folders, neither of which exists on my system.
Question:
I was wondering if it would be possible to create a program named root.exe that would:
1. Send a message to the offending IP telling them to disinfect their system.
or
2. Stop their web server.
or
3. Blow up their system.
Any thoughts or comments?
Thanks,
Al.
A computer is a tool, not a toy.
-
Apr 17th, 2002, 09:01 AM
#2
Just some thoughts, no help....
Question:
I was wondering if it would be possible to create a program named root.exe that would:
1. Send a message to the offending IP telling them to disinfect their system.
or
2. Stop their web server.
or
3. Blow up their system.
So you'd be replacing your root.exe? Nimda just wishes to affect these files, create admin shares, and propagate itself.
I think.....
1. no.
2. see above.
3. see above.
You could simply send them an email? How come you haven't done that?
These are just thoughts/comments...
-
Apr 17th, 2002, 09:48 AM
#3
Thread Starter
Hyperactive Member
Thanks for the reply.
I have emailed some of the sites when I can identify them, but this is time-consuming. I was hoping for some way to automate it.
I have written a program that extracts the IP addresses from the log files but I can't email directly to these.
Since my system doesn't have a root.exe in the scripts or MSADC folder, I wouldn't be replacing it. I'd be creating a false root.exe.
Al.
-
Apr 17th, 2002, 11:12 AM
#4
Black Cat
It looks like scans by computers already infected by Nimda or Code Red - chances are the admins of these servers are pretty clueless. Anyway, if your server has been secured, it's really just an annoyance in your log files.
Also, I think attempting to send anything would just make your server less secure.
Josh
Get these: Mozilla Opera OpenBSD
I have books for sale: "MCSD in a Nutshell" and "VB Distributed Exam Cram" - PM me for details. Will also trade for a decent ATX Pentium 2 MB/CPU/RAM combo.
-
Apr 17th, 2002, 11:56 AM
#5
I had this problem a while back... Apply all of Microsoft's security patches, then buy Norton AntiVirus. I don't have any problems any more.
-
Apr 17th, 2002, 12:09 PM
#6
Frenzied Member
joan is correct. We had that same attack on our web servers. Once we installed the latest patches, it went away. It is just a simple buffer overflow attack.
-
Apr 17th, 2002, 01:19 PM
#7
Black Cat
You will still see the failed attacks in your server logs, regardless of whether you use IIS, Apache, etc. As long as you're logging failed attacks, you're fine. Applying patches will prevent the attacks from working, but it will not stop the attackers from trying.
Josh
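As an added example (not code from anyone in this thread), here is a Python script that does what Al describes in post #3 and what Josh's advice in post #7 depends on: it parses IIS W3C log lines, picks out the Nimda/Code Red probe requests (root.exe, cmd.exe reached through %5c traversal), tallies them per source IP, and flags any probe that was answered with 200 instead of a 401/403 refusal. Four of the sample lines are quoted from the first post; the final line and its 10.0.0.99 address are constructed to show what a successful probe would look like.

```python
import re
from collections import defaultdict

# Sample IIS W3C log lines. The first four are quoted from the post above;
# the last one (status 200, IP 10.0.0.99) is constructed for illustration.
SAMPLE_LOG = """\
2002-04-17 00:45:23 12.99.208.230 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 401 -
2002-04-17 00:45:27 12.99.208.230 - 10.72.64.27 80 GET /MSADC/root.exe /c+dir 403 -
2002-04-17 01:50:16 12.239.52.5 - 10.72.64.27 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 01:50:17 12.239.52.5 - 10.72.64.27 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-04-17 02:00:00 10.0.0.99 - 10.72.64.27 80 GET /scripts/root.exe /c+dir 200 -
"""

# Request shapes seen in the log: the root.exe backdoor left by earlier infections,
# cmd.exe reached directly, and the encoded backslash (%5c) used for traversal.
PROBE_PATTERNS = [
    re.compile(r"/root\.exe$", re.I),
    re.compile(r"/cmd\.exe$", re.I),
    re.compile(r"%5c", re.I),
]

def parse_line(line):
    """Split one W3C extended log line into the fields used here; None for comment/short lines."""
    parts = line.split()
    if len(parts) < 10 or parts[0].startswith("#"):
        return None
    date, time, client_ip, _, server_ip, port, method, uri, query, status = parts[:10]
    return {"time": f"{date} {time}", "client_ip": client_ip, "method": method,
            "uri": uri, "query": query, "status": int(status)}

def is_probe(entry):
    return any(p.search(entry["uri"]) for p in PROBE_PATTERNS)

def summarize(log_text):
    """Return {client_ip: {"count", "statuses", "succeeded"}} for probe requests only."""
    per_ip = defaultdict(lambda: {"count": 0, "statuses": set(), "succeeded": False})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_probe(entry):
            continue
        rec = per_ip[entry["client_ip"]]
        rec["count"] += 1
        rec["statuses"].add(entry["status"])
        # 401/403/404 mean IIS refused the request. A 200 means the probe found
        # something to execute, which is the case to investigate rather than ignore.
        if entry["status"] == 200:
            rec["succeeded"] = True
    return dict(per_ip)

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        flag = "INVESTIGATE" if rec["succeeded"] else "refused"
        print(f"{ip:15} {rec['count']:3} probe(s) statuses={sorted(rec['statuses'])} {flag}")
```

Point it at a real log with `summarize(open(path).read())`; the per-IP list is the input for the emails Al was sending by hand, and any "INVESTIGATE" line means the patches Josh and joan mention are not actually in place.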