RE: [squid-users] WinNT Server Access Problem

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 19 Sep 2001 12:59:38 +1000

You've been hit by W32/NIMDA. It's a worm.

Rob

> -----Original Message-----
> From: Arvin V. Carlos [mailto:spaceman@server.pccomshop.com]
> Sent: Wednesday, September 19, 2001 12:33 PM
> To: Squid Users Mailing List
> Cc: orly@mozcom.com
> Subject: [squid-users] WinNT Server Access Problem
>
>
>
> We have two NT 4.0 running IIS, suddenly our squid went down
> because of
> disk space problem, we check our log files and it eats our disk space
> because of our NT Machines try to resolve this all the time:
>
> 255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.455 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.487 1 208.142.136.115 TCP_MISS/503 1168 GET http://www/c/winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.496 1 208.142.136.115 TCP_MISS/503 1168 GET http://www/d/winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.505 2 208.142.136.115 TCP_MISS/503 1200 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.514 2 208.142.136.115 TCP_MISS/503 1242 GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.530 1 208.142.136.115 TCP_MISS/503 1242 GET http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.539 2 208.142.136.115 TCP_MISS/503 1299 GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.548 2 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> 1000866350.557 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
>
>
> anyone can explain this? this is a virus? pls HELP!!!
>
> --
> ==============================================================
> =================
> Arvin V. Carlos Office Phone:
> Linux System Administrator (047)237-6001/237-6002
> Pccomshop Inc.
http://www.pccomshop.com

                  -- Some people are afraid of nothing! --
========================================================================
=======
Received on Tue Sep 18 2001 - 20:50:47 MDT
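
Added example, not part of the original thread and not Squid project code: a small triage script that flags the request patterns seen in the quoted log (double percent-encoding, the invalid UTF-8 lead bytes 0xC0/0xC1, "..", and a path ending in cmd.exe) and counts them per client so the infected hosts can be identified. The function names and reason labels are this example's own; the first four sample lines are rejoined from the quoted log and the last one is constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes, urlsplit

# Squid native access.log: time elapsed client action/code size method URL ...
LINE = re.compile(r"^\d+\.\d+\s+\d+\s+(\S+)\s+\S+/\d{3}\s+\d+\s+\S+\s+(\S+)")

def decode_fully(raw, max_rounds=3):
    """Percent-decode repeatedly; return (bytes, number of rounds that changed it)."""
    rounds = 0
    for _ in range(max_rounds):
        nxt = unquote_to_bytes(raw)
        if nxt == raw:
            break
        raw, rounds = nxt, rounds + 1
    return raw, rounds

def classify(url):
    """Return the set of reasons a request URL looks like a traversal probe."""
    path = urlsplit(url).path.encode("latin-1", "replace")
    decoded, rounds = decode_fully(path)
    reasons = set()
    if rounds > 1:                      # e.g. %255c -> %5c -> backslash
        reasons.add("double-encoding")
    if b"\xc0" in decoded or b"\xc1" in decoded:   # never valid in UTF-8
        reasons.add("invalid-utf8-lead")
    if b".." in decoded:
        reasons.add("dot-dot")
    if decoded.lower().endswith(b"cmd.exe"):
        reasons.add("cmd.exe")
    return reasons

def summarize(lines):
    """Count flagged requests per client IP; unparsable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and classify(m.group(2)):
            hits[m.group(1)] += 1
    return hits

SAMPLE = [
    "1000866350.455 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -",
    "1000866350.487 1 208.142.136.115 TCP_MISS/503 1168 GET http://www/c/winnt/system32/cmd.exe? - DIRECT/www -",
    "1000866350.505 2 208.142.136.115 TCP_MISS/503 1200 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - DIRECT/www -",
    "1000866350.557 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -",
    # constructed benign request
    "1000866351.100 45 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/www.example.com text/html",
]

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE).most_common():
        print(ip, count)
```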
