Actually this is an attempt to use the backdoor which is installed by CodeRed II. It copies the cmd.exe to the scripts directory as root.exe and, if the backdoor is active, allows someone to execute commands in this manner. 'dir' is just the common one given in examples on the web. This looks like some script kiddie playing and not a real hacker. A real hacker would know that you are running Linux and not infected with CodeRed II.
10/06/01 02:02:30 PM, Rainer Link wrote:
On Sat, 6 Oct 2001, Rolf Klemenz wrote:
Does anybody know of the following attack? These are getting more and more, starting today...
:: Apache Access Log File ::
<cut>
212.25.83.251 - - [06/Oct/2001:20:36:05 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1438
[cut] I'd say it's Nimda. But it's a worm and not new :-) See http://cert.uni-stuttgart.de/ticker/article.php?mid=480
best regards, Rainer Link
--
Rainer Link | SuSE - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
Actually this is an attempt to use the backdoor which is installed by CodeRed II. It copies the cmd.exe to the scripts directory as root.exe and, if the backdoor is active, allows someone to execute commands in this manner. 'dir' is just the common one given in examples on the web. This looks like some script kiddie playing and not a real hacker. A real hacker would know that you are running linux and not infected with CodeRed II.
It's not even a script kiddie. The source host is infected by Nimda and is doing its normal activity of scanning for new hosts to infect. You don't need to worry, as you are not running IIS. John
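To make the thread's point concrete for anyone reading their own logs: the request in the quoted log line is a probe for the root.exe/cmd.exe backdoor, and on an Apache/Linux box it can only ever return 404. The script below is an added example, not code from the thread or from any of its participants. It parses Apache common-format log lines, flags requests aimed at root.exe or cmd.exe (decoding the double-encoded traversal that Nimda uses), and separates harmless 404 misses from requests that were actually served, which is the only case worth investigating. The sample log lines other than the one quoted above are constructed; the /MSADC and traversal paths are assumed typical worm variants for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "common" log format, as in the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Binaries the Code Red II backdoor / Nimda scanner try to reach through IIS:
# root.exe is the cmd.exe copy dropped into the scripts directory,
# cmd.exe is reached directly via directory traversal.
BACKDOOR_BINARIES = ("root.exe", "cmd.exe")


def parse_line(line):
    """Parse one common-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_worm_probe(target):
    """True if the request path targets root.exe or cmd.exe (after percent-decoding)."""
    path, _, _query = target.partition("?")
    # Decode twice: double-encoded traversal such as %255c only resolves on the second pass.
    decoded = unquote(unquote(path)).lower()
    return decoded.endswith(BACKDOOR_BINARIES)


def classify(entry):
    """Verdict for a parsed entry: None if not a probe, else how the server answered."""
    if not is_worm_probe(entry["target"]):
        return None
    if entry["status"] == 404:
        return "probe-miss"      # nothing at that path: the normal, harmless result on Apache
    if 200 <= entry["status"] < 300:
        return "probe-served"    # something answered the request: investigate that host
    return "probe-other"         # e.g. 403/400: blocked or rejected, still not served


def scan(lines):
    """Group worm probes by source IP: {ip: {"hits": n, "served": n, "targets": [...]}}."""
    report = defaultdict(lambda: {"hits": 0, "served": 0, "targets": []})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        rec = report[entry["ip"]]
        rec["hits"] += 1
        if verdict == "probe-served":
            rec["served"] += 1
        rec["targets"].append(entry["target"])
    return dict(report)


# Constructed sample log: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    '212.25.83.251 - - [06/Oct/2001:20:36:05 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1438',
    '212.25.83.251 - - [06/Oct/2001:20:36:06 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1438',
    '212.25.83.251 - - [06/Oct/2001:20:36:06 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1438',
    '212.25.83.251 - - [06/Oct/2001:20:36:07 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1438',
    '192.0.2.10 - - [06/Oct/2001:20:40:00 +0200] "GET /index.html HTTP/1.0" 200 2048',
    # Constructed: what a hit on an actually exposed IIS host would look like (status 200).
    '198.51.100.7 - - [06/Oct/2001:21:00:00 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512',
]


if __name__ == "__main__":
    for ip, rec in scan(SAMPLE_LOG).items():
        state = "SERVED - investigate" if rec["served"] else "all missed (404), just a scanning host"
        print(f"{ip}: {rec['hits']} probe(s), {state}")
        for t in rec["targets"]:
            print("   ", t)
```

Run as-is it reports the thread's source IP as a scanning host whose every probe missed, and the constructed 198.51.100.7 entry as the one case a defender would actually chase.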
On Sun, 07 Oct 2001, John Trickey wrote:
Actually this is an attempt to use the backdoor which is installed by CodeRed II. It copies the cmd.exe to the scripts directory as root.exe and, if the backdoor is active, allows
I think the best in this case, if you get such a thing as an attachment and you are using qmail with the Maildir method, is a script like checkattach. I think you can get this in the antispamhowto. The script will kill all .vbs and other dangerous attachments (.exe, .ocx, ...). I think the part about deleting such messages is missing, but no problem to insert. I think it is one method to fight against viruses. Regards, Ruprecht
On Sun, 07 Oct 2001, John Trickey wrote:
Actually this is an attempt to use the backdoor which is installed by CodeRed II. It copies the cmd.exe to the scripts directory as root.exe and, if the backdoor is active, allows
snip
I think the part about deleting such messages is missing, but no problem to insert.
I think you are missing the point here. We were discussing the first phase of the Nimda worm, which is to infect an unpatched IIS web server. If you want to know more, read http://www.incidents.org/react/nimda.pdf, but it's a bit verbose. BTW, if you do quote me, make sure it's my words you quote, not someone else's as you did above. I can excuse you, as it seems my stupid mailer managed to quote paragraphs instead of lines - oh free me from M$ ;-/ John