httpd error log - ? viral ?
Hi,
This laptop usually gets mail via network from behind a firewall. Earlier this evening I plugged it into a phone line and used balsa to bring down mail (quicker than fetchmail on dial up). I have just found the following in httpd error_log ( see below ). Is this a w32 virus trying to do something that I am seeing?
Cheers
Francesco
Tue Sep 18 18:36:17 2001] [error] [client 194.74.208.164] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Tue Sep 18 18:36:50 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 194.74.208.164] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
[Tue Sep 18 18:36:52 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/d/winnt/system32/cmd.exe
[Tue Sep 18 18:36:53 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 18:36:54 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Sep 18 18:36:54 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Sep 18 18:36:55 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/msadc/..%5c../..%5c../..%5c/..../..../..../winnt/system32/cmd.exe
[Tue Sep 18 18:36:56 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..../winnt/system32/cmd.exe
[Tue Sep 18 18:36:57 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..../winnt/system32/cmd.exe
[Tue Sep 18 18:36:58 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..../winnt/system32/cmd.exe
[Tue Sep 18 18:37:00 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 18:37:01 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..%2f../winnt/system32/cmd.exe exe
Yes. It started this morning, Tuesday, at 8:30am CDT (-0500). A new
virus that has several vectors. More virulent than Code Red, exploits
the same hole in IIS, and also propagates via e-mail. See
http://www.europe.f-secure.com/v-descs/nimda.shtml
or:
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
HTH,
Jeffrey
Quoting Francesco Scaglioni
Hi,
This laptop usually gets mail via network from behind a firewall. Earlier this evening I plugged it into a phone line and used balsa to bring down mail (quicker than fetchmail on dial up). I have just found the following in httpd error_log ( see below ). Is this a w32 virus trying to do something that I am seeing?
Cheers
Francesco
Tue Sep 18 18:36:17 2001] [error] [client 194.74.208.164] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Tue Sep 18 18:36:50 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 194.74.208.164] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
[Tue Sep 18 18:36:52 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/d/winnt/system32/cmd.exe
[Tue Sep 18 18:36:53 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 18:36:54 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Sep 18 18:36:54 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Tue Sep 18 18:36:55 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
[Tue Sep 18 18:36:56 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..Á../winnt/system32/cmd.exe
[Tue Sep 18 18:36:57 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..À¯../winnt/system32/cmd.exe
[Tue Sep 18 18:36:58 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..Á../winnt/system32/cmd.exe
[Tue Sep 18 18:37:00 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 18:37:01 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..%2f../winnt/system32/cmd.exe exe
-- I don't do Windows and I don't come to work before nine. -- Johnny Paycheck
Francesco Scaglioni wrote:
Hi,
This laptop usually gets mail via network from behind a firewall. Earlier this evening I plugged it into a phone line and used balsa to bring down mail (quicker than fetchmail on dial up). I have just found the following in httpd error_log ( see below ). Is this a w32 virus trying to do something that I am seeing?
Cheers
Francesco
Tue Sep 18 18:36:17 2001] [error] [client 194.74.208.164] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Tue Sep 18 18:36:50 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 194.74.208.164] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
It's called the Nimda worm.
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
-- Joe & Sesil Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: www.mydestiny.net/~joe_morris
"All I have seen teaches me to trust the Creator for all I have not seen." --Ralph Waldo Emerson
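One way to triage an error_log like the one in this thread, added here as an example and not part of any poster's message: it groups the "File does not exist" entries by client and by the kind of path requested. The signature names, the `min_kinds` threshold and the last sample line (documentation address 192.0.2.10) are choices made for this example; the other sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Apache error_log entry as it appears in the thread:
# [timestamp] [error] [client IP] File does not exist: <path under the docroot>
LINE_RE = re.compile(r"\[([^\]]+)\] \[error\] \[client ([\d.]+)\] "
                     r"File does not exist: (\S+)")

# First match wins. Every pattern is derived from a request path quoted in the thread.
SIGNATURES = [
    ("root.exe", re.compile(r"/(scripts|msadc)/root\.exe$", re.I)),
    # "..": followed by an encoded slash/backslash or a raw high byte
    ("encoded-traversal", re.compile(r"\.\.(%5c|%2f|[\x80-\xff])", re.I)),
    ("drive-letter-cmd.exe", re.compile(r"/[a-z]/winnt/system32/cmd\.exe$", re.I)),
    ("other-cmd.exe", re.compile(r"/winnt/system32/cmd\.exe$", re.I)),
]

def classify(path):
    """Return the name of the first matching signature, or None."""
    return next((n for n, p in SIGNATURES if p.search(path)), None)

def summarize(log_text):
    """Map client IP -> {signature name: hit count} for matching entries."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        kind = classify(m.group(3)) if m else None
        if kind:
            hits[m.group(2)][kind] += 1
    return {ip: dict(kinds) for ip, kinds in hits.items()}

def probable_scanners(log_text, min_kinds=2):
    """Clients that tried at least min_kinds different probe types."""
    return sorted(ip for ip, kinds in summarize(log_text).items()
                  if len(kinds) >= min_kinds)

# Six entries copied from the thread; the last one is constructed (an ordinary 404).
SAMPLE = """\
[Tue Sep 18 18:36:50 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 194.74.208.164] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Tue Sep 18 18:36:51 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
[Tue Sep 18 18:36:53 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 18:37:01 2001] [error] [client 195.224.200.138] File does not exist: /usr/local/httpd/htdocs/scripts/..%2f../winnt/system32/cmd.exe
[Tue Sep 18 18:40:00 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/httpd/htdocs/favicon.ico
"""

if __name__ == "__main__":
    print(summarize(SAMPLE), probable_scanners(SAMPLE))
```

Every entry here is a "File does not exist" error, so the requests found nothing to run on this Apache host; the summary shows who is probing, not that anything succeeded.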