[CLUE-Tech] nimda and friends
Dave Price
davep at kinaole.org
Mon Sep 9 18:40:42 MDT 2002
Well, the icmp syslog errors are gone - now if I could just get a script
to add a DROP to my iptables for systems that try to do this silliness -
[Sat Aug 31 10:08:08 2002] [error] [client 63.225.171.157] File does not exist: /var/www/d/winnt/system32/cmd.exe
==> /var/log/apache/access.log <==
63.225.171.157 - - [31/Aug/2002:10:08:08 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
==> /var/log/apache/error.log <==
[Sat Aug 31 10:08:08 2002] [error] [client 63.225.171.157] File does not exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
==> /var/log/apache/access.log <==
63.225.171.157 - - [31/Aug/2002:10:08:09 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
Like I would really run IIS. I have seen references to scripts that
actually make the Nimda targets into legitimate CGI scripts.
Has anyone ever tried to install something like that?
Scanning the logs - tired of getting probed.
BTW, if you did not know you could do this, tail can monitor several files
at once:
davep at fw:/etc/network$ cat `which tlog`
su -c "tail -f /var/log/apache/access.log /var/log/apache/error.log /var/log/exim/mainlog /var/log/syslog"
The output is easy to scan.
aloha,
dave
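A detection pass over the kind of access-log lines quoted above, added here as an example (not code from the post or from the list): it picks out Nimda-style probe requests, counts them per client, and produces the iptables DROP rule for each offender as a string to review rather than executing anything. The sample log lines are constructed; the probing address is the one from the post, the other addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache common log format, modelled on the probes
# quoted in the post. 192.0.2.x addresses are placeholders.
SAMPLE_ACCESS_LOG = """\
63.225.171.157 - - [31/Aug/2002:10:08:08 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
63.225.171.157 - - [31/Aug/2002:10:08:09 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
192.0.2.10 - - [31/Aug/2002:10:09:00 -0600] "GET /index.html HTTP/1.0" 200 1043
192.0.2.20 - - [31/Aug/2002:10:09:30 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 220
"""

# client, two dashes (ident, user), [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Strings that identify the IIS probes seen in the post: the cmd.exe target,
# its root.exe copy, and the "..\" traversal that survives double decoding.
PROBE_SIGNATURES = ("cmd.exe", "root.exe", "..\\")


def is_probe(path):
    """True if the request path looks like a Nimda-style IIS probe."""
    decoded = path
    for _ in range(2):  # %255c -> %5c -> '\' : the worm double-encodes
        decoded = unquote(decoded)
    low = decoded.lower()
    return any(sig in low for sig in PROBE_SIGNATURES)


def find_probing_hosts(log_text):
    """Return {client_ip: number_of_probe_requests} for the given log text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_probe(m.group("path")):
            counts[m.group("ip")] += 1
    return dict(counts)


def iptables_drop_rules(hosts, min_hits=1):
    """Build (not run) one DROP rule per host with at least min_hits probes."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, n in sorted(hosts.items()) if n >= min_hits]


if __name__ == "__main__":
    for rule in iptables_drop_rules(find_probing_hosts(SAMPLE_ACCESS_LOG)):
        print(rule)  # review, then pipe to sh if you really want the rules
```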