Code Red/Nimda

  • From: "Sushil Bhalla" <sushilb@xxxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 10 Apr 2002 04:09:51 -0600

Hello All,

I have SBS2000 (W2K with SP2, E2K with SP1, ISA2K, IIS) all installed on
one server.

I am getting a lot of the following entries in my IIS logs from different IPs:

2002-04-09 21:20:36 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET
/scripts/root.exe /c+dir 404 3 3396 72 62 HTTP/1.0 www - - -
2002-04-09 21:20:42 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET
/MSADC/root.exe /c+dir 404 3 3396 70 0 HTTP/1.0 www - - -
2002-04-09 21:20:43 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET
/c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 15 HTTP/1.0 www - - -
2002-04-09 21:20:45 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET
/d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 HTTP/1.0 www - - -
2002-04-09 21:20:47 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET
/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 0 HTTP/1.0
www - - -
2002-04-09 21:20:49 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396
117 0 HTTP/1.0 www - - -
2002-04-09 21:20:50 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396
117 0 HTTP/1.0 www - - -


I know 404 IS A GOOD SIGN for me. But what can I do to prevent even the logging
of these entries? What Service Packs or patches are needed, and where can I
get these?

Thanks in advance for all your help.

Sushil Bhalla
Imageware International
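
Added example, not part of the original post: a small Python triage script that groups requests like the ones quoted above by client IP and flags any that returned something other than 404. The field order is assumed from the quoted lines (a "#Fields:" header is used instead when the log has one); the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Field order as seen in the log lines quoted in the post (assumed; a real
# log declares its order in a "#Fields:" header, which is honoured if present).
DEFAULT_FIELDS = (
    "date time c-ip cs-username s-sitename s-computername s-ip "
    "s-port cs-method cs-uri-stem cs-uri-query sc-status").split()

# Request shapes visible in the post: root.exe/cmd.exe as the last element of
# the URI stem, and the encoded-backslash traversal sequence "..%5c".
PROBE = re.compile(r"(?:^|/)(?:root|cmd)\.exe$|\.\.%5c", re.IGNORECASE)

def triage(lines):
    """Group probe requests by client IP; record any that did not return 404."""
    fields = DEFAULT_FIELDS
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated or wrapped line; skip rather than misparse
        rec = dict(zip(fields, parts))
        if not PROBE.search(rec.get("cs-uri-stem", "")):
            continue
        entry = report[rec.get("c-ip", "?")]
        entry["probes"] += 1
        if rec.get("sc-status") != "404":  # not "not found": look closer
            entry["answered"].append((rec["cs-uri-stem"], rec.get("sc-status")))
    return dict(report)

# Constructed sample lines in the same layout as the post (addresses are
# documentation-range placeholders, not values from the post).
SAMPLE = """\
2002-04-09 21:20:36 192.0.2.10 - W3SVC3 SERVER 198.51.100.5 80 GET /scripts/root.exe /c+dir 404 3 3396 72 62 HTTP/1.0 www - - -
2002-04-09 21:20:47 192.0.2.10 - W3SVC3 SERVER 198.51.100.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 0 HTTP/1.0 www - - -
2002-04-09 21:25:01 192.0.2.77 - W3SVC3 SERVER 198.51.100.5 80 GET /default.htm - 200 0 1024 80 15 HTTP/1.0 www - - -
2002-04-09 21:31:12 203.0.113.9 - W3SVC3 SERVER 198.51.100.5 80 GET /scripts/root.exe /c+dir 200 0 512 72 31 HTTP/1.0 www - - -
""".splitlines()

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, info["probes"], "probes; non-404:", info["answered"] or "none")
```

An address with an empty non-404 list only ever received "not found" answers, which is the situation described in the post; any entry in that list is a request the server actually answered.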

