Re: W32.Nimda Scanner script

From: "Peter J. Persing" <Peter@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Thu, 20 Sep 2001 10:22:24 -0600
Boy, that syscancorp.com (12.32.69.18) is also flooding me with the same
thing. I sent him an e-mail. I home he wakes up!!!

Pete
 
On the Blackfoot River in the great state of Montana
 
 


-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx] 
Sent: Thursday, September 20, 2001 10:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: W32.Nimda Scanner script


http://www.ISAserver.org


Question. I see that an anonymous connection made in my ISA server
(Monitor
Section)

Looking in the log I see many of these log entries

12.32.69.18     anonymous       -       2001-09-20      16:03:14
GATEKEEPER      -       www     10.0.0.32       80      -
96      225     http    GET
http://10.0.0.32/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Inet    500
12.32.69.18     anonymous       -       2001-09-20      16:03:17
GATEKEEPER      -       www     10.0.0.32       80      16
97      3396    http    GET
http://10.0.0.32/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
Inet    404


Can I assume by this that ISA is doing it's job?

Further how can I setup my ISA server to Block my internal users from
being infected while they browse the net?

Thanks,

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, September 20, 2001 11:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: W32.Nimda Scanner script


http://www.ISAserver.org


It's a .vbs script.  Rename it to W32.Nimda_scanner.vbs and run it in a
command window with "cscript w32.nimda_scanner"

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message -----
From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 20, 2001 08:35
Subject: [isalist] Re: W32.Nimda Scanner script


http://www.ISAserver.org



Is that file made in Visual Basic?
To what extension do I have to rename it to make it work? Thanks.


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, September 19, 2001 11:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: W32.Nimda Scanner script


http://www.ISAserver.org



This is a multi-part message in MIME format.

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
greg.foulks@xxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
peter@xxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
Re: W32.Nimda Scanner script

Other related posts:
