> I've noticed some activity on a couple of web servers which I'm trying to
> find an explanation for. It's been happening for about 2 months. Here's a
> log snippet :
>
> [08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was not
> complete after one pass. Request will be rejected. Site Instance='1', Raw
> URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'

I've got these requests going back to May, beyond that I'd have to uncompress logs but who cares. If I grep for "255" and/or ".." and "cmd.exe"... well.. yeah. lots and lots of entries. It's code red/blue/green/god knows what and Nimda and lord knows what else. Make sure your servers are patched before they go online and if you're like me find someone nice to have dinner with and forget about it. There are much better things to do in life than worrying about the latest (or not so latest) Windows worm.

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
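The grep described in the reply, together with the "not complete after one pass" condition from the quoted log line, can be written as a small log check. This is an added example, not part of the original message; the client addresses, the second and third sample entries, and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: the first URL is the one quoted above; the client
# addresses and the other two entries are made up for this example.
SAMPLE_LOG = """\
[08-21-2002 - 00:56:11] Client at 192.0.2.10: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'
[08-21-2002 - 01:02:40] Client at 192.0.2.11: (constructed entry) Site Instance='1', Raw URL='/docs/annual%20report.html'
[08-21-2002 - 01:03:05] Client at 198.51.100.7: (constructed entry) Site Instance='1', Raw URL='/a%2520b'
"""

ENTRY = re.compile(r"Client at (?P<client>\S+):.*Raw URL='(?P<url>[^']*)'")

def decode_passes(url, limit=5):
    """Percent-decode until the URL stops changing; return (final, passes)."""
    passes = 0
    while passes < limit:
        decoded = unquote(url)
        if decoded == url:
            break
        url, passes = decoded, passes + 1
    return url, passes

def classify(url):
    """Return the reasons a raw URL matches the pattern discussed above."""
    final, passes = decode_passes(url)
    path = final.replace("\\", "/").lower()   # treat \ and / alike
    reasons = []
    if passes > 1:                  # still encoded after one decoding pass
        reasons.append("multi-pass-encoding")
    if ".." in path.split("/"):     # parent-directory segment after decoding
        reasons.append("traversal")
    if "cmd.exe" in path:           # same string the reply greps for
        reasons.append("cmd.exe")
    return reasons

def scan(log_text):
    """Return (client, raw_url, reasons) for every entry with a reason."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m and (reasons := classify(m["url"])):
            hits.append((m["client"], m["url"], reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

Counting decoding passes separates the quoted request from ordinary single-encoded URLs such as `%20`, which a plain grep for "255" or ".." cannot do.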
This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 08:59:36 PDT