TeamPhotoshop

Nimda or some other virus..

Dec 15th 2001#23455 Report
Member since: May 24th 2001
Posts: 358
My home server keeps getting spammed by servers that have caught a virus and are looking for others to pass it on (or something).

I get them in bursts every.. hour or so and they typically look like this.

64.180.148.114 localhost - [14/Dec/2001:23:40:46 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 868 "" ""
Error reading "C:\HTTPD\HTDOCS\scripts\..S5c..\winnt\system32\cmd.exe" - The system cannot find the path specified.
64.180.148.114 localhost - [14/Dec/2001:23:40:45 -


Except about 50 times more attempts.

Any idea what the hell is going on or how I can stop it?

I'm running omnihttp by omnicrom.ca on a win98 box with php4 installed on an adsl line.
The firewall I use is zonealarm.
Dec 15th 2001#23457 Report
Member since: Mar 20th 2001
Posts: 3367
get an anti virus software?
format your harddisk?
don't open anymore emails?
don't switch on your pc?
don't touch urself so no virus will attack u?
Dec 15th 2001#23459 Report
Member since: May 24th 2001
Posts: 358
Eh?

The problem isn't with my computer, it's with others scanning me constantly.
Dec 16th 2001#23554 Report
Member since: Mar 24th 2001
Posts: 3734
#1) Yes, that is Nimda.


Well you are running a web server then?
Are you running PWS? If so, check for updates.

If you are just running something that allows you to run PHP stuff on there, look for security updates through the provider of the software.

Also, make sure that your default web directory is NOT located on your C: drive. If you put it on an extended partition or a different volume, then you don't have to worry about anything.

Also, if your software allows you to, install a free 3rd party software program such as URLScan to ensure that nobody can send such requests to your web server.

Do a little research on what Nimda can do to the configuration that you have running, and you'll come up with 1,000 answers.
Dec 16th 2001#23568 Report
Member since: Mar 18th 2001
Posts: 1690
[QUOTE]64.180.148.114 localhost - [14/Dec/2001:23:40:46 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 868 "" "" [/QUOTE]

If that is the error message you are getting on YOUR server's error log, then YOU yourself have been infected by this virus. Patch your webserver. Patch your server's operating system. Get virus updates.

Remove your computer from the network, scan for viruses. Keep scanning until none are found and all are fixed.
Dec 16th 2001#23577 Report
Member since: Mar 24th 2001
Posts: 3734
That exact line there does not say whether his is infected or not. That line there is the request that an infected machine is sending to his machine.
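
An added example, not part of the thread or any poster's code: a small log check that decodes the doubly encoded path in the request quoted above (`%%35%63` becomes `%5c`, then `\`) and flags traversal attempts aimed at `cmd.exe`. The log layout is inferred from the two lines in the first post; the second sample line and the function names are constructed for illustration.

```python
import re

# Constructed sample input: line 1 is the request quoted in the thread,
# line 2 is a made-up benign request for contrast.
SAMPLE_LOG = [
    '64.180.148.114 localhost - [14/Dec/2001:23:40:46 -0800] '
    '"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 868 "" ""',
    '192.0.2.10 localhost - [14/Dec/2001:23:41:02 -0800] '
    '"GET /index.php?page=1 HTTP/1.0" 200 5120 "" ""',
]

# Assumed layout: ip host ident [timestamp] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PCT_RE = re.compile(r'%([0-9A-Fa-f]{2})')


def decode_fully(target, max_rounds=5):
    """Percent-decode repeatedly until the string stops changing."""
    rounds = 0
    while rounds < max_rounds:
        decoded = PCT_RE.sub(lambda m: chr(int(m.group(1), 16)), target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds


def classify(line):
    """Return a finding dict for one access-log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, target, status = m.groups()
    decoded, rounds = decode_fully(target)
    # Treat backslashes as separators, the way a Windows file system does.
    path = decoded.split('?', 1)[0].replace('\\', '/').lower()
    segments = path.split('/')
    reasons = []
    if '..' in segments:
        reasons.append('directory traversal')
    if rounds > 1:
        reasons.append('multiply-encoded path')
    if segments[-1] == 'cmd.exe':
        reasons.append('command interpreter requested')
    # status is what this server answered, e.g. 404 = the file was not served
    return {'ip': ip, 'status': status, 'decoded': decoded,
            'rounds': rounds, 'reasons': reasons}


if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(classify(entry))
```
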