You probably shouldn't drop everything from that class A if you're running a
commercial site.  That class A is no different from any other one.  

Plus, who cares anyway?  You're running Linux, you're not vulnerable to
Nimda anyway.  

> -----Original Message-----
> From: Dan Drake [mailto:drake+tclug at lemongecko.org] 
> Sent: Tuesday, October 30, 2001 11:48 PM
> To: tclug-list at mn-linux.org
> Subject: Re: [TCLUG] Apache error logs
> 
> 
> On Tue, Oct 30, 2001 at 08:36PM -0600, Munir Nassar wrote:
> > For a couple of days now I have been getting weird errors in my Apache
> > logs, mostly people doing a GET /dir/cmd.exe, or root.exe
> 
> I am seeing the same thing, but I suspect it's a Nimda 
> variant. Here's a snippet from my logs:
> 
> 65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
> 65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
> 65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
> 65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
> 65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
> 
> Just one would look like a k1ddi3 trying to be 733t...but 
> this is five hits from the same IP in a couple seconds, plus 
> the more typical Nimda string.
> 
> *sigh* I wish someone would take a baseball bat to every 
> Winblows box sitting on the 65.0.0.0 class A. My firewall now 
> drops packets to port 80 from that class A, but I am still 
> getting crap in my logs.
> 
> Dan
> 
> -- 
> | 4699  BDCB  B1A5  28B6  7F8A  F8DF  EB6A  BC2A  B0A1  99BF (GPG)
> | Dan Drake <drake+tclug at lemongecko.org> | http://lemongecko.org/drake/
> | public key: email <drake+gpg at lemongecko.org>
>
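As an added example (not from either message in this thread), the kind of check a log reviewer would run over entries like Dan's: it parses Apache access-log lines, flags the Nimda-style probe paths, reports which client addresses sent a burst of them within a few seconds, and counts how many probes got anything other than a 404, which is the figure that decides whether a host needs attention rather than a whole class A being dropped. The sample lines are constructed: the five probes from the post with trailing fields filled in, plus a lone probe and an ordinary request from made-up addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefix shared by Apache common and combined formats: host ident user [time] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Paths typical of Nimda / Code Red II probes: cmd.exe, root.exe, double-encoded traversal (%255c)
PROBE_RE = re.compile(r'cmd\.exe|root\.exe|%255c', re.IGNORECASE)

def parse_line(line):
    """Pull client IP, timestamp, request path and status from one log line; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status")),
            "ts": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")}

def find_probe_bursts(lines, window_seconds=10, min_hits=3):
    """Group probe requests by client IP and return those that sent at least min_hits
    probes inside any window_seconds span (scanner/worm behaviour, not a one-off),
    with a count of probes that got a non-404 answer, which would warrant a closer look."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["path"]):
            by_ip[rec["ip"]].append(rec)
    bursts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs) - min_hits + 1):  # sliding window over sorted hits
            if (recs[i + min_hits - 1]["ts"] - recs[i]["ts"]).total_seconds() <= window_seconds:
                bursts[ip] = {"hits": len(recs),
                              "non_404": sum(1 for r in recs if r["status"] != 404)}
                break
    return bursts

# Constructed sample: the five probes from the post (trailing fields filled in), a lone probe, a normal hit
SAMPLE_LOG = [
    '65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"',
    '65.96.212.248 - - [30/Oct/2001:22:20:20 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"',
    '65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"',
    '65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"',
    '65.96.212.248 - - [30/Oct/2001:22:20:21 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"',
    '192.0.2.9 - - [30/Oct/2001:22:25:03 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"',
    '192.0.2.10 - - [30/Oct/2001:22:26:11 -0600] "GET /index.html HTTP/1.0" 200 1534 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print(find_probe_bursts(SAMPLE_LOG))  # {'65.96.212.248': {'hits': 5, 'non_404': 0}}
```

A single probe from an address (as with 192.0.2.9 above) stays below the burst threshold, and a non-zero `non_404` count is the signal to inspect the server, since a 404 means the request hit nothing.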