R: [imp] Apache errors regarding IMP

Giovanni Riganti griganti@eco.uninsubria.it
Mon Oct 21 14:19:35 2002


Hi,

It is the usual procedure of Nimda, which tries to infect your machine.
Don't worry, Nimda infects only IIS.

Look at http://www.cert.org/advisories/CA-2001-26.html.
Or

Bye,
Gio




:> -----Original Message-----
:> From: imp-bounces@lists.horde.org [mailto:imp-bounces@lists.horde.org] On
:> behalf of Frederick Ho
:> Sent: Monday, 21 October 2002 15:02
:> To: imp@lists.horde.org
:> Subject: [imp] Apache errors regarding IMP
:>
:>
:> Hi,
:>   I am currently running Horde 2.1, IMP 3.1 in RedHat 7.2 with Apache 1.3.23
:> and logged some weird messages in the Apache logs.
:>
:>   Has anyone seen the following errors in the Linux
:> httpd/access_log, httpd/error_log regarding the Horde/IMP errors?
:>
:> > httpd/access_log
:> 202.64.220.x - - [20/Oct/2002:21:16:28 +0800] "GET
:> /horde/imp/view.php?thismailbox=INBOX&index=1941&id=2&actionID=11
:> 3&mime=9d1caf7ffd290b8e7ebeecded7496350 HTTP/1.1" 200 5894947
:> 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET
:> /scripts/root.exe?/c+dir HTTP/1.1" 404 295
:> 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET
:> /MSADC/root.exe?/c+dir HTTP/1.1" 404 293
:> 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET
:> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
:> 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET
:> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
:> 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET
:> /scripts/..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 315
:> 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET
:> /_vti_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir
:> HTTP/1.1" 404 328
:> 202.64.220.x - - [20/Oct/2002:21:17:14 +0800] "GET
:> /_mem_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir
:> HTTP/1.1" 404 328
:>
:> > httpd/error_log
:> [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x] File
:> does not exist: /var/www/html/horde/imp/scripts/root.exe
:> [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x] File
:> does not exist: /var/www/html/horde/imp/MSADC/root.exe
:> [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File
:> does not exist: /var/www/html/horde/imp/c/winnt/system32/cmd.exe
:> [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File
:> does not exist: /var/www/html/horde/imp/d/winnt/system32/cmd.exe
:> [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File
:> does not exist:
:> /var/www/html/horde/imp/scripts/..\../winnt/system32/cmd.exe
:> [Sun Oct 20 04:18:50 2002] [error] [client 202.64.220.x] File
:> does not exist:
:> /var/www/html/horde/imp/_vti_bin/..\../..\../..\../winnt/system32/cmd.exe
:> [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File
:> does not exist:
:> /var/www/html/horde/imp/_mem_bin/..\../..\../..\../winnt/system32/cmd.exe
:> [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File
:> does not exist:
:> /var/www/html/horde/imp/msadc/..\../..\../..\/..Á^\../..Á^\../..Á
:> ^\../winnt/system32/cmd.exe
:> [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File
:> does not exist:
:> /var/www/html/horde/imp/scripts/..Á^\../winnt/system32/cmd.exe
:>
:> Why am I getting these errors? I used both Netscape 7 and IE 6
:> browsers on Win2K to access the IMP mail server running on Linux.
:> I also used Apache 2.0.4 on Redhat 8 on my development system
:> and it showed the same weird messages in the logs.
:>
:> Anyone care to comment? Why did IMP try to access winnt stuff?
:> Am I under attack? My virus scan showed nothing.
:>
:> Regards,
:> Fred
:>
:>
:>
:>
:> --
:> IMP mailing list
:> Frequently Asked Questions: http://horde.org/faq/
:> To unsubscribe, mail: imp-unsubscribe@lists.horde.org
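
Added example (not part of the original thread or of Horde/IMP): a small triage script for access_log entries like the ones quoted above. It picks out requests for the IIS-only `root.exe`/`cmd.exe` targets and separates those the server refused from any it actually served. The names `is_iis_probe` and `triage`, the sample lines and the 192.0.2.10 address are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Windows/IIS-only targets seen in the thread's logs (after URL decoding).
PROBE_RE = re.compile(r'(?:^|[/\\])(?:root|cmd)\.exe$', re.IGNORECASE)


def is_iis_probe(target):
    """True if the request path (query stripped, decoded) ends in root.exe/cmd.exe."""
    path = target.split("?", 1)[0]
    # Decode twice so doubly-encoded separators (%255c) are also normalised.
    decoded = unquote(unquote(path))
    return bool(PROBE_RE.search(decoded))


def triage(lines):
    """Group probe requests by client; split into refused (4xx/5xx) and served."""
    report = defaultdict(lambda: {"refused": [], "served": []})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_iis_probe(m["target"]):
            continue
        bucket = "served" if m["status"].startswith(("2", "3")) else "refused"
        report[m["client"]][bucket].append(m["target"])
    return dict(report)


# Constructed sample modelled on the access_log excerpt in the thread.
SAMPLE = """\
192.0.2.10 - - [20/Oct/2002:21:16:28 +0800] "GET /horde/imp/view.php?thismailbox=INBOX&index=1941 HTTP/1.1" 200 5894947
192.0.2.10 - - [20/Oct/2002:21:17:09 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.1" 404 295
192.0.2.10 - - [20/Oct/2002:21:17:10 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
192.0.2.10 - - [20/Oct/2002:21:17:13 +0800] "GET /scripts/..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 315
""".splitlines()

if __name__ == "__main__":
    for client, hits in triage(SAMPLE).items():
        print(client, "refused:", len(hits["refused"]), "served:", len(hits["served"]))
        for target in hits["served"]:
            print("  INVESTIGATE:", target)
```

An empty "served" list for a client means every probe was answered with an error status, as in the 404 lines quoted in the thread.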