[imp] Apache errors regarding IMP

Frederick Ho fkho@netvigator.com
Mon Oct 21 15:14:19 2002


Hmm, my virus scan on my Win2k workstation showed nothing. I probably need another virus scanner. 
But is it that my infected computer is sending Apache bad HTML instructions to IMP?

Regards,
Fred

----- Original Message ----- 
From: "Juan Enrique Gómez" <juanen@metropoli2000.com>
To: "Frederick Ho" <fkho@netvigator.com>
Cc: "IMP mail-list" <imp@lists.horde.org>
Sent: Monday, October 21, 2002 9:12 PM
Subject: Re: [imp] Apache errors regarding IMP


| On Mon, 21-10-2002 at 15:02, Frederick Ho wrote:
| 
| Hi!
| 
| This is typically produced by virus-infected systems; I think it is
| called Nimda. Check if that IP is yours; if so, then your computer has
| this worm. Anyway, this worm only affects non-patched IIS servers; if
| you use Apache you should not worry, except for the infected computers.
| 
| Best,
| 
| > Hi,
| >   I am currently running Horde 2.1, IMP 3.1 on RedHat 7.2 with Apache 1.3.23 and logged some weird messages in the Apache logs.
| > 
| >   Has anyone seen the following errors in the Linux httpd/access_log, httpd/error_log regarding the Horde/IMP errors?
| > 
| > > httpd/access_log
| > 202.64.220.x - - [20/Oct/2002:21:16:28 +0800] "GET /horde/imp/view.php?thismailbox=INBOX&index=1941&id=2&actionID=113&mime=9d1caf7ffd290b8e7ebeecded7496350 HTTP/1.1" 200 5894947
| > 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.1" 404 295
| > 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.1" 404 293
| > 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
| > 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
| > 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET /scripts/..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 315
| > 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET /_vti_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 328
| > 202.64.220.x - - [20/Oct/2002:21:17:14 +0800] "GET /_mem_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 328
| > 
| > > httpd/error_log
| > [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/scripts/root.exe
| > [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/MSADC/root.exe
| > [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/c/winnt/system32/cmd.exe
| > [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/d/winnt/system32/cmd.exe
| > [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/scripts/..\../winnt/system32/cmd.exe
| > [Sun Oct 20 04:18:50 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/_vti_bin/..\../..\../..\../winnt/system32/cmd.exe
| > [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/_mem_bin/..\../..\../..\../winnt/system32/cmd.exe
| > [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/msadc/..\../..\../..\/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe
| > [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/scripts/..Á^\../winnt/system32/cmd.exe
| > 
| > Why am I getting these errors? I used both the Netscape 7 and IE 6 browsers on Win2K to access the IMP mail server running on Linux. I also used Apache 2.0.4 on Redhat 8 on my development system and it showed the same weird messages in the logs. 
| > 
| > Anyone care to comment? Why did IMP try to access winnt stuff? Am I under attack? My virus scan showed nothing. 
| > 
| > Regards,
| > Fred
| > 
| -- 
| ---------------------------------------------------
| |Juan Enrique Gomez Perez
| | Systems Engineer
| |Metropoli2000 Networks, S.L.
| | Phone: +34 914250023 Fax: +34 914250136
| | email: juan.enrique.gomez@metropoli2000.com
| --------------------------------------------------
|
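As an added example for this thread (not code from either poster or from the Horde project), here is a small Python checker that reads Apache access_log lines of the shape quoted above, flags the Nimda-style IIS probe requests (root.exe, cmd.exe, `..%5C` and `..\` traversal), groups them by source address, and reports whether Apache ever answered one of them with a 2xx. That last check is the practical answer to "am I under attack": a run of 404s means the server had nothing at those paths to serve, which is Juan's point, while a 2xx on one of these paths would be a real problem. The sample log is constructed, using placeholder addresses from the 203.0.113.0/24 documentation range rather than the poster's real IP; the `%c0%af` / `%c1%9c` overlong-UTF-8 traversal encodings in the signature are an assumption added beyond what the thread shows literally.

```python
"""Flag Nimda-style IIS probes in an Apache access_log and summarise per source IP.

Added example for this mailing-list thread; the sample lines are constructed
(placeholder IPs from the 203.0.113.0/24 documentation range), not a real log.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the thread: one legitimate IMP request,
# then the worm's IIS probes, all answered 404 by Apache, then unrelated traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [20/Oct/2002:21:16:28 +0800] "GET /horde/imp/view.php?thismailbox=INBOX&index=1941 HTTP/1.1" 200 5894947
203.0.113.7 - - [20/Oct/2002:21:17:09 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.1" 404 295
203.0.113.7 - - [20/Oct/2002:21:17:09 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.1" 404 293
203.0.113.7 - - [20/Oct/2002:21:17:10 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
203.0.113.7 - - [20/Oct/2002:21:17:13 +0800] "GET /scripts/..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 315
203.0.113.7 - - [20/Oct/2002:21:17:14 +0800] "GET /_vti_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 328
203.0.113.9 - - [20/Oct/2002:22:01:02 +0800] "GET /horde/imp/login.php HTTP/1.1" 200 4120
203.0.113.9 - - [20/Oct/2002:22:01:05 +0800] "POST /horde/imp/redirect.php HTTP/1.1" 302 0
"""

# Apache common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path signatures of the IIS probes seen in the thread. Apache has no
# such files, so a match is a scanner/worm fingerprint, not IMP behaviour.
PROBE_RE = re.compile(
    r'/root\.exe'                        # copy of cmd.exe left behind by Code Red II
    r'|/cmd\.exe'                        # direct request for the Windows command shell
    r'|\.\.(?:%5c|\\|%c0%af|%c1%9c)',    # traversal via encoded backslash / overlong UTF-8 slash (assumed encodings)
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one common-log-format line; return a dict or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_worm_probe(path):
    """True when the request path carries one of the IIS probe signatures."""
    return PROBE_RE.search(path) is not None


def scan(log_text):
    """Group probe requests by source IP: count, how many were served (2xx), time span, paths."""
    report = defaultdict(lambda: {"probes": 0, "served": 0, "first": None, "last": None, "paths": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_worm_probe(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        if 200 <= rec["status"] < 300:
            entry["served"] += 1          # the server actually returned content for a probe
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
        entry["paths"].append(rec["path"])
    return dict(report)


def assess(report):
    """'served' if any probe got a 2xx (investigate), 'blocked' if all probes failed, 'clean' if none."""
    if any(e["served"] for e in report.values()):
        return "served"
    if report:
        return "blocked"
    return "clean"


if __name__ == "__main__":
    rep = scan(SAMPLE_ACCESS_LOG)
    for ip, e in rep.items():
        print(f"{ip}: {e['probes']} probes, {e['served']} served, {e['first']} .. {e['last']}")
    print("verdict:", assess(rep))
```

Run against a real access_log with `scan(open("access_log").read())`; a source address that appears in the report is the infected host, so if it is the same address the workstation used for the IMP session just before, the workstation is the one carrying the worm, which is exactly what Juan suggests checking.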