R: [imp] Apache errors regarding IMP

Giovanni Riganti griganti@eco.uninsubria.it
Mon Oct 21 15:34:25 2002


Try this scanner

Nimda Scanner from eEye Digital Security
http://www.eeye.com/html/Research/Tools/nimda.html

and scan the host 202.64.220.0/24 

Bye,
Gio 

:> -----Original Message-----
:> From: imp-bounces@lists.horde.org [mailto:imp-bounces@lists.horde.org] On behalf of Frederick Ho
:> Sent: Monday, 21 October 2002 16:14
:> To: Juan Enrique Gómez
:> Cc: IMP mail-list
:> Subject: Re: [imp] Apache errors regarding IMP
:> 
:> 
:> Hmm, my virus scan on my Win2k workstation showed nothing. I 
:> probably need another virus scanner. 
:> But is it that it is my infected computer sending the Apache 
:> with bad HTML instructions to IMP?
:> 
:> Regard,
:> Fred
:> 
:> ----- Original Message ----- 
:> From: "Juan Enrique Gómez" <juanen@metropoli2000.com>
:> To: "Frederick Ho" <fkho@netvigator.com>
:> Cc: "IMP mail-list" <imp@lists.horde.org>
:> Sent: Monday, October 21, 2002 9:12 PM
:> Subject: Re: [imp] Apache errors regarding IMP
:> 
:> 
:> | On Mon, 21-10-2002 at 15:02, Frederick Ho wrote:
:> | 
:> | Hi!
:> | 
:> | This is typically produced from virus infected systems, I think it is
:> | called Nimda, check if that IP is yours, if so then your computer has
:> | this worm. Anyway, this worm only affects non-patched IIS servers, if
:> | you use Apache you should not worry except for the infected computers.
:> | 
:> | Best,
:> | 
:> | > Hi,
:> | >   I am currently running Horde 2.1, IMP 3.1 in RedHat 7.2 with Apache 1.3.23 and logged some weird messages in the Apache logs.
:> | > 
:> | >   Has anyone seen the following errors in the Linux httpd/access_log, httpd/error_log regarding the Horde/IMP errors?
:> | > 
:> | > > httpd/access_log
:> | > 202.64.220.x - - [20/Oct/2002:21:16:28 +0800] "GET /horde/imp/view.php?thismailbox=INBOX&index=1941&id=2&actionID=113&mime=9d1caf7ffd290b8e7ebeecded7496350 HTTP/1.1" 200 5894947
:> | > 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.1" 404 295
:> | > 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.1" 404 293
:> | > 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
:> | > 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
:> | > 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET /scripts/..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 315
:> | > 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET /_vti_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 328
:> | > 202.64.220.x - - [20/Oct/2002:21:17:14 +0800] "GET /_mem_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 328
:> | > 
:> | > > httpd/error_log
:> | > [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/scripts/root.exe
:> | > [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/MSADC/root.exe
:> | > [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/c/winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/d/winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/scripts/..\../winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:50 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/_vti_bin/..\../..\../..\../winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/_mem_bin/..\../..\../..\../winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/msadc/..\../..\../..\/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x] File does not exist: /var/www/html/horde/imp/scripts/..Á^\../winnt/system32/cmd.exe
:> | > 
:> | > Why am I getting these errors? I used both Netscape 7 and IE 6 browsers on Win2K to access the IMP mail server running on Linux. I also used Apache 2.0.4 on Redhat 8 on my development system and it showed the same weird messages in the logs. 
:> | > 
:> | > Anyone care to comment? Why did IMP try to access winnt stuff? Am I under attack? My virus scan showed nothing. 
:> | > 
:> | > Regards,
:> | > Fred
:> | > 
:> | -- 
:> | ---------------------------------------------------
:> | |Juan Enrique Gomez Perez
:> | | Ingeniero de Sistemas
:> | |Metropoli2000 Networks, S.L.
:> | | Phone: +34 914250023 Fax: +34 914250136
:> | | email: juan.enrique.gomez@metropoli2000.com
:> | --------------------------------------------------
:> | 
:> 
:>
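
Added example, not part of the original thread: a small Python triage of the access_log lines quoted above. It flags the root.exe, cmd.exe and `..%5C` requests per client and lists any probe that was answered with something other than 404. The signature names, function names and the last sample line (client 198.51.100.7) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined log format: client, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Patterns taken from the requests quoted in the thread (names are illustrative).
SIGNATURES = {
    "root.exe probe": re.compile(r"/root\.exe$", re.I),
    "cmd.exe probe": re.compile(r"/cmd\.exe$", re.I),
    "backslash traversal": re.compile(r"\.\.\\"),
}

def classify(uri):
    """Return the signature names matched by the percent-decoded request path."""
    path = unquote(uri.split("?", 1)[0])  # %5C becomes a literal backslash
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]

def summarize(lines):
    """Per client: number of probe requests, and probes not answered with 404."""
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not classify(m["uri"]):
            continue
        entry = report[m["client"]]
        entry["probes"] += 1
        if m["status"] != "404":  # the server returned something for the probe
            entry["answered"].append((m["uri"], m["status"]))
    return dict(report)

# The first four lines are from the thread (rejoined); the last one is constructed.
SAMPLE = [
    '202.64.220.x - - [20/Oct/2002:21:16:28 +0800] "GET /horde/imp/view.php?thismailbox=INBOX&index=1941&id=2&actionID=113&mime=9d1caf7ffd290b8e7ebeecded7496350 HTTP/1.1" 200 5894947',
    '202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.1" 404 295',
    '202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303',
    '202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET /scripts/..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 315',
    '198.51.100.7 - - [20/Oct/2002:21:20:00 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, info in summarize(SAMPLE).items():
        print(client, info)
```

For the lines from the thread every probe is counted with an empty `answered` list, which matches the replies: the Apache host only logged 404s for requests aimed at IIS.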