R: [imp] Apache errors regarding IMP
Giovanni Riganti
griganti@eco.uninsubria.it
Mon Oct 21 15:34:25 2002
Try this scanner
Nimda Scanner from eEye Digital Security
http://www.eeye.com/html/Research/Tools/nimda.html
and scan the host 202.64.220.0/24
Bye,
Gio
:> -----Messaggio originale-----
:> Da: imp-bounces@lists.horde.org =
[mailto:imp-bounces@lists.horde.org]Per
:> conto di Frederick Ho
:> Inviato: lunedì 21 ottobre 2002 16:14
:> A: Juan Enrique Gómez
:> Cc: IMP mail-list
:> Oggetto: Re: [imp] Apache errors regarding IMP
:>
:>
:> Hmm, my virus scan on my Win2k workstation showed nothing. I
:> properly need another virus scanner.
:> But is it that it is my infected computer sending the Apache
:> with bad HTML instructions to IMP?
:>
:> Regard,
:> Fred
:>
:> ----- Original Message -----
:> From: "Juan Enrique Gómez" <juanen@metropoli2000.com>
:> To: "Frederick Ho" <fkho@netvigator.com>
:> Cc: "IMP mail-list" <imp@lists.horde.org>
:> Sent: Monday, October 21, 2002 9:12 PM
:> Subject: Re: [imp] Apache errors regarding IMP
:>
:>
:> | El lun, 21-10-2002 a las 15:02, Frederick Ho escribió:
:> |
:> | Hi!
:> |
:> | This is typically produced from virus infected systems, i think is
:> | called Nimbda, check if that ip is your, if so then your computer =
has
:> | this worm. Any way this worm only affects to non-patched iis
:> servers, if
:> | you use apache you should not worry except for the infected =
computers.
:> |
:> | Best,
:> |
:> | > Hi,
:> | > I am currently running Horde 2.1, IMP 3.1 in RedHat 7.2
:> with Apache 1.3.23 and logged some weird messages in the Apache logs.
:> | >
:> | > Has anyone see the following errors in the Linux
:> httpd/access_log, httpd/error_log regarding the Horde/IMP errors?
:> | >
:> | > > httpd/access_log
:> | > 202.64.220.x - - [20/Oct/2002:21:16:28 +0800] "GET
:> =
/horde/imp/view.php?thismailbox=INBOX&index=1941&id=2&actionID=11
:> 3&mime=9d1caf7ffd290b8e7ebeecded7496350 HTTP/1.1" 200 5894947
:> | > 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET
:> /scripts/root.exe?/c+dir HTTP/1.1" 404 295
:> | > 202.64.220.x - - [20/Oct/2002:21:17:09 +0800] "GET
:> /MSADC/root.exe?/c+dir HTTP/1.1" 404 293
:> | > 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET
:> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
:> | > 202.64.220.x - - [20/Oct/2002:21:17:10 +0800] "GET
:> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 303
:> | > 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET
:> /scripts/..%5C../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 315
:> | > 202.64.220.x - - [20/Oct/2002:21:17:13 +0800] "GET
:> /_vti_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir
:> HTTP/1.1" 404 328
:> | > 202.64.220.x - - [20/Oct/2002:21:17:14 +0800] "GET
:> /_mem_bin/..%5C../..%5C../..%5C../winnt/system32/cmd.exe?/c+dir
:> HTTP/1.1" 404 328
:> | >
:> | > > httpd/error_log
:> | > [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x]
:> File does not exist: /var/www/html/horde/imp/scripts/root.exe
:> | > [Sun Oct 20 04:18:46 2002] [error] [client 202.64.220.x]
:> File does not exist: /var/www/html/horde/imp/MSADC/root.exe
:> | > [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x]
:> File does not exist: /var/www/html/horde/imp/c/winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x]
:> File does not exist: /var/www/html/horde/imp/d/winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:47 2002] [error] [client 202.64.220.x]
:> File does not exist:
:> /var/www/html/horde/imp/scripts/..\../winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:50 2002] [error] [client 202.64.220.x]
:> File does not exist:
:> =
/var/www/html/horde/imp/_vti_bin/..\../..\../..\../winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x]
:> File does not exist:
:> =
/var/www/html/horde/imp/_mem_bin/..\../..\../..\../winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x]
:> File does not exist:
:> =
/var/www/html/horde/imp/msadc/..\../..\../..\/..Á^\../..Á^\../..Á
:> ^\../winnt/system32/cmd.exe
:> | > [Sun Oct 20 04:18:52 2002] [error] [client 202.64.220.x]
:> File does not exist:
:> /var/www/html/horde/imp/scripts/..Á^\../winnt/system32/cmd.exe
:> | >
:> | > Why am I getting these errors? I used both Netscape 7 and IE
:> 6 browser on Win2K to access the IMP mail server running on
:> Linux. I also used Apache 2.0.4 on Redhat 8 on my development
:> system and it showed the same weird messages on the logs.
:> | >
:> | > Anyone care to comment? Why the IMP tried to access winnt
:> stuff? Am I under attacks? My virus scan showed nothing.
:> | >
:> | > Regards,
:> | > Fred
:> | >
:> | --
:> | ---------------------------------------------------
:> | |Juan Enrique Gomez Perez
:> | | Ingeniero de Sistemas
:> | |Metropoli2000 Networks, S.L.
:> | | Phone: +34 914250023 Fax: +34 914250136
:> | | email: juan.enrique.gomez@metropoli2000.com
:> | --------------------------------------------------
:> |
:>
:> --
:> IMP mailing list
:> Frequently Asked Questions: http://horde.org/faq/
:> To unsubscribe, mail: imp-unsubscribe@lists.horde.org
:>