Re: [squid-users] WinNT Server Access Problem

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 19 Sep 2001 18:22:22 +1000

Like Joe Cooper, I am subscribed to squid-users. There's no need to send
direct email.

I'm not sure, I'd need to go check the source.

Rob

----- Original Message -----
From: "khiz code" <khizcode@yahoo.com>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Sent: Wednesday, September 19, 2001 4:30 PM
Subject: RE: [squid-users] WinNT Server Access Problem

> I've got something similar.
> The only difference is that I get NONE in place of DIRECT.
> Does this mean that the request is not forwarded to the destination
> host?
> rgds
> khizcode
>
> --- Robert Collins <robert.collins@itdomain.com.au> wrote:
> > You've been hit by W32/NIMDA. It's a worm.
> >
> > Rob
> >
> > > -----Original Message-----
> > > From: Arvin V. Carlos [mailto:spaceman@server.pccomshop.com]
> > > Sent: Wednesday, September 19, 2001 12:33 PM
> > > To: Squid Users Mailing List
> > > Cc: orly@mozcom.com
> > > Subject: [squid-users] WinNT Server Access Problem
> > >
> > >
> > >
> > > We have two NT 4.0 running IIS. Suddenly our squid went down because of
> > > a disk space problem. We checked our log files and it eats our disk space
> > > because our NT machines try to resolve this all the time:
> > >
> > > 255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn
> > > t/system32/cmd.exe
> > > ? - DIRECT/www -
> > > 1000866350.455 1 208.142.136.115 TCP_MISS/503 1202 GET
> > > http://www/scripts/.
> > > .%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> > > 1000866350.487 1 208.142.136.115 TCP_MISS/503 1168 GET
> > > http://www/c/winnt/s
> > > ystem32/cmd.exe? - DIRECT/www -
> > > 1000866350.496 1 208.142.136.115 TCP_MISS/503 1168 GET
> > > http://www/d/winnt/s
> > > ystem32/cmd.exe? - DIRECT/www -
> > > 1000866350.505 2 208.142.136.115 TCP_MISS/503 1200 GET
> > > http://www/scripts/.
> > > .%255c../winnt/system32/cmd.exe? - DIRECT/www -
> > > 1000866350.514 2 208.142.136.115 TCP_MISS/503 1242 GET
> > > http://www/_vti_bin/
> > > ..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www
> > -
> > > 1000866350.530 1 208.142.136.115 TCP_MISS/503 1242 GET
> > > http://www/_mem_bin/
> > > ..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www
> > -
> > > 1000866350.539 2 208.142.136.115 TCP_MISS/503 1299 GET
> > > http://www/msadc/..%
> > > 255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winn
> > > t/system32/cmd.exe
> > > ? - DIRECT/www -
> > > 1000866350.548 2 208.142.136.115 TCP_MISS/503 1202 GET
> > > http://www/scripts/.
> > > .%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
> > > 1000866350.557 1 208.142.136.115 TCP_MISS/503 1202 GET
> > > http://www/scripts/.
> > > .%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
> > >
> > >
> > > Can anyone explain this? Is this a virus? Pls HELP!!!
> > >
> > > --
> > > ===============================================================================
> > > Arvin V. Carlos Office Phone:
> > > Linux System Administrator (047)237-6001/237-6002
> > > Pccomshop Inc. http://www.pccomshop.com
> > >
> > > -- Some people are afraid of nothing! --
> > > ===============================================================================
Received on Wed Sep 19 2001 - 02:21:35 MDT
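
For triaging an access.log like the one quoted in this thread, the following is an added example (not code from the thread's participants or from the Squid project) that flags requests matching the probe pattern visible in the excerpt and tallies them per client and per hierarchy code. The sample lines are constructed from the excerpt with the wrapped lines rejoined; the client addresses and the final benign line are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout, modelled on the
# excerpt in the thread (wrapped lines rejoined; client addresses are
# documentation placeholders). The last line is an ordinary request.
SAMPLE_LOG = """\
1000866350.455 1 192.0.2.10 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.487 1 192.0.2.10 TCP_MISS/503 1168 GET http://www/c/winnt/system32/cmd.exe? - DIRECT/www -
1000866350.505 2 192.0.2.10 TCP_MISS/503 1200 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.557 1 192.0.2.10 TCP_MISS/503 1202 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
1000866351.102 48 192.0.2.25 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/www.example.com text/html
"""

# Encodings that appear in the thread's log: a double-encoded backslash and
# two overlong UTF-8 sequences, each placed between "../" traversal steps.
ENCODED_TRAVERSAL = re.compile(r"%255c|%c1%1c|%c0%2f", re.I)
SHELL_TARGET = re.compile(r"/winnt/system32/cmd\.exe$", re.I)

def classify(url):
    """Return the reasons a request URL matches the probe pattern (empty if none)."""
    path = urlsplit(url).path  # urlsplit does not percent-decode the path
    reasons = []
    if SHELL_TARGET.search(path):
        reasons.append("cmd.exe target")
    if ENCODED_TRAVERSAL.search(path):
        reasons.append("encoded traversal")
    return reasons

def scan(log_text):
    """Tally flagged requests per client address and per hierarchy code."""
    by_client, by_hierarchy = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # wrapped or truncated line: skip rather than guess
        client, url, hierarchy = fields[2], fields[6], fields[8]
        if classify(url):
            by_client[client] += 1
            by_hierarchy[hierarchy.split("/")[0]] += 1
    return by_client, by_hierarchy

if __name__ == "__main__":
    clients, hierarchy = scan(SAMPLE_LOG)
    for client, hits in clients.most_common():
        print(f"{client}: {hits} probe requests")
    print(dict(hierarchy))
```

The per-client tally identifies which internal hosts are generating the requests, and the hierarchy tally shows whether the flagged entries were logged as DIRECT or under some other code.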

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:17 MST