May 2nd, 2002, 01:32 AM
Suspect Event Log
After a few hours on the net I studied my event log and I found this suspect Event log.
04/25/02 5:43 454k.anmys.ca W3SVC1 WWW-2K WWW-2K.mycomputer.com 80 GET /SCRIPTS../../../WINNT.SYSTEM32/CMD.EXE / c+dir+c:\ 200 730 484 2 1+www.mysite.com MOZILLA/4.0+(compadible;+ MSIE+5.0; =win=NT)
What is that, and is it dangerous? It seems to me that someone probed my C drive.
May 2nd, 2002, 01:42 AM
Hmmm, it could be Nimda/Code Red... Or just a vulnerability scanner.
May 2nd, 2002, 02:14 AM
I might have been able to understand that, but I think I need it formatted to do so. Sorry.
WWW-2K.mycomputer.com 80 GET /SCRIPTS../../../WINNT.SYSTEM32/CMD.EXE
(I believe port 80 is http and the GET /SCRIPTS../../.. .. is the command issued to get the scripts from the site)
Preliminary operational tests were inconclusive (the dang thing blew up)
"Ask not what the kernel can do for you, ask what you can do for the kernel!"
May 2nd, 2002, 02:28 AM
Yeah, port 80 is for HTTP... and the MOZILLA 4.0+5.0 is the IE version that you are running. Believe it or not, it is a compatible version for what the page was designed for. But as far as what the hell for, I would have to lean with 1 or AcidSpectrums' ideas and vote for a virus, just because the ...W3SVC1 WWW-2K WWW-2K.mycomputer.com looks like a signature that has to be run and someone was trying to do it with the CMD. Here is a question: do you have an NT-based system? That is when I would wonder what was wrong.
dir+c:\ 200 730 484 2 1+www.mysite.com MOZILLA/4.0+(compadible;+ MSIE+5.0; =win=NT
May 2nd, 2002, 02:54 AM
The port 80 reference seems to be a negation of suspicion...probably just internet noise....probably just a cookie interaction...where have you been lately?
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
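
Added example, not part of any post in this thread: a small Python triage for log lines laid out like the one quoted in the first post. That line's request combines "../" path traversal with CMD.EXE and "/c dir c:\", and the server answered it with status 200. The field positions, the function name triage and the second and third sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote

METHODS = {"GET", "HEAD", "POST"}
TRAVERSAL = re.compile(r"\.\.[/\\]")        # "../" or "..\" after decoding
SHELL = re.compile(r"\bcmd\.exe\b", re.I)   # command interpreter named in the request
STATUS = re.compile(r"[1-5]\d\d")           # HTTP status token

SAMPLES = [
    # Line exactly as quoted in the first post.
    r"04/25/02 5:43 454k.anmys.ca W3SVC1 WWW-2K WWW-2K.mycomputer.com 80 GET "
    r"/SCRIPTS../../../WINNT.SYSTEM32/CMD.EXE / c+dir+c:\ 200 730 484 2 "
    r"1+www.mysite.com MOZILLA/4.0+(compadible;+ MSIE+5.0; =win=NT)",
    # Constructed: ordinary page request.
    "04/25/02 5:44 host.example.net W3SVC1 WWW-2K WWW-2K.mycomputer.com 80 GET "
    "/index.htm - 200 1024 300 15",
    # Constructed: same request shape as the first line, but refused by the server.
    r"04/25/02 5:45 other.example.net W3SVC1 WWW-2K WWW-2K.mycomputer.com 80 GET "
    r"/SCRIPTS../../../WINNT.SYSTEM32/CMD.EXE / c+dir+c:\ 404 0 484 2",
]

def triage(line):
    """Classify one log line; returns None when no HTTP method token is present."""
    tokens = line.split()
    idx = next((k for k, t in enumerate(tokens) if t in METHODS), None)
    if idx is None:
        return None
    rest = tokens[idx + 1:]
    # The pasted line has spaces inside the request, so everything up to the
    # first three-digit status token is treated as the request target.
    end = next((k for k, t in enumerate(rest) if STATUS.fullmatch(t)), len(rest))
    # Percent-decode before matching so encoded forms of the same path also match.
    target = unquote(" ".join(rest[:end])).replace("+", " ")
    status = int(rest[end]) if end < len(rest) else None
    reasons = []
    if TRAVERSAL.search(target):
        reasons.append("directory traversal")
    if SHELL.search(target):
        reasons.append("cmd.exe in request")
    # A 200 means the server answered the request successfully: look at it first.
    verdict = "ok" if not reasons else ("review-first" if status == 200 else "probe")
    client = tokens[2] if idx > 2 else None  # assumption: client is the third field
    return {"client": client, "target": target, "status": status,
            "reasons": reasons, "verdict": verdict}

if __name__ == "__main__":
    for sample in SAMPLES:
        r = triage(sample)
        print(r["verdict"], r["client"], r["status"], r["reasons"])
```
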