Suspect Event Log
Results 1 to 5 of 5

Thread: Suspect Event Log

  1. #1
    Banned
    Join Date
    Sep 2001
    Posts
    64

    Exclamation Suspect Event Log

    After a few hours on the net I studied my event log and I found this suspect Event log. 04/25/02 5:43 454k.anmys.ca W3SVC1 WWW-2K WWW-2K.mycomputer.com 80 GET /SCRIPTS../../../WINNT.SYSTEM32/CMD.EXE / c+dir+c:\ 200 730 484 2 1+www.mysite.com MOZILLA/4.0+(compadible;+ MSIE+5.0; =win=NT) What Is that and is it dangerous it seems to me that someone probed my C dirve.

  2. #2
    Banned
    Join Date
    Oct 2001
    Posts
    1,463
    Hmmm, It could be Nimda/Code Red... Or just a vulnerability scanner

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    385
    I might have been able to understand that, but I think I need it formatted to do so. Sorry.

    This line suggests to me a download for JavaScript on a web page:
    WWW-2K.mycomputer.com 80 GET /SCRIPTS../../../WINNT.SYSTEM32/CMD.EXE
    (I believe port 80 is http and the GET /SCRIPTS../../.. .. is the command issued to get the scripts from the site)
    Preliminary operational tests were inconclusive (the dang thing blew up)

    \"Ask not what the kernel can do for you, ask what you can do for the kernel!\"

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    204
    Yeah port 80 is for HTTP...and the MOZILLA 4.0+5.0 is the IE version that you are running believe it or not it is a compatible version for what the page was designed for but as far as what the hell for I would have to lean with 1 or AcidSpectrums' ideas and vote for a virus just because the ...W3SVC1 WWW-2K WWW-2K.mycomputer.com looks like a signature that has to be ran and someone was trying to do it with the CMD, here is a question do you have NT based system...that is when I would wonder what was wrong. dir+c:\ 200 730 484 2 1+www.mysite.com MOZILLA/4.0+(compadible;+ MSIE+5.0; =win=NT
    Beware the quiet ones...

  5. #5
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    628
    The port 80 reference seems to be a negation of suspicion...probably just internet noise....probably just a cookie interaction...where have you been lately?

    Ouroboros
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides