[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[port139:00694] Re: Nimda $B%o!<%`(B

To: port139@xxxxxxxxxxxxx
Subject: [port139:00694] Re: Nimda $B%o!<%`(B
From: Kenji Yamamoto <yamaken@xxxxxxxxxx>
Date: Sat, 22 Sep 2001 03:59:30 +0900
$B;3K\$G$9!#(B
(B
(B|Subject: [port139:00681] Re: Nimda $B%o!<%`(B
(B|From: hamamoto <r00t@xxxxxxxxxxx>
(B|Date: Wed, 19 Sep 2001 22:01:56 +0900
(B|Message-Id: <20010919215834.BB23.R00T@xxxxxxxxxxx>
(B|User-Agent: Becky! ver. 2.00
(B
(B| > $B$3$s$P$s$O!">.@n$G$9!#(B
(B| > $B$J$<$+$3$3$G$Oe$2$i$l$F$$$J$$$h$&$G$9$N$G!&!&!&(B(^^;
(B| > $B0l1~B?>/>pJs$r!#(B
(B| > http://www.microsoft.com/japan/technet/security/nimdaalrt.asp
(B| > http://www.symantec.com/region/jp/sarcj/data/w/w32.nimda.a@xxxxxxx
(B| > $B%5!<%P@_Dj$K4X$7$F$O(BCodeRed$BBP:v$7$F$??M$O0B?4$i$7$$$G$9!#(B
(B
$B%^%$%/%m%=%U%H$N%5%$%H$+$iL5=~%@%&%s%m!<%I$G$-$k(B URLscan $B$H!"(BCCS 
$BD9C+@n;a$Ne5-(B TechNet $B%5%$%H$G$N5-=R(B
$B$N$[$+!"$3$l$i$rE,MQ$7$?$3$H$bAjPX$C$F!"2?$H$+L5Fq$J>uBV$K$J$C$F(B
$B$$$k$h$&$G$9!#(B Windows XP Professional $B$N(B Personal Firewall $B$b$H(B
$B$j$"$($:M-8z$K$7$F!"MM;R$r8+$F$$$^$9!#(B
(B
(B# $B$7$+$7!"46@w$7$?$H;W$o$l$kCu$O!"$$$d$G$9$M$'!#(B
(B
(BURL Scan
(Bhttp://www.microsoft.com/downloads/release.asp?ReleaseID=32571
(BIIS Lockdown Tool
(Bhttp://www.microsoft.com/downloads/release.asp?ReleaseID=32362
(BGuard3.dll
(Bhttp://www.trusnet.com/tools/guard3/index.html
(Bhttp://www.port139.co.jp/guard3/
(B
$B%m%0=PNONc(B
(B
(BURL Scan
(B------------------------------------------------------------
(B[$B6b(B, 9 21 2001 - 21:23:31] ---------- UrlScan.dll Initializing ----------
(B[$B6b(B, 9 21 2001 - 21:23:31] URLs will be normalized before analysis.
(B[$B6b(B, 9 21 2001 - 21:23:31] URL normalization will be verified.
(B[$B6b(B, 9 21 2001 - 21:23:31] URLs may contain OEM, international and UTF-8 characters.
(B[$B6b(B, 9 21 2001 - 21:23:31] URLs must not contain any dot except for the file extension.
(B[$B6b(B, 9 21 2001 - 21:23:31] Only the following verbs will be allowed (case sensitive):
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'GET'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'HEAD'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'POST'
(B[$B6b(B, 9 21 2001 - 21:23:31] Requests for following extensions will be rejected:
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.exe'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.bat'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.cmd'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.com'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.htw'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.ida'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.idq'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.htr'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.idc'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.shtm'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.shtml'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.stm'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.printer'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.ini'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.log'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.pol'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'.dat'
(B[$B6b(B, 9 21 2001 - 21:23:31] Requests containing the following headers will be rejected:
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'translate:'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'if:'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'lock-token:'
(B[$B6b(B, 9 21 2001 - 21:23:31] Requests containing the following character sequences will be rejected:
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'..'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'./'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'\'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	':'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'%'
(B[$B6b(B, 9 21 2001 - 21:23:31] 	'&'
(B[$B6b(B, 9 21 2001 - 21:33:44] Client at ($B967bB&%[%9%H(BA): URL contains extension '.exe', which is disallowed. Request will be rejected.  Raw URL='/scripts/root.exe'
(B[$B6b(B, 9 21 2001 - 21:33:44] Client at ($B967bB&%[%9%H(BA): URL contains extension '.exe', which is disallowed. Request will be rejected.  Raw URL='/MSADC/root.exe'
(B[$B6b(B, 9 21 2001 - 21:33:44] Client at ($B967bB&%[%9%H(BA): URL contains extension '.exe', which is disallowed. Request will be rejected.  Raw URL='/c/winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:44] Client at ($B967bB&%[%9%H(BA): URL contains extension '.exe', which is disallowed. Request will be rejected.  Raw URL='/d/winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:44] Client at ($B967bB&%[%9%H(BA): URL normalization was not complete after one pass. Request will be rejected.  Raw URL='/scripts/..%255c../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:45] Client at ($B967bB&%[%9%H(BA): URL normalization was not complete after one pass. Request will be rejected.  Raw URL='/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:45] Client at ($B967bB&%[%9%H(BA): URL normalization was not complete after one pass. Request will be rejected.  Raw URL='/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:45] Client at ($B967bB&%[%9%H(BA): URL normalization was not complete after one pass. Request will be rejected.  Raw URL='/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:45] Client at ($B967bB&%[%9%H(BA): URL contains '.' in the path. Request will be rejected.  Raw URL='/scripts/..%c1%1C../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:45] Client at ($B967bB&%[%9%H(BA): URL contains extension '.exe', which is disallowed. Request will be rejected.  Raw URL='/scripts/..%c0%2F../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:45] Client at ($B967bB&%[%9%H(BA): URL contains extension '.exe', which is disallowed. Request will be rejected.  Raw URL='/scripts/..%c0%af../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:45] Client at ($B967bB&%[%9%H(BA): URL contains extension '.exe', which is disallowed. Request will be rejected.  Raw URL='/scripts/..%c1%9c../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:45] Client at ($B967bB&%[%9%H(BA): URL normalization was not complete after one pass. Request will be rejected.  Raw URL='/scripts/..%255%63../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:46] Client at ($B967bB&%[%9%H(BA): URL normalization was not complete after one pass. Request will be rejected.  Raw URL='/scripts/..%255c../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:46] Client at ($B967bB&%[%9%H(BA): URL normalization was not complete after one pass. Request will be rejected.  Raw URL='/scripts/..%25%35%63../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:33:46] Client at ($B967bB&%[%9%H(BA): URL normalization was not complete after one pass. Request will be rejected.  Raw URL='/scripts/..%252f../winnt/system32/cmd.exe'
(B[$B6b(B, 9 21 2001 - 21:49:09] Client at ($B967bB&%[%9%H(BB): URL contains extension '.exe', which is disallowed. Request will be rejected.  Raw URL='/scripts/root.exe'
(B[$B6b(B, 9 21 2001 - 21:58:20] Client at ($B967bB&%[%9%H(BC): URL contains extension '.ida', which is disallowed. Request will be rejected.  Raw URL='/default.ida'
(B[$B6b(B, 9 21 2001 - 22:00:09] Client at ($B967bB&%[%9%H(BD): URL contains extension '.ida', which is disallowed. Request will be rejected.  Raw URL='/default.ida'
(B------------------------------------------------------------
(B
(BGuard3.dl
(B------------------------------------------------------------
(B*long_url_rejected: client=($B967bB&%[%9%H(BA), server=www, date=2001/9/21_21:33:45
(BGET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(BHost: www
(BConnnection: close
(B
(B;;;
(B
(B*characters_translated: client=($B967bB&%[%9%H(BA), server=www, date=2001/9/21_21:33:45
(BGET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(BHost: www
(BConnnection: close
(B
(B;;;
(B
(B*characters_translated: client=($B967bB&%[%9%H(BA), server=www, date=2001/9/21_21:33:46
(BGET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
(BHost: www
(BConnnection: close
(B
(B;;;
(B
(B*long_url_rejected: client=($B967bB&%[%9%H(BC), server=($B;d$NCe(B
(B
$B;3K\8,http://www.jwntug.or.jp/tech/technote/index-j.html
(BJWNTUG NT-FAQ-J http://www.jwntug.or.jp/tech/ntfaqj/index.html
(BKenji Yamamoto MCP+I, MCSE(TCP/IP, IEAK4, IIS 4.0)
(Bmailto:ethernet@xxxxxxxxxxxxxxxx
References:
- [port139:00681] Re: Nimda $B%o!<%`(B
  - From: hamamoto
Prev by Date: [port139:00693] $BCf9q0l9f(B
Next by Date: [port139:00695] TCTUTILs
Previous by thread: [port139:00681] Re: Nimda $B%o!<%`(B
Next by thread: [port139:00682] $B%;%-%e%j%F%#(B$B%9%?%8%"%`(B
Index(es):
- Date
- Thread
[port139:00694] Re: Nimda $B%o!<%`(B

[port139:00694] Re: Nimda $B%o!<%`(B
