What should i look for in NT apache logs?

[razey]

hi!
one of my friends had his site recently defaced. this is making me kind of jittery. i went and looked at my apache log files, and notices a few odd lines. i am runnin Winnt/2k/Xp.
What should i be looking for in my logs that will give me a direct indication if someone is trying to root me? mabey error #'s or requests of certain files?
thank you,
steve

 

[RhythmAce]

If you are seeing anything that looks like this, it ain't a good thing.

[Fri Oct 26 11:17:50 2001] [error] [client 24.19.12.133] File does not exist: /var/

http://www/html/scripts/root.exe

[Fri Oct 26 12:11:05 2001] [error] [client 24.19.218.51] File does not exist: /var/

http://www/html/scripts/root.exe

[Fri Oct 26 12:11:05 2001] [error] [client 24.19.218.51] File does not exist: /var/

http://www/html/MSADC/root.exe

[Fri Oct 26 12:11:06 2001] [error] [client 24.19.218.51] File does not exist: /var/

http://www/html/c/winnt/system32/cmd.exe

[Fri Oct 26 12:11:06 2001] [error] [client 24.19.218.51] File does not exist: /var/

http://www/html/d/winnt/system32/cmd.exe

[Fri Oct 26 12:11:06 2001] [error] [client 24.19.218.51] File does not exist: /var/

http://www/html/scripts/..\../winnt/system32/cmd.exe

[Fri Oct 26 12:11:06 2001] [error] [client 24.19.218.51] File does not exist: /var/

http://www/html/_vti_bin/..\../..\../..\../winnt/system32/cmd.exe

[Fri Oct 26 12:11:07 2001] [error] [client 24.19.218.51] File does not exist: /var/

http://www/html/_mem_bin/..\../..\../..\../winnt/system32/cmd.exe

If you are running windows, I would check with microsoft to see what they have for the NIMDA virus. Linux users don't have to worry but it does fill up a log file fast.

 

[razey]

oh i see plenty of those lines in my error and access log. i was told that this was the effects of nimda, so i did a scan and came up with nothing. should i still be worrying at the moment?