Hi!

> I and a few others I know are getting bombarded on our machines with IIS
> requests....

"a few others" seems to be a bit of an understatement.

> looks like another worm, and it's much smarter than before, it
> seems to stay within the same class A and sometimes the same class B as the
> attacking machine is in. here is an excerpt of what I believe is the full
> scan....

It doesn't always stay in the same subnet, as can be seen from these two
lines from the same server:

38.25.22.71 - - [18/Sep/2001:17:17:35 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
132.229.26.66 - - [18/Sep/2001:17:17:39 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309

At the moment I am getting well over 100 attempts per minute. These rules
(for Linux 2.4.x and 2.5.x kernels running iptables) will stop the worm at
the firewall:

$IPTABLES -I INPUT -p tcp --dport 80 -m string --string cmd.exe -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
$IPTABLES -I INPUT -p tcp --dport 80 -m string --string root.exe -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset

Cheers,
Yuri.

--------------------------------------------------------------------------
Yuri Robbers                          phone : +31-71-527-4966
Leiden University                     fax   : +31-71-527-4900
Institute for Theoretical Biology     email : yuriat_private
Kaiserstraat 63
2311 GP Leiden                        PGP 5.0 public key available:
the Netherlands                       Check your favourite hkp server.
--------------------------------------------------------------------------

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:14:20 PDT
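The post flags worm probes by the "root.exe" and "cmd.exe" strings in the request and notes both the per-minute rate and whether sources fall in the same class A or class B as the target. The following log-side check is an added example, not code from the post or from Yuri Robbers: it parses Apache common-log lines like the two quoted above, percent-decodes the path repeatedly so the double-encoded "%252f" form is seen for what it is, flags requests carrying the same two markers the iptables rules match on, and summarises hits per minute and by /8 and /16 relationship to the server's own address. The server address 198.51.100.7 and the three extra log lines are constructed for the example (they reuse only the two request paths quoted in the post); the parsing and prefix-classification functions are assumptions of this example, not anything the list or the worm defines.

```python
"""Flag worm-style IIS probes (root.exe / cmd.exe) in Apache common-log
lines and summarise them per minute and by address-prefix relationship
to our own server. Added example; sample data below is constructed."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Apache "common" log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# The same request markers the post's iptables string-match rules use.
WORM_MARKERS = ("root.exe", "cmd.exe")

# Constructed server address (RFC 5737 documentation range); an assumption.
SERVER_IP = "198.51.100.7"

# Two lines are the ones quoted in the post; the other three are constructed
# (same request paths, addresses chosen to land in the same /16, same /8, and
# one ordinary request that must not be flagged).
SAMPLE_LOG = [
    '38.25.22.71 - - [18/Sep/2001:17:17:35 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287',
    '132.229.26.66 - - [18/Sep/2001:17:17:39 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309',
    '198.51.100.200 - - [18/Sep/2001:17:18:02 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287',
    '198.18.0.5 - - [18/Sep/2001:17:18:40 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309',
    '198.51.100.9 - - [18/Sep/2001:17:18:41 +0200] "GET /index.html HTTP/1.0" 200 1043',
]


def decode_path(path, rounds=3):
    """Percent-decode until stable so '..%252f..' is read as '../..'.

    A single decode would leave '%2f' in place and hide the traversal."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded_path"] = decode_path(rec["path"])
    lowered = rec["decoded_path"].lower()
    rec["worm"] = any(marker in lowered for marker in WORM_MARKERS)
    return rec


def prefix_relation(src_ip, server_ip):
    """Classify a source as same /16, same /8 (the post's class B / class A)
    or other, relative to our own address."""
    src, srv = src_ip.split("."), server_ip.split(".")
    if src[:2] == srv[:2]:
        return "same /16"
    if src[0] == srv[0]:
        return "same /8"
    return "other"


def summarise(lines, server_ip):
    """Count flagged requests per minute, per prefix relation and per source."""
    hits = [r for r in map(parse_line, lines) if r and r["worm"]]
    return {
        "hits": len(hits),
        "per_minute": Counter(r["time"].strftime("%Y-%m-%d %H:%M") for r in hits),
        "per_relation": Counter(prefix_relation(r["ip"], server_ip) for r in hits),
        "sources": Counter(r["ip"] for r in hits),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, SERVER_IP)
    print(f"{report['hits']} flagged requests")
    for minute, n in sorted(report["per_minute"].items()):
        print(f"  {minute}: {n}/min")
    for relation, n in report["per_relation"].most_common():
        print(f"  {relation}: {n}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the per-minute counter is what lets you put a number on "well over 100 attempts per minute", and the prefix breakdown tests the class A / class B observation for your own vantage point. The repeated decoding matters because the firewall rules above match the literal bytes "cmd.exe" on the wire, which works for these requests, while a log-side check on an already-decoded path would otherwise miss the traversal that precedes it.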