[Full-Disclosure] ALERT WEBDAV worm on the loose

From: Michael Scheidell (scheidellat_private)
Date: Wed May 07 2003 - 04:27:35 PDT


    ISP: attbi and kcl.net
    YOU MAY BE ABLE TO HELP PREVENT THE NEXT SLAMMER TYPE NETWORK MELTDOWN.
    YOU HAVE TWO CLIENTS INFECTED WITH THIS NEW WORM NOW.  DON'T WAIT TILL IT'S
    TOO LATE.
    
    Source IP addresses involved so far are
    216.5.78.37 and 12.210.139.132
    
    If any of your recent penetration tests revealed a WEBDAV weakness, you
    MUST TAKE YOUR SERVER OFF LINE NOW and make sure it was not infected.
    If you have any MS servers inside your network that may be vulnerable,
    take them off line until you can apply the patch.  A worm can work its way
    into your network via email or other means and they can infect servers and
    workstations running MS SERVER behind the firewall.
    
    A new WEBDAV worm is roaming the internet RIGHT NOW.  Yesterday, it was
    announced that security company ISS had one of their servers compromised
    and web site defaced using a vulnerability in Microsoft's WEBDAV (ISS
    later announced that they meant for that server to be hacked to track
    hacker and worm activity, see story at:
    http://www.zone-h.org/en/defacements/view/id=258882
    
    Last night, we saw over one thousand servers attacked on more than 6
    different networks by what appeared to be a worm that used the same code
    as found in discussions about this worm.  This did not appear to be
    normal, and it appears to be a sequential scan.
    
    What this means is that hackers are looking for servers that have
    weaknesses in their WEBDAV and have not applied patch ms03-007.  If you
    have not applied that patch, we suggest you take your server off line
    immediately and then you must check your server and server logs for
    attacks.
    
    In your server logs you may find a string like this:
    SEARCH / HTTP/1.1\r\n",
                 "Host: nnnnnn"
    
    Where nnnnn is your host name or IP address.
    
    We have good confidence that there is a worm at work due to the following:
    A) the host inserted in the string is the IP address, and not the
    hostname (any reference to your web site would have been via name)
    
    B) this worm has attacked 6 different networks so far, in one case hitting
    740 IP addresses on one network and 504 IP addresses on another network.
    
    C) the worm has attempted to contact hosts that are not running a web server
    (scanning)
    
    D) Once the worm finds a web server, it only sends the search string to MS
    servers.
    
    For more information on the worm, see the MS announcement of the
    vulnerability from March 17th:
    http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
    
    For lists of the source ip addresses and networks attacked, see:
    
    http://www.hackertrap.net/IP.pl?IP=216.5.78.37
    and 
    http://www.hackertrap.net/IP.pl?IP=12.210.139.232
    
    --
    Michael Scheidell
    SECNAP Network Security, LLC
    (561) 368-9561 scheidellat_private
    http://www.secnap.net
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
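An added example, not part of the original message, that applies the indicator described in the post to IIS W3C extended logs: SEARCH requests whose Host header carries an IP literal rather than a hostname, counted per client address. The log field list and sample lines are constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C extended format (fields declared on the #Fields: line).
# Addresses and status codes are made up for the example, not taken from the report.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2003-05-07 03:12:01 198.51.100.7 GET /index.htm www.example.test 200
2003-05-07 03:12:05 203.0.113.9 SEARCH / 192.0.2.10 411
2003-05-07 03:12:06 203.0.113.9 SEARCH / 192.0.2.10 411
2003-05-07 03:13:40 198.51.100.7 SEARCH /docs/ www.example.test 207
2003-05-07 03:14:02 203.0.113.44 SEARCH / 192.0.2.10 500
"""

def is_ip_literal(host):
    """True when the Host value is a bare IP address (optional :port stripped)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0] if host.count(":") == 1 else host)
        return True
    except ValueError:
        return False

def parse_w3c(text):
    """Yield one dict per log record, using the column names from the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_search_probes(text):
    """Count, per client IP, SEARCH requests whose Host header is an IP literal.

    A legitimate WebDAV client normally addresses the server by name, so a SEARCH
    with a numeric Host is the heuristic (A) the post describes; the name-based
    SEARCH from 198.51.100.7 below is therefore not flagged.
    """
    hits = Counter()
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() == "SEARCH" and is_ip_literal(rec["cs-host"]):
            hits[rec["c-ip"]] += 1
    return hits

if __name__ == "__main__":
    for client, count in find_search_probes(SAMPLE_LOG).most_common():
        print(f"{client}: {count} SEARCH request(s) with IP-literal Host")
```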
    



    This archive was generated by hypermail 2b30 : Wed May 07 2003 - 06:16:10 PDT