I was looking through my logs and found some hits yesterday morning that are reminiscent of today's worm -

    66.31.95.41 - - [17/Sep/2001:08:13:42 -0700] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
    66.31.95.41 - - [17/Sep/2001:08:13:42 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"

on my server at 64.81.65.40, and

    66.31.95.41 - - [17/Sep/2001:08:13:43 -0700] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 284 "-" "-"
    66.31.95.41 - - [17/Sep/2001:08:13:43 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286 "-" "-"

on my server at 64.81.65.41; the machine located at 66.31.95.41 serves up a page with a rant about morality and religion purporting to be from Fluffi Bunni (or Philo Bunny), along with electronic copies of books about vi, sed, TCP/IP, and C.

The <title> of the page is "sh0dan.org", and it appears to be a copy of the pages which are available at <http://sh0dan.org>. (that's a zero, not an "oh", in "sh0dan".)

I wonder if 66.31.95.41 was an early infection vector - has that machine shown up in others' logs?

--
Greg Broiles
gbroilesat_private
"We have found and closed the thing you watch us with." -- New Delhi street kids
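
Added example, not part of the original post: a short Python scan of Apache combined-format access logs for the root.exe requests quoted above, grouped by client address so the same source can be compared across servers. The first four sample lines are the ones from the post; the 192.0.2.10 line and the unparseable line are constructed, and the name find_probes is an assumption of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# Requests for root.exe carrying a "/c+<command>" query string, as in the post.
PROBE_RE = re.compile(r'/root\.exe\?/c\+', re.IGNORECASE)

def find_probes(lines):
    """Group root.exe probe requests by client address."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "paths": set(), "served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m["target"]):
            continue  # unparseable line or unrelated request
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec = hits[m["host"]]
        rec["count"] += 1
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
        rec["paths"].add(m["target"].split("?", 1)[0])
        # Status 200 means the server answered the request: triage that host.
        if m["status"] == "200":
            rec["served"] += 1
    return dict(hits)

# First four lines are quoted from the post (both servers' logs combined);
# the last two are constructed to show non-matching input being skipped.
SAMPLE = [
    '66.31.95.41 - - [17/Sep/2001:08:13:42 -0700] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '66.31.95.41 - - [17/Sep/2001:08:13:42 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"',
    '66.31.95.41 - - [17/Sep/2001:08:13:43 -0700] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 284 "-" "-"',
    '66.31.95.41 - - [17/Sep/2001:08:13:43 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286 "-" "-"',
    '192.0.2.10 - - [17/Sep/2001:08:14:01 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for host, rec in find_probes(SAMPLE).items():
        print(host, rec["count"], sorted(rec["paths"]),
              rec["first"].isoformat(), "served:", rec["served"])
```
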
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 16:17:33 PDT