Re: Unicode worm?

From: Kurt Seifried (bugtraqat_private)
Date: Wed Aug 21 2002 - 22:45:02 PDT

  • Next message: Deus, Attonbitus: "RE: Unicode worm?"

    >   I've noticed some activity on a couple of web servers which I'm trying
    > find an explanation for.  It's been happening for about 2 months.  Here's
    > log snippet :
    > [08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was not
    > complete after one pass. Request will be rejected.  Site Instance='1', Raw
    > URL='/scripts/..%255c%255c../winnt/system32/cmd.exe'
    I've got these requests going back to May, beyond that I'd have to
    uncompress logs but who cares. If I grep for "255" and/or ".." and
    "cmd.exe"... well.. yeah. lots and lots of entries. It's code
    red/blue/green/god knows what and Nimda and lord knows what else.
    Make sure your servers are patched before they go online and if you're like
    me find someone nice to have dinner with and forget about it. There are much
    better things to do in life then worrying about the latest (or not so
    latest) windows worm.
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 08:59:36 PDT