Code Red III?

Tue, 18 Sep 2001 06:24:04 -0700 

Heads up.  Pay attention to your servers today.  I just started detecting a
*ton* of these requests.  I think it's a follow-up worm programmed to take
advantage of the backdoors Code Red dropped on infected computers.  Maybe a
Code Red III?

The following log items are from NukeNabber running on my local machine.
Anyone else seen anything about this?  I just noticed it.

-Cameron

--------------------
Cameron Childress
elliptIQ Inc.
p.770.460.1035.232
f.770.460.0963
--
http://www.neighborware.com
America's Leading Community Network Software



[09/18/2001 09:25:55.136 GMT-0400] Connection: dhcp181.onewebsystems.com
(130.205.102.181) on port 80 (tcp).
[09/18/2001 09:25:55.166 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


[09/18/2001 09:25:55.176 GMT-0400] Port 80 (tcp) is now disabled for 60
seconds.
[09/18/2001 09:26:55.182 GMT-0400] Port 80 (tcp) is re-enabled.
[09/18/2001 09:34:39.600 GMT-0400] Connection: anhb.uwa.edu.au
(130.95.96.22) on port 80 (tcp).
[09/18/2001 09:34:39.630 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


[09/18/2001 09:34:39.640 GMT-0400] Port 80 (tcp) is now disabled for 60
seconds.
[09/18/2001 09:35:38.865 GMT-0400] Port 80 (tcp) is re-enabled.
[09/18/2001 09:36:24.681 GMT-0400] Connection: OWSAFCE (130.205.102.205) on
port 80 (tcp).
[09/18/2001 09:36:24.711 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


[09/18/2001 09:36:24.721 GMT-0400] Port 80 (tcp) is now disabled for 60
seconds.
[09/18/2001 09:37:24.016 GMT-0400] Port 80 (tcp) is re-enabled.
[09/18/2001 09:39:18.100 GMT-0400] Connection: OWSJPA (130.205.102.192) on
port 80 (tcp).
[09/18/2001 09:39:18.130 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


[09/18/2001 09:39:18.140 GMT-0400] Port 80 (tcp) is now disabled for 60
seconds.
[09/18/2001 09:40:17.265 GMT-0400] Port 80 (tcp) is re-enabled.
[09/18/2001 09:40:44.965 GMT-0400] Connection: dhcp181.onewebsystems.com
(130.205.102.181) on port 80 (tcp).
[09/18/2001 09:40:44.995 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


[09/18/2001 09:40:45.005 GMT-0400] Port 80 (tcp) is now disabled for 60
seconds.
[09/18/2001 09:41:44.391 GMT-0400] Port 80 (tcp) is re-enabled.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get the mailserver that powers this list at http://www.coolfusion.com

Archives: http://www.mail-archive.com/cf-community@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

Reply via email to