FYI, this does not directly affect any of our (Apache) web servers,
but it is additional traffic hitting all of us and slowing things down...
there appears to be a new Code Red-ish type of worm going around right
now hitting an old vulnerability in Microsoft IIS. If you look in 
/var/log/httpd/access_log, you may see junk like:

   www.lodestar2.dyndns.org 24.43.136.68 - - [18/Sep/2001:12:11:57 -0400]
   "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
   404 232 "-" "-"
   www.lodestar2.dyndns.org 24.43.215.118 - - [18/Sep/2001:12:12:00 -0400]
   "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
   www.lodestar2.dyndns.org 24.43.215.118 - - [18/Sep/2001:12:12:00 -0400]
   "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"

The key part is 'cmd.exe'.  It appears to have just started hitting my home
(e-smith) server today:

  # grep cmd.exe /var/log/httpd/access_log* | wc
     1687   21930  307204
  # grep cmd.exe /var/log/httpd/access_log* | grep 18/Sep | wc
     1686   21918  307035

(The first command looks at ALL access logs and pipes the output to 'wc' where
the first number is the number of lines (i.e. entries) in the file that are 
pulled out by grep.  The second command pipes the initial output through a
second grep where it isolates only entries from today.)

Interestingly, the 1 other instance of this string came not from yesterday but
back on August 20th.  In a quick scan of http://www.incidents.org/ I didn't
see anything (yet), but a member of our local LUG posted the following link
to a story on Slashdot:

  http://slashdot.org/articles/01/09/18/151203.shtml

I didn't have time to look at it other than a VERY brief scan... but it sounds
like this is maybe something launched by people opening attachments. 

Anyway, this new beastie appears to be out there and annoying systems near
you...  (I received another 200 hits by it in the time it took me to write
this message.)

Dan


-- 
Dan York, Director of Training        [EMAIL PROTECTED]
Ph: +1-613-751-4401 Cell: +1-613-263-4312 Fax: +1-613-564-7739 
Mitel Network Corporation Network Server Solutions Group 
150 Metcalfe St., Suite 1500, Ottawa,ON K2P 1P1 Canada
http://www.e-smith.com/            http://www.mitel.com/           

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
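To go one step beyond the grep-and-wc counting in the message above, here is an added Python example (written for this page, not code from the post, from e-smith or from Mitel). It parses lines in the same vhost-first Apache access_log format, percent-decodes the request path repeatedly so that the '..%252f..' in the first logged request is recognised as '../..' (one decode round would leave '%2f' in place and miss the traversal), keys on 'cmd.exe' exactly as the post does, and tallies matches per day and per source address. Input is the three log lines quoted in the post plus two constructed ones: a benign request, and a '%255c' variant dated 20/Aug/2001 from 192.0.2.10 (both made up for the example; the address is from the documentation range).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache access_log with the virtual host as the first field, as in the post.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Three lines copied from the post plus two constructed ones: a benign
# request, and a double-encoded backslash variant (%255c) dated 20/Aug/2001.
# 192.0.2.10 is a documentation-range address, not a real source.
SAMPLE_LOG = """\
www.lodestar2.dyndns.org 24.43.136.68 - - [18/Sep/2001:12:11:57 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
www.lodestar2.dyndns.org 24.43.215.118 - - [18/Sep/2001:12:12:00 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.lodestar2.dyndns.org 24.43.215.118 - - [18/Sep/2001:12:12:00 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
www.lodestar2.dyndns.org 192.0.2.10 - - [18/Sep/2001:12:12:05 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
www.lodestar2.dyndns.org 192.0.2.10 - - [20/Aug/2001:03:14:15 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"""


def full_decode(path, rounds=3):
    """Percent-decode until the path stops changing, so %252f -> %2f -> /.
    A single unquote() would leave '%2f' in place and hide the traversal."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(path):
    """Reasons a request path looks like the probe from the post: the
    'cmd.exe' string the post keys on, a '..' traversal visible only after
    decoding, and whether that traversal was hidden by percent-encoding."""
    decoded = full_decode(path).replace('\\', '/')   # treat \ like /
    reasons = []
    if 'cmd.exe' in decoded.lower():
        reasons.append('cmd.exe')
    if '/../' in decoded:
        reasons.append('traversal')
        if '/../' not in path:
            reasons.append('encoded')
    return reasons


def scan(log_text):
    """Parse each line, keep the suspicious ones, tally by day and source IP.
    Returns (hits, per_day, per_ip, served); 'served' lists hits that got a
    2xx status, i.e. something actually answered the probe instead of a 404."""
    hits, per_day, per_ip = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        reasons = classify(m['path'])
        if not reasons:
            continue
        day = m['date'].split(':', 1)[0]            # '18/Sep/2001'
        hits.append({'ip': m['ip'], 'day': day, 'status': m['status'],
                     'path': m['path'], 'reasons': reasons})
        per_day[day] += 1
        per_ip[m['ip']] += 1
    served = [h for h in hits if h['status'].startswith('2')]
    return hits, per_day, per_ip, served


if __name__ == '__main__':
    hits, per_day, per_ip, served = scan(SAMPLE_LOG)
    print(f"{len(hits)} probe(s); per day: {dict(per_day)}; per source: {dict(per_ip)}")
    for h in hits:
        print(f"  {h['day']} {h['ip']:15} {h['status']} "
              f"{','.join(h['reasons']):24} {h['path']}")
    print("answered with 2xx (worth a closer look):", len(served))
```

On the sample input the scan reports four probes, three on 18/Sep/2001 and the constructed one on 20/Aug/2001, with the encoded variants flagged separately from the plain '/c/winnt/...' form. The 'served' list is the check worth keeping around: on an Apache box these requests are 404 noise, but a hit answered with a 2xx status means something on your side served the request and deserves investigation.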