The common character string for this worm is 'c_dir'

  cat /var/log/httpd/access_log |grep 'cmd.exe' | wc -l
   3132
  cat /var/log/httpd/access_log |grep 'root.exe' | wc -l
    683
  cat /var/log/httpd/access_log |grep 'c+dir' | wc -l
   3815

3132 + 683 = 3815

BTW, you can produce a sorted IP list of infected servers using:
  cat /var/log/httpd/access_log |grep 'c+dir' | cut -f 2 -d " " | sort

How do you eliminate the duplicate entries?

At 01:48 PM 09/18/2001 -0400, Dan York wrote:

>Darrell,
>
>> Dan, I took my codered.php checker and did a quick update to look for 
>> this as well.  New file is named apache-hits.php and may be downloaded 
>> from:
>
>Cool. Thanks for doing that.
>
>> I've got 2938 total hits in my current log :(
>
>Actually, you may have even more.  Someone just pointed out to me that 
>I should also search for 'root.exe':
>
>  # date
>  Tue Sep 18 13:46:46 EDT 2001
>  # grep cmd.exe /var/log/httpd/access_log* | grep 18/Sep | wc
>     2834   36842  516064
>  # grep root.exe /var/log/httpd/access_log* | grep 18/Sep | wc
>      425    5525   64678
>
>Apparently the worm uses several different attacks.
>
>Dan
>
>-- 
>Dan York, Director of Training        [EMAIL PROTECTED]
>Ph: +1-613-751-4401 Cell: +1-613-263-4312 Fax: +1-613-564-7739 
>Mitel Network Corporation Network Server Solutions Group 
>150 Metcalfe St., Suite 1500, Ottawa,ON K2P 1P1 Canada
>http://www.e-smith.com/            http://www.mitel.com/           
>
>--
>Please report bugs to [EMAIL PROTECTED]
>Please mail [EMAIL PROTECTED] (only) to discuss security issues
>Support for registered customers and partners to [EMAIL PROTECTED]
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org


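The log checks in this thread, with duplicate source addresses collapsed, as an added example that is not part of the original messages. It assumes the client address is the first whitespace-separated field (Common Log Format); the function names and the sample log lines are constructed for illustration, and the field number can be passed as an argument for other log formats.

```shell
#!/bin/sh
# Added example: summarise worm probe sources found in an Apache access log.
# Assumption: the client address is field 1 (Common Log Format). Pass another
# field number to the functions below if your LogFormat differs.

# Constructed sample log lines (documentation addresses, not real hosts).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [18/Sep/2001:13:40:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [18/Sep/2001:13:40:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [18/Sep/2001:13:41:10 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.5 - - [18/Sep/2001:13:42:00 -0400] "GET /index.html HTTP/1.0" 200 1024
192.0.2.10 - - [18/Sep/2001:13:43:30 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
EOF
}

# probe_lines: keep only requests that name cmd.exe or root.exe.
# -F treats the patterns as fixed strings, so "." is a literal dot.
probe_lines() {
    grep -F -e 'cmd.exe' -e 'root.exe'
}

# unique_sources [field]: one line per distinct client address.
# "sort -u" sorts and drops duplicate lines in a single step.
unique_sources() {
    probe_lines | awk -v f="${1:-1}" '{ print $f }' | sort -u
}

# hits_per_source [field]: "count address" lines, busiest source first.
hits_per_source() {
    probe_lines | awk -v f="${1:-1}" '{ print $f }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Demo on the constructed sample. Against a real log, run for example:
#   unique_sources < /var/log/httpd/access_log
sample_log | hits_per_source
```
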