Nick Tonkin wrote:
> 
> Sorry for the off-topic post; there was a lot of discussion here of
> CodeRed and Reuven's module to report attempted attacks.
> 
> Since this a.m. I have had hundreds of requests like:
> 
> /scripts/root.exe?/c+dir
> /MSADC/root.exe?/c+dir
> /c/winnt/system32/cmd.exe?/c+dir
> /d/winnt/system32/cmd.exe?/c+dir
> /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
> /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
> /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
> 
> etc.
> 
> They seem to come in batches of a dozen or more with slight variations in
> the URI requested. I am thinking about adding support to CodeRed.pm (which
> should probably be renamed if so) to report these attacks via e-mail in
> the same way it does for CodeRed. Any interest in that? Or any info on
> these bogus requests?

Interesting... I'm getting many requests for those in my servers' logs
as well. Upon a little research, this appears to be TROJ_BLUECODE.A.
Basically it's a worm looking for the "Web Server Folder Traversal"
Vulnerability in IIS.

Microsoft says the patch has been around for a while, but I wonder if it
is actually in the service packs available from Windows Update. The worm
really seems to be moving around... we're getting thousands of requests.
The REMOTE_HOST entries are interesting as well... nameservers...
domains with the word 'secure' in them... nice.

http://merilus.com/cgi-bin/advisory/advisory.cgi?advisory_id=324
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp

-- 

Regards,

Wim Kerkhoff, Software Engineer
Merilus, Inc.  -|- http://www.merilus.com
Email: [EMAIL PROTECTED]
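As an added example (not CodeRed.pm and not code from either poster), here is the kind of log check the thread is asking for, written in Python rather than the module's Perl: it parses Common Log Format lines, flags requests that share the traits of the URIs Nick quoted (a call to cmd.exe or root.exe, or an encoded "..%5c" / "..%2f" traversal step), counts them per source host, and singles out any probe the server answered with a 2xx, since on a non-IIS box these should all be 404s. The sample log lines, the dates and addresses in them, and the pattern list are constructed for this example.

```python
"""Scan Common Log Format lines for IIS folder-traversal probes.

Added example for the thread above; not CodeRed.pm. The log lines and
the match patterns below are constructed assumptions, not a rule set
taken from the module or from Microsoft's bulletin.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)

# Two traits of the quoted requests: a direct call to cmd.exe / root.exe,
# and "..%5c" or "..%2f" (URL-encoded "..\" and "../") traversal steps.
SHELL_RE = re.compile(r"/(?:cmd|root)\.exe(?:\?|$)", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.(?:%5c|%2f)", re.IGNORECASE)


@dataclass
class Probe:
    host: str
    uri: str
    status: int
    reason: str


def classify_uri(uri: str) -> Optional[str]:
    """Return a label for a traversal-probe URI, or None for normal traffic."""
    reasons = []
    if SHELL_RE.search(uri):
        reasons.append("shell-exe")
    if TRAVERSAL_RE.search(uri):
        reasons.append("encoded-traversal")
    return "+".join(reasons) or None


def scan_log(lines: List[str]) -> List[Probe]:
    """Parse CLF lines and keep only the ones that look like probes."""
    probes = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        reason = classify_uri(m.group("uri"))
        if reason:
            probes.append(Probe(m.group("host"), m.group("uri"),
                                int(m.group("status")), reason))
    return probes


def summarize(probes: List[Probe]) -> Dict[str, object]:
    """Per-source counts plus any probe the server actually served (2xx).

    On a server that is not IIS these requests should all be 404s and are
    only noise worth reporting; a 2xx means something handled the request
    and needs a look.
    """
    per_host = Counter(p.host for p in probes)
    served = [p for p in probes if 200 <= p.status < 300]
    return {"per_host": dict(per_host), "served": served}


def format_report(probes: List[Probe]) -> str:
    """Plain-text summary of the sort one might mail out, as CodeRed.pm does."""
    summary = summarize(probes)
    out = ["Traversal probes by source host:"]
    for host, n in sorted(summary["per_host"].items()):
        out.append(f"  {host}: {n}")
    out.append(f"Probes answered with 2xx: {len(summary['served'])}")
    for p in summary["served"]:
        out.append(f"  {p.host} {p.status} {p.uri} ({p.reason})")
    return "\n".join(out)


# Constructed sample log: one scanner sending a batch, one normal request,
# and one probe that (alarmingly) got a 200 back.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:09:01:12 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '10.0.0.5 - - [18/Sep/2001:09:01:13 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276',
    '10.0.0.5 - - [18/Sep/2001:09:01:14 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.9 - - [18/Sep/2001:09:02:40 -0700] "GET /index.html HTTP/1.1" 200 1523',
    '192.0.2.9 - - [18/Sep/2001:09:02:41 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 98',
]

if __name__ == "__main__":
    print(format_report(scan_log(SAMPLE_LOG)))
```

Run against a real access log with `scan_log(open("access_log").read().splitlines())`; the per-host counter is what makes the "batches of a dozen" pattern visible, and the served list is the one part worth paging someone about.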
