Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Raymond den Ouden
Sent: Wednesday, September 19, 2001 12:15 AM Subject: Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers > It looks more like a hack attack > > It is not a worm, but just someone trying to use the unicode hack! > At my work we have been hacked by people

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Raymond den Ouden
<[EMAIL PROTECTED]> Sent: Tuesday, September 18, 2001 7:57 PM Subject: Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers > > Dan York <[EMAIL PROTECTED]> said: > > > Actually, you may have even more. Someone just pointed out to me t

RE: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Daniel C. Slagle
then
    echo $host >>/var/tmp/blocked
    /sbin/ipchains -I input -s $host -j DENY -l
fi
done

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Darrell May
Sent: Wednesday, September 19, 2001 12:02 PM
To: E-smith developers list
Subject: Re: [e-smith-devinfo]

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Darrell May
Apache Worm Hits checker updated and available for download. This update counts totals and has links to detailed virus information (click the virus name). http://myezserver.com/downloads/mitel/apache-hits.zip -- Darrell May DMC NETSOURCED.COM http://netsourced.com http://myEZserver.com -

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Dan York
Roger,

> I refined the script that was posted earlier. It now reports CODE RED, NIMDA
> and all the other hits on the server on the external interface.

Very nice... I put it on my home SME Server and it works well. I had to make one modification, though:

>
> while : ; do
> cat /var/log/httpd

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Rob Hillis
On Wed, 19 Sep 2001 22:22, Roger Wrethman wrote: > I refined the script that was posted earlier. It now reports CODE RED, > NIMDA and all the other hits on the server on the external interface. I think there's a little bug hidden in there, actually... when counting servers, you're cutting the wr

[e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-19 Thread Roger Wrethman
I refined the script that was posted earlier. It now reports CODE RED, NIMDA and all the other hits on the server on the external interface.

while : ; do
    cat /var/log/httpd/access_log* |grep -v '192.168.1.' | grep -v '127.0.0.1' >tempfile4
    cat tempfile4 |grep 'c+dir' >tempfile
    cat tempfile

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Mike Sensney
21:33:12 - I've now been hit 4790 times now from 149 different servers.

I'm now running this rough little script which gives the above output. It loops about every 10 minutes.

while : ; do
    cat /var/log/httpd/access_log |grep 'c+dir' >tempfile
    TIME=`date | cut -f 4 -d " "`
    ATTACKS=`wc -l

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Rob Hillis
On Wed, 19 Sep 2001 03:57, Darrell May wrote: > > Actually, you may have even more. Someone just pointed out to me that > > I should also search for 'root.exe': > Arghh. Ok, updated for root.exe as well FYI Darrell, this thing now has a name... see http://www.zdnet.com.au/newstech/securit

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Philip Kay
- - Original Message - From: "Mike Sensney" <[EMAIL PROTECTED]> To: "E-smith developers list" <[EMAIL PROTECTED]> Sent: Tuesday, September 18, 2001 9:41 PM Subject: Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS serv

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Mike Sensney
What about IE5.5 and IE6? Does anybody know if they are vulnerable yet? My guess is probably so... (Is this a plot by Netscape to get back user share? :) At 02:22 PM 09/18/2001 -0400, Dan York wrote: >FYI, incidents.org now has a page up about the worm: > > http://www.incidents.org/alert.php

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Mike Sensney
The common character string for this worm is 'c_dir'

cat /var/log/httpd/access_log |grep 'cmd.exe' | wc -l
3132
cat /var/log/httpd/access_log |grep 'root.exe' | wc -l
683
cat /var/log/httpd/access_log |grep 'c+dir' | wc -l
3815

3132 + 683 = 3815

BTW, you can produce a sorted IP

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Dan Brown
Darrell May wrote: > http://myezserver.com/downloads/mitel/apache-hits.zip Very slick--now I can put a "code red free" message on my home page and link it to the stats. Thanks! One question, though: why'd you put it in a .zip file? A .tgz would be much more linux-friendly, if you thou

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Dan York
FYI, incidents.org now has a page up about the worm: http://www.incidents.org/alert.php As Blake mentioned, there are reports of IE5 automatically executing this. (Although it still sounds like a user has to open the attachment.) Really-glad-not-to-be-using-IE, Dan -- Please report bugs to

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Darrell May
Dan York <[EMAIL PROTECTED]> said:

> Actually, you may have even more. Someone just pointed out to me that
> I should also search for 'root.exe':

Arghh. Ok, updated for root.exe as well

CodeRed = 0
CodeRed II = 248
cmd.exe = 3179
root.exe = 477

http://myezserver.com/downloads/mitel/

[Fwd: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers]

2001-09-18 Thread Blake Heinemann
oops! meant to send this to the list. bh Part of the problem is that if someone is using IE and goes to an infected box, it will attach an .eml file to the webpage. IE will automatically open this as an outlook express email which has a file attachment called Readme.exe. If this is run, it

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Dan York
Darrell, > Dan, I took my codered.php checker and did a quick update to look for > this as well. New file is named apache-hits.php and may be downloaded > from: Cool. Thanks for doing that. > I've got 2938 total hits in my current log :( Actually, you may have even more. Someone just point

Re: [e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Darrell May
Dan York <[EMAIL PROTECTED]> said: > FYI, this does not directly affect any of our (Apache) web servers, > but it is additional traffic hitting all of us and slowing things > down... Dan, I took my codered.php checker and did a quick update to look for this as well. New file is named apache-h

[e-smith-devinfo] FYI - new worm appears to be hitting Microsoft IIS servers

2001-09-18 Thread Dan York
FYI, this does not directly affect any of our (Apache) web servers, but it is additional traffic hitting all of us and slowing things down... there appears to be a new Code Red-ish type of worm going around right now hitting an old vulnerability in Microsoft IIS. If you look in /var/log/httpd/acc