Hey all,
Sorry 'bout the spam (and sorry if you already know about this) but I figured you folks
might want to know to watch out for a new Code Red-esque worm that's running
rampant... below is from Slashdot.
http://slashdot.org/articles/01/09/18/151203.shtml
-- MB
**************
New (More) Annoying Microsoft Worm Hits Net
Posted by CmdrTaco on Tuesday September 18, @10:10AM
from the what-a-pain-in-the-arse dept.
A new worm seems to be running rampant. Unlike Code Red, it attempts to hit boxes with many different
exploits (including what looks like an attempt to exploit boxes still rooted by Code Red).
It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm
mailing WAV files or something with bits of what appears to be the registry... it may or
may not be related. Got any words on this? Shut down those Windows boxes and stop opening
attachments. And make that 21. Got another one while writing this story. All my hits are
coming from 208.n.n.n (where I am). I'm sure it'll keep moving to nearby boxes.
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only
4 minutes. Also of interest, my desktop has now been hit about 500 times today, all from
208.x.x.x IPs. This might be really bad. I still haven't read anything about this
anywhere else, so you heard it here first ;)
Update: Web servers compromised by this worm apparently attach a "readme.eml" to
all web pages served... and due to a bug in IE5, it will automatically execute the file!
Yay Internet Explorer!
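
An added example, not part of the original message or the Slashdot story: a small log check that decodes the three request lines quoted above the way a lenient server would (repeated percent-decoding, then folding a 0xC0/0xC1 lead byte) and reports why each one is a traversal probe. The names `canonicalize`, `inspect` and `SAMPLES` are hypothetical, and the last sample line is a constructed benign request.

```python
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
# 0xC0 and 0xC1 never begin valid UTF-8; a lenient decoder folds the pair
# (lead & 0x1F) << 6 | (next & 0x3F) into a single ASCII character.
_OVERLONG = re.compile(rb"([\xc0\xc1])(.)", re.S)

def canonicalize(path, max_rounds=5):
    """Undo percent-encoding until stable; return (decoded bytes, reasons)."""
    data, rounds, reasons = path.encode("latin-1", "replace"), 0, []
    while rounds < max_rounds:
        decoded = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    if rounds > 1:  # a second pass still changed something, e.g. %255c -> %5c -> \
        reasons.append("nested percent-encoding")
    folded = _OVERLONG.sub(
        lambda m: bytes([(m.group(1)[0] & 0x1F) << 6 | (m.group(2)[0] & 0x3F)]),
        data)
    if folded != data:  # e.g. bytes C1 1C fold to 0x5C, a backslash
        reasons.append("overlong UTF-8 sequence")
    return folded, reasons

def inspect(request_line):
    """Return the reasons a request line looks like a traversal probe."""
    parts = request_line.split()
    if not parts:
        return []
    target = parts[1] if len(parts) > 1 else parts[0]
    path = target.split("?", 1)[0]  # only the path is canonicalized
    decoded, reasons = canonicalize(path)
    if b".." in decoded.replace(b"\\", b"/").split(b"/"):
        reasons.append("parent-directory segment after decoding")
    return reasons

# The three request lines quoted in the story, plus one constructed benign line.
SAMPLES = [
    "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../"
    "..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "GET /docs/a%20b.html HTTP/1.0",  # constructed benign request
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect(line) or "clean", "<-", line)
```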