RE: something new afoot, sweeping scans:

2001-09-19 Thread Johnston Mark
Title: RE: something new afoot, sweeping scans: I'm getting the same thing . I've had to shut one of our severs down from all this crap. -Original Message-From: Dean Michael Dorman [mailto:[EMAIL PROTECTED]]Sent: 18 September 2001 07:24To: [EMAIL PROTECTED]Subject: RE

something new afoot, sweeping scans:

2001-09-18 Thread Ron DuFresne
Folks, Someone mentioned seeing similiar signatures in their logs earlier today to the signatures we are seeing in dramtic rapidity in a short time span. Are other sites seeing similiar signatures quick greps attached and posted below Has a new toy been unleshed, or is this an old toy we have

Re: something new afoot, sweeping scans:

2001-09-18 Thread Josh Welch
DuFresne [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 18, 2001 10:50 AM Subject: something new afoot, sweeping scans: Folks, Someone mentioned seeing similiar signatures in their logs earlier today to the signatures we are seeing in dramtic rapidity in a short time span

Re: something new afoot, sweeping scans:

2001-09-18 Thread gilles
le Tue, Sep 18, 2001 at 10:50:40AM -0500, Ron DuFresne écrivit Folks, Someone mentioned seeing similiar signatures in their logs earlier today to the signatures we are seeing in dramtic rapidity in a short time span. Are other sites seeing similiar signatures quick greps attached and

Re: something new afoot, sweeping scans:

2001-09-18 Thread Jim Hutchins
I haven't been able to get a copy of the worm yet, but it scans IIS machines for vulnerabilities able to run cmd.exe?\dir+c, then if that works, sends an attempt to run tftp back to itself and grab Admin.dll, then run it. Here are some logs: Tue Sep 18 09:43:13 2001: 38.214.180.8 - x.x.1.29:

RE: something new afoot, sweeping scans:

2001-09-18 Thread Luke Butcher
Title: RE: something new afoot, sweeping scans: Seeing hits from this new worm, looks like it tries circa 30 URLs. Logic looks similar to Code Red II/III, in that most hits are coming from similar class B and C networks. Not sure of payload though as we're protected. Regards, Luke Butcher

RE: something new afoot, sweeping scans:

2001-09-18 Thread Jose Nazario
On Tue, 18 Sep 2001, Luke Butcher wrote: Seeing hits from this new worm, looks like it tries circa 30 URLs. Logic looks similar to Code Red II/III, in that most hits are coming from similar class B and C networks. its a huge shitstorm here. shuttig us down all morning as our firewall

Re: something new afoot, sweeping scans:

2001-09-18 Thread Frank Neumann
Hi folks, Ron DuFresne wrote: Folks, Someone mentioned seeing similiar signatures in their logs earlier today to the signatures we are seeing in dramtic rapidity in a short time span. Are other sites seeing similiar signatures quick greps attached and posted below Has a new toy been

Re: something new afoot, sweeping scans:

2001-09-18 Thread Stu
has anyone seen a payload like this one? I have been scanned by 59 seperate hosts and they all hit 76 diferent urls unfortunately every 404 on the server triggers an email. this is cut down from the 76 distinct all the tftp calls were requesting admin.dll from the host that performed the

RE: something new afoot, sweeping scans:

2001-09-18 Thread Dean Michael Dorman
Title: RE: something new afoot, sweeping scans: my Pix is filtering out tons of SYN connections to port 80 from several subs domains on 209.x.x.x This part of it? I am assuming so. ... Dean

RE: something new afoot, sweeping scans:

2001-09-18 Thread Derek Johnson
everyone has -Original Message- From: Stu [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 18, 2001 10:49 AM To: Jose Nazario Cc: Luke Butcher; [EMAIL PROTECTED] Subject: Re: something new afoot, sweeping scans: has anyone seen a payload like this one? I have been scanned by 59

RE: something new afoot, sweeping scans:

2001-09-18 Thread lherbst
Try this on for size - from another list. Looks like the culprit. Lee - Forwarded by Lee C Herbst/Marion County Property Appraiser on 09/18/01 01:31 PM - Michael Balasko [EMAIL PROTECTED] Sent by: Windows NT/2000 Discussion List [EMAIL PROTECTED] 09/18/01 12:11 PM Please respond

Re: something new afoot, sweeping scans:

2001-09-18 Thread Bgs himself
On Tue, 18 Sep 2001, Josh Welch wrote: Hi ! I doubt it new ... My servers are flooded with this since this afternoon (about 15:30 GMT+1). Could you send me the suspicious .exe ? I'd like to dismantle it ... Bye Bgs ___ Firewalls mailing list

Re: something new afoot, sweeping scans:

2001-09-18 Thread Patrick Benson
Ron DuFresne wrote: Folks, Someone mentioned seeing similiar signatures in their logs earlier today to the signatures we are seeing in dramtic rapidity in a short time span. Are other sites seeing similiar signatures quick greps attached and posted below Has a new toy been unleshed, or

RE: something new afoot, sweeping scans:

2001-09-18 Thread Paul Wentland
: something new afoot, sweeping scans: Hi folks, Ron DuFresne wrote: Folks, Someone mentioned seeing similiar signatures in their logs earlier today to the signatures we are seeing in dramtic rapidity in a short time span. Are other sites seeing similiar signatures quick greps attached

RE: something new afoot, sweeping scans:

2001-09-18 Thread C. Russell Goulding
]]On Behalf Of Jose Nazario Sent: Tuesday, September 18, 2001 12:28 PM To: Luke Butcher Cc: [EMAIL PROTECTED] Subject: RE: something new afoot, sweeping scans: On Tue, 18 Sep 2001, Luke Butcher wrote: Seeing hits from this new worm, looks like it tries circa 30 URLs. Logic looks similar to Code Red II