Title: RE: something new afoot, sweeping scans:
I'm getting the same thing. I've had to shut one of our servers down from all
this crap.
-Original Message-
From: Dean Michael Dorman [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2001 07:24
To: [EMAIL PROTECTED]
Subject: RE
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span.
Are other sites seeing similar signatures? quick greps attached and
posted below. Has a new toy been unleashed, or is this an old toy we have
DuFresne [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 18, 2001 10:50 AM
Subject: something new afoot, sweeping scans:
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span
On Tue, Sep 18, 2001 at 10:50:40AM -0500, Ron DuFresne wrote
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span.
Are other sites seeing similar signatures? quick greps attached and
I haven't been able to get a copy of the worm yet, but
it scans IIS machines for vulnerabilities able to run
cmd.exe?\dir+c, then if that works, sends an attempt
to run tftp back to itself and grab Admin.dll, then
run it.
Here are some logs:
Tue Sep 18 09:43:13 2001: 38.214.180.8 - x.x.1.29:
Title: RE: something new afoot, sweeping scans:
Seeing hits from this new worm, looks like it tries circa 30 URLs.
Logic looks similar to Code Red II/III, in that most hits are coming from similar class B and C networks.
Not sure of payload though as we're protected.
Regards,
Luke Butcher
On Tue, 18 Sep 2001, Luke Butcher wrote:
Seeing hits from this new worm, looks like it tries circa 30 URLs.
Logic looks similar to Code Red II/III, in that most hits are coming
from similar class B and C networks.
it's a huge shitstorm here. shutting us down all morning as our firewall
Hi folks,
Ron DuFresne wrote:
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span.
Are other sites seeing similar signatures? quick greps attached and
posted below. Has a new toy been
has anyone seen a payload like this one?
I have been scanned by 59 separate hosts and they all hit 76 different urls
unfortunately every 404 on the server triggers an email.
this is cut down from the 76 distinct
all the tftp calls were requesting admin.dll from the host that performed the
Title: RE: something new afoot, sweeping scans:
my Pix is filtering out tons of SYN connections to port 80 from several subdomains on
209.x.x.x
This part of it? I am assuming so.
...
Dean
everyone has
-Original Message-
From: Stu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:49 AM
To: Jose Nazario
Cc: Luke Butcher; [EMAIL PROTECTED]
Subject: Re: something new afoot, sweeping scans:
has anyone seen a payload like this one?
I have been scanned by 59
Try this on for size - from another list. Looks like the culprit.
Lee
- Forwarded by Lee C Herbst/Marion County Property Appraiser on
09/18/01 01:31 PM -
Michael Balasko [EMAIL PROTECTED]
Sent by: Windows NT/2000 Discussion List [EMAIL PROTECTED]
09/18/01 12:11 PM
Please respond
On Tue, 18 Sep 2001, Josh Welch wrote:
Hi !
I doubt it's new ... My servers are flooded with this since this afternoon
(about 15:30 GMT+1).
Could you send me the suspicious .exe ? I'd like to dismantle it ...
Bye
Bgs
___
Firewalls mailing list
Ron DuFresne wrote:
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span.
Are other sites seeing similar signatures? quick greps attached and
posted below. Has a new toy been unleashed, or
: something new afoot, sweeping scans:
Hi folks,
Ron DuFresne wrote:
Folks,
Someone mentioned seeing similar signatures in their logs earlier today
to the signatures we are seeing in dramatic rapidity in a short time span.
Are other sites seeing similar signatures? quick greps attached
]]On Behalf Of Jose Nazario
Sent: Tuesday, September 18, 2001 12:28 PM
To: Luke Butcher
Cc: [EMAIL PROTECTED]
Subject: RE: something new afoot, sweeping scans:
On Tue, 18 Sep 2001, Luke Butcher wrote:
Seeing hits from this new worm, looks like it tries circa 30 URLs.
Logic looks similar to Code Red II
16 matches