Some of our clients are experiencing this too. We think it's this:

http://www.eeye.com/html/Research/Advisories/AD20010705.html
http://securityresponse.symantec.com/avcenter/security/Content/2001_09_07.html

-----Original Message-----
From: Cameron Childress [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:55 AM
To: CF-Community
Subject: Code Red III?

Heads up. Pay attention to your servers today. I just started detecting a *ton* of these requests. I think it's a follow-up worm programmed to take advantage of the backdoors Code Red dropped on infected computers. Maybe a Code Red III?

The following log items are from NukeNabber running on my local machine. Anyone else seen anything about this? I just noticed it.

-Cameron

--------------------
Cameron Childress
elliptIQ Inc.
p.770.460.1035.232
f.770.460.0963
--
http://www.neighborware.com
America's Leading Community Network Software

[09/18/2001 09:25:55.136 GMT-0400] Connection: dhcp181.onewebsystems.com (130.205.102.181) on port 80 (tcp).
[09/18/2001 09:25:55.166 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0 Host: www Connnection: close
[09/18/2001 09:25:55.176 GMT-0400] Port 80 (tcp) is now disabled for 60 seconds.
[09/18/2001 09:26:55.182 GMT-0400] Port 80 (tcp) is re-enabled.
[09/18/2001 09:34:39.600 GMT-0400] Connection: anhb.uwa.edu.au (130.95.96.22) on port 80 (tcp).
[09/18/2001 09:34:39.630 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0 Host: www Connnection: close
[09/18/2001 09:34:39.640 GMT-0400] Port 80 (tcp) is now disabled for 60 seconds.
[09/18/2001 09:35:38.865 GMT-0400] Port 80 (tcp) is re-enabled.
[09/18/2001 09:36:24.681 GMT-0400] Connection: OWSAFCE (130.205.102.205) on port 80 (tcp).
[09/18/2001 09:36:24.711 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0 Host: www Connnection: close
[09/18/2001 09:36:24.721 GMT-0400] Port 80 (tcp) is now disabled for 60 seconds.
[09/18/2001 09:37:24.016 GMT-0400] Port 80 (tcp) is re-enabled.
[09/18/2001 09:39:18.100 GMT-0400] Connection: OWSJPA (130.205.102.192) on port 80 (tcp).
[09/18/2001 09:39:18.130 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0 Host: www Connnection: close
[09/18/2001 09:39:18.140 GMT-0400] Port 80 (tcp) is now disabled for 60 seconds.
[09/18/2001 09:40:17.265 GMT-0400] Port 80 (tcp) is re-enabled.
[09/18/2001 09:40:44.965 GMT-0400] Connection: dhcp181.onewebsystems.com (130.205.102.181) on port 80 (tcp).
[09/18/2001 09:40:44.995 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0 Host: www Connnection: close
[09/18/2001 09:40:45.005 GMT-0400] Port 80 (tcp) is now disabled for 60 seconds.
[09/18/2001 09:41:44.391 GMT-0400] Port 80 (tcp) is re-enabled.
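
An added example, not part of either message in this thread: a small Python parser for the log layout quoted above that attributes each request to the preceding Connection entry and collects requests for /scripts/root.exe per source address. The sample lines, host names and addresses are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the log layout quoted in the message above
# (hosts and addresses are placeholders, not taken from the thread).
SAMPLE = """\
[09/18/2001 09:25:55.136 GMT-0400] Connection: host-a.example (192.0.2.10) on port 80 (tcp).
[09/18/2001 09:25:55.166 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0 Host: www Connnection: close
[09/18/2001 09:25:55.176 GMT-0400] Port 80 (tcp) is now disabled for 60 seconds.
[09/18/2001 09:26:55.182 GMT-0400] Port 80 (tcp) is re-enabled.
[09/18/2001 09:34:39.600 GMT-0400] Connection: host-b.example (192.0.2.20) on port 80 (tcp).
[09/18/2001 09:34:39.630 GMT-0400] GET /index.html HTTP/1.0 Host: www
[09/18/2001 09:40:44.965 GMT-0400] Connection: host-a.example (192.0.2.10) on port 80 (tcp).
[09/18/2001 09:40:44.995 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0 Host: www Connnection: close
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")
CONN = re.compile(r"^Connection: (?P<host>\S+) \((?P<ip>[\d.]+)\) on port (?P<port>\d+)")
REQ = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d")
# Matches the request target seen in the quoted log, with or without a query.
BACKDOOR = re.compile(r"^/scripts/root\.exe(\?|$)", re.IGNORECASE)

def backdoor_probes(log_text):
    """Return {source_ip: [(timestamp, target), ...]} for root.exe requests.
    The listener logs the peer in one entry and the request in the next,
    so each request is attributed to the most recent Connection entry.
    """
    probes = defaultdict(list)
    peer = None
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        conn = CONN.match(body)
        if conn:
            peer = conn.group("ip")
            continue
        req = REQ.match(body)
        if req and peer:
            if BACKDOOR.match(req.group("target")):
                probes[peer].append((m.group("ts"), req.group("target")))
            peer = None  # one request is logged per connection
    return dict(probes)

if __name__ == "__main__":
    for ip, hits in sorted(backdoor_probes(SAMPLE).items()):
        print(f"{ip}: {len(hits)} probe(s), first at {hits[0][0]}")
```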
