On Thu, 19 Jul 2001, shimi wrote:

>
> On Thu, 19 Jul 2001, Admin @ Adopt A Band.com wrote:
>
> > I have noticed today an explosion of hacking attempts on the http logs, the
> > attackers (many different source IPs)
> > are sending this string:
> >
> > GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> >
> > to which our RAQ4 answers (luckily) with a 400 not found ...
> > But I guess that today there must have been some exploit announced. Anybody
> > knows anything about it? Reasons to be concerned?
> > And, what would an .ida file be?
> >
> > Alessandro Bologna
>
> That's a Micro$oft IIS remote SYSTEM bug, found by www.eEye.com. Nothing
> to worry about on Linux based machines.
>
> - shimi.
>

MORE

This is probably the "Code-Red" worm that will act on 20/7/2001, trying to
do a Denial of Service attack on www.whitehouse.gov.

This worm tries to infect as many people as possible, and has a permanent seed
for the IP address randomization. So expect MORE traffic like that, and
also expect it to come from WEBSERVERS. It infects only Microsoft webservers
that were not patched against the .ida vulnerability that was found last month
in eEye.com.

eEye.com also analyzed the mentioned "Code-Red" worm and its effects. Their
current estimation is that very soon, 300,000 machines (or more) will start
sending out 410MB of information each, at intervals of 4.5 hours, all directed
to port 80 of www.whitehouse.gov.

My simple calculation gives that the website of whitehouse.gov will be
dealing with a permanent attack of 27.3333 TERABYTES of data every hour,
which will possibly make the provider go down, if not some backbones, as that
worm keeps spreading.

You can read all about that in eeye.com.

- shimi.

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
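
Added example (not part of the original thread): a small log scan that counts requests with the shape quoted above, per source address and response status, so an operator can see how many distinct hosts are probing and how the server answered. The log format (Apache common log), the 100-character padding threshold, and the sample lines and addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache common log format (assumed): host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')
# Shape quoted in the thread: /default.ida? + a long run of one padding character,
# then %uXXXX-encoded words. The 100-character threshold is an assumption.
IDA_RE = re.compile(r'^GET\s+/default\.ida\?(.)\1{99,}((?:%u[0-9a-f]{4})*)', re.I)
PROBE_RE = re.compile(r'^\S+\s+/[^?\s]*\.ida(?:\?|\s|$)', re.I)

def classify(request):
    """Label a request line: 'padded+encoded', 'padded', 'ida-probe' or None."""
    m = IDA_RE.match(request)
    if m:
        # Logs that truncate long requests keep the padding but lose the tail.
        return "padded+encoded" if m.group(2) else "padded"
    return "ida-probe" if PROBE_RE.match(request) else None

def scan(lines):
    """Count .ida requests per source address, response status and label."""
    sources, statuses, kinds = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed entries
        host, request, status = m.groups()
        kind = classify(request)
        if kind:
            sources[host] += 1
            statuses[status] += 1
            kinds[kind] += 1
    return sources, statuses, kinds

# Constructed sample log lines; addresses are from documentation ranges.
PAD = "N" * 224
TAIL = "%u9090%u6858%ucbd3%u7801"
SAMPLE = [
    f'192.0.2.10 - - [19/Jul/2001:10:01:02 +0000] "GET /default.ida?{PAD}{TAIL} HTTP/1.0" 400 325',
    f'198.51.100.7 - - [19/Jul/2001:10:01:09 +0000] "GET /default.ida?{PAD}{TAIL} HTTP/1.0" 404 290',
    f'192.0.2.10 - - [19/Jul/2001:10:03:40 +0000] "GET /default.ida?{PAD}" 400 325',
    '203.0.113.5 - - [19/Jul/2001:10:04:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [19/Jul/2001:10:04:05 +0000] "GET /default.ida HTTP/1.0" 404 290',
]

if __name__ == "__main__":
    sources, statuses, kinds = scan(SAMPLE)
    print(f"{len(sources)} sources, statuses {dict(statuses)}, kinds {dict(kinds)}")
    for host, n in sources.most_common():
        print(f"{n:4d}  {host}")
```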
