This is the "Red Worm" virus as it has been dubbed. One of our clients
got hit and hacked by it. It only affects IIS running in the US.

Once it takes effect, the home page returned to the clients states:
http://www.worm.com
Hacked by Chinese

All in red letters. The code you see exploits an idb dll buffer overflow
bug in IIS that was patched a little while ago. Many people didn't
update this. The worm was deployed on Friday, July 13th. What I thought
was most interesting about this "bug/virus" was how it worked. It shuts
itself off after 10 hours. The virus never really resides on your
computer, only in memory. If the computer is restarted, it is
automatically removed. I also managed to read a few articles about the
whole China vs. US hackers hacking each other. 

Anyway, go to groups.google.com and search "Hacked by Chinese" with the
quotation marks. You'll get a few articles on it.

-Akshay
Happy that I use Linux :)

Erik Arneson wrote:
> 
> On 19 July 2001, Neil Gunton <[EMAIL PROTECTED]> wrote:
> > This isn't related to Embperl really, but I thought it might be
> > interesting, since it looks a lot like some kind of hacking attempt... I
> > am getting a lot of entries in my apache server log that look like this:
> >
> > 65.5.173.103 - - [19/Jul/2001:17:08:52 -0400] "GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> > HTTP/1.0" 400 328
> >
> > The requests are coming in maybe every half hour or so, each time from
> > different IP's. There has never been a file of this name on my server...
> > it looks like some kind of buffer overrun attempt, doesn't it? Could the
> > codes at the end be the buffer overrun exploit?
> 
> Yep, I'm getting hit with a bunch of these, too.  Eleven of them so far
> today.
> 
> Could it be some kind of attack on IIS servers, perhaps?  I don't
> recognize the .ida extension.
> 
> --
> # Erik Arneson <[EMAIL PROTECTED]>   Web Engineer #
> #  Mobile: 541.840.3100           GPG Key ID: 1024D/0A2C3C5E #
> #  Office: 541.774.5391    <http://www.musiciansfriend.com/> #
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
http://www.5vs1.com - A Pearl Jam Fan Site

"Only when the last tree is dead, the last river dammed, and the last
field paved, will we realize that we can't eat money."

"Time is long and life is short, so begin to live while you still can."
                        -Eddie Vedder
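An added example, not part of this thread: a small Python scanner that picks requests shaped like the one Neil quoted (an .ida request with a long filler run and %u-encoded bytes in the query) out of Apache common-format logs and counts hits per source address. The sample log lines and the 64-character filler threshold are constructed for the demo.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "method url proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) \S+')
# Probe shape seen in the thread: an .ida request whose query carries a long run
# of one filler character followed by %u-encoded (UTF-16 style) bytes.
FILLER_RE = re.compile(r'(.)\1{63,}')                 # 64+ repeats of one char
UNICODE_RE = re.compile(r'(?:%u[0-9a-fA-F]{4}){3,}')  # three or more %uXXXX tokens

def classify(line):
    """Return a finding dict if the line looks like the .ida overflow probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('url').partition('?')
    if not path.lower().endswith('.ida'):
        return None
    filler = FILLER_RE.search(query)
    if not filler or not UNICODE_RE.search(query):
        return None
    return {'ip': m.group('ip'), 'time': m.group('time'),
            'status': int(m.group('status')), 'filler_len': len(filler.group(0))}

def scan(log_text):
    """Classify every line; return (findings, number of hits per source IP)."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    return findings, Counter(f['ip'] for f in findings)

# Constructed sample log: lines 1 and 3 reproduce the request shape quoted in the
# thread ('N' * 224 stands in for its run of N's); the other two are benign.
PROBE = ('/default.ida?' + 'N' * 224
         + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u00=a')
SAMPLE_LOG = '\n'.join([
    f'65.5.173.103 - - [19/Jul/2001:17:08:52 -0400] "GET {PROBE} HTTP/1.0" 400 328',
    '192.0.2.10 - - [19/Jul/2001:17:10:01 -0400] "GET /index.html HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [19/Jul/2001:17:40:13 -0400] "GET {PROBE} HTTP/1.0" 400 328',
    '192.0.2.10 - - [19/Jul/2001:17:41:55 -0400] "GET /default.ida HTTP/1.1" 404 210',
])

if __name__ == '__main__':
    found, per_ip = scan(SAMPLE_LOG)
    for f in found:   # the 400 from Apache shows the probe was rejected, not served
        print(f"{f['time']} {f['ip']} status={f['status']} filler={f['filler_len']}")
    print(dict(per_ip))
```

On a non-IIS server these hits are noise rather than compromise, so the useful output is the per-source count and the status code, which together show how often and from where the probe arrives.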
