Security Incidents mailing list archives

Re: new codered worm?


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 30 Aug 2001 14:32:26 -0600 (MDT)

On Thu, 30 Aug 2001, ^^ sang sang wrote:

> 1.    traced for IP address

What do you mean by this?  You did a traceroute to the attacker, or
you're seeing something else?

<snip>

> 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X GET /scripts/root.exe /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /c/winnt/system32/cmd.exe /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /d/winnt/system32/cmd.exe /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /msadc/root.exe /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /c/inetpub/scripts/root.exe /c+dir+c:\ 404 -
> 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /d/inetpub/scripts/cmd.exe /c+dir+c:\ 404 -

There are lots of scripts that try these variations.  Some of these are
probably Unicode attempts.  Those have been going on forever.  The
root.exe ones are probably looking for CodeRed II infected boxes, or boxes
that were broken into previously.

> 2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /x.ida VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV=X 200 -

Note that this one isn't long enough to set off the overflow... but it will
check if you are vulnerable.  Well, assuming it was a valid request, it
would.  There should be a ? after the /x.ida, but you've got a space.

In any case, there's not quite enough information here to suggest a new
worm yet.

                                        Ryan
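The log fragment Ryan is sorting through above lends itself to a small triage script. The following is an added example, not code from the thread, from SecurityFocus or from the ARIS service: it parses IIS W3C-style log lines of the shape quoted (tolerating the missing port on the first line and a raw-request paste where the query is fused onto the stem with `?`), labels each request along the lines Ryan does (root.exe probes for CodeRed II backdoors, cmd.exe reached via Unicode traversal or via an exposed drive mapping, `.ida` requests by filler length and by whether the query carries `%u`-encoded bytes), and groups the hits per source IP, flagging a burst that lands in a single second as scripted. The sample log is constructed from the quoted lines with the server address left as X.X.X.X; the `%c0%af` traversal line, the 40-byte filler and the label wording are my assumptions for illustration, and the script does not try to decide whether a given filler length would trigger the overflow.

```python
"""Triage IIS W3C log lines for the scan patterns discussed in the thread."""
import re
from collections import defaultdict

# Constructed sample log modelled on the lines quoted in the thread. Field layout:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status -
# The server address stays redacted as X.X.X.X like the poster's. The %c0%af line is a
# constructed illustration of a Unicode traversal and the .ida filler length is an
# arbitrary choice for the example; neither is taken from the page.
IDA_FILLER = "V" * 40
SAMPLE_LOG = "\n".join([
    "2001-08-27 01:41:39 210.92.26.120 - X.X.X.X GET /scripts/root.exe /c+dir+c:\\ 404 -",
    "2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /c/winnt/system32/cmd.exe /c+dir+c:\\ 404 -",
    "2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /d/winnt/system32/cmd.exe /c+dir+c:\\ 404 -",
    "2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /msadc/root.exe /c+dir+c:\\ 404 -",
    "2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 404 -",
    f"2001-08-27 01:41:39 210.92.26.120 - X.X.X.X 80 GET /x.ida {IDA_FILLER}=X 200 -",
    "2001-08-27 01:55:02 10.0.0.7 - X.X.X.X 80 GET /index.html - 200 -",
])

# s-port and cs-uri-query are optional so that the first quoted line (no port) and a
# raw-request paste (stem and query fused with '?') both parse.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) \S+ (?P<dst>\S+)(?: (?P<port>\d+))?"
    r" (?P<method>[A-Z]+) (?P<stem>\S+)(?: (?P<query>\S+))? (?P<status>\d{3})"
)
UNICODE_RE = re.compile(r"%c0%af|%c1%9c|\.\./", re.I)   # overlong '/' and '\' encodings, plain ../
PAYLOAD_RE = re.compile(r"%u[0-9a-f]{4}", re.I)          # %uXXXX escapes carried by a real payload


def parse_line(line):
    """Return a dict of fields, or None when the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if "?" in rec["stem"]:                       # raw request pasted into the log
        rec["stem"], rec["query"] = rec["stem"].split("?", 1)
    if rec["query"] in (None, "-"):
        rec["query"] = ""
    return rec


def classify(rec):
    """Label one record; None means it matches none of the patterns of interest."""
    stem = rec["stem"].lower()
    query = rec["query"]
    if stem.endswith("/root.exe"):
        return "root.exe probe (CodeRed II backdoor or previously owned host)"
    if "cmd.exe" in stem:
        if UNICODE_RE.search(stem):
            return "cmd.exe via Unicode/traversal in the path"
        return "cmd.exe reached through a drive letter or virtual directory"
    if stem.endswith((".ida", ".idq")):
        # Measure the run of one repeated character that pads an .ida request; the
        # presence of %u escapes, not the run length alone, separates a probe from a payload.
        run = re.match(r"(.)\1*", query)
        run_len = len(run.group(0)) if run else 0
        if PAYLOAD_RE.search(query):
            return f".ida request carrying %u-encoded payload (filler {run_len})"
        return f".ida probe, filler of {run_len} bytes, no payload"
    return None


def summarize(log_text):
    """Group labelled hits per source IP; several hits in one second mark a scripted scan."""
    per_src = defaultdict(lambda: {"labels": [], "timestamps": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        per_src[rec["src"]]["labels"].append(label)
        per_src[rec["src"]]["timestamps"].add(rec["date"] + " " + rec["time"])
    return {
        src: {
            "count": len(e["labels"]),
            "labels": e["labels"],
            "automated": len(e["labels"]) > 1 and len(e["timestamps"]) == 1,
        }
        for src, e in per_src.items()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} hits, {'scripted' if info['automated'] else 'unclear'}")
        for label in info["labels"]:
            print("   ", label)
```

Run it as-is to see the quoted burst reported as one scripted sweep from 210.92.26.120; point `summarize()` at a real log to get the same per-source breakdown, and extend `classify()` with further stems as you meet them.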


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

