Re: new ADMscript worm ?

[Edvard Tuinder <secu () lunytune nl>]

According to G.Mansur:
> [Tue Nov  4 01:49:11 2003] [error] [client xx.xx.xx.xx] File does not exist:
> /var/www/htdocs/ ADMscript.23 initialized  2
>
> One of them is running:
> Apache/1.3.20 Sun Cobalt (Unix) Chili!Soft-ASP/3.6.2 mod_ssl/2.8.4
>             OpenSSL/0.9.6b PHP/4.0.6 mod_auth_pam_external/0.1
> FrontPage/4.0.4.3 mod_perl/1.25 on Linux
>
> Anonther one is running: 
>
> Apache/1.3.6 (Unix)
> Running: Linux 2.1.X|2.2.X
> OS details: Linux 2.1.19 - 2.2.25
>
> We have seen allot of these across servers in Europe..

We haven't come across any of those ADMscript thingies. Is that particular
client trying anything more, or does it just try to access this ADMscript?
Once, or variations on the parameter?

If the above quote from the error_log is exact, it seems a very sloppy
attempt, considering the space.

-Ed

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------