[Dshield] Watch the fakeworms !
wayne.brummet at intervoice-brite.com
Tue Aug 7 13:34:15 GMT 2001
First, the requests are not "fake", but rather the latest offshoot of the original Code Red worm. This one, which some have dubbed Code Red II, leaves an available backdoor into your IIS system that can be exploited at any time. If you are running an IIS server and patched it for the original Code Red worm, then you are safe from infection. If you never installed the IIS patch from Microsoft, then you should do that, as it blocks both the original and this new strain that started broadcasting this past weekend.
>>> patrick at pine.nl 08/07/01 02:34:47 >>>
I keep getting 'fake' worm requests. What could be the use of these,
except being sad?
22.214.171.124 - - [ 7/Aug/2001:09:27:59 +0200] "GET http://126.96.36.199/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE.4.01; Windows NT)"
188.8.131.52 - - [ 7/Aug/2001:09:29:28 +0200] "GET http://www.pine.nl/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1" - - "-" "Mozilla/4.0 (compatible;MSIE 5.5; Windows NT 5.0)"
Patrick Oonk - PO1-6BONE - E: patrick at pine.nl - www.pine.nl/~patrick
Pine Internet - PAT31337-RIPE - Hushmail: p.oonk at my.security.nl
T: +31-70-3111010 - F: +31-70-3111011 - http://security.nl
PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF 2F64 A65C 42AE 155C 3934
Excuse of the day: Boss' kid fucked up the machine
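Added example, not part of the original thread: a small classifier for `default.ida` probes in an access log, handling both the absolute-URI request form seen in the quoted entries and the plain path form. The log lines are constructed; the 64-character padding threshold is an assumption, and the "N" padding signature of the original Code Red is general knowledge about that worm rather than something stated in the thread.

```python
import re
from urllib.parse import urlsplit

# Source address and request target from an access-log entry.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
MIN_PAD = 64  # assumed threshold: shorter runs are not treated as worm padding
PAD_RE = re.compile(r"^(?P<ch>[A-Za-z])(?P=ch){%d,}" % (MIN_PAD - 1))
# "X" is the padding in the thread's log lines; "N" is the original worm's.
VARIANT = {"X": "Code Red II", "N": "Code Red (original)"}

def classify(line):
    """Return (source, variant, pad_length) for a default.ida probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # urlsplit copes with "/default.ida?..." and "http://host/default.ida?..."
    parts = urlsplit(m["target"])
    if not parts.path.lower().endswith("/default.ida"):
        return None
    pad = PAD_RE.match(parts.query)
    if not pad:
        return None  # ordinary query string, not a padded probe
    ch = pad["ch"]
    return m["src"], VARIANT.get(ch, "unknown padding %r" % ch), len(pad.group(0))

def summarize(lines):
    """Group probing source addresses by variant."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault(result[1], set()).add(result[0])
    return {variant: sorted(srcs) for variant, srcs in hits.items()}

# Constructed sample entries (documentation addresses, not taken from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [ 7/Aug/2001:09:27:59 +0200] "GET http://www.example.test/default.ida?'
    + "X" * 224 + ' HTTP/1.1" - - "-" "Mozilla/4.0"',
    '198.51.100.7 - - [19/Jul/2001:14:02:11 +0200] "GET /default.ida?'
    + "N" * 224 + ' HTTP/1.0" 404 205',
    '203.0.113.5 - - [ 7/Aug/2001:09:30:00 +0200] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.9 - - [ 7/Aug/2001:09:31:00 +0200] "GET /default.ida?id=42 HTTP/1.1" 404 205',
]

if __name__ == "__main__":
    for variant, sources in summarize(SAMPLE_LOG).items():
        print(variant, sources)
```

A hit only shows that a remote host sent the probe; whether the receiving server is at risk depends on it being an unpatched IIS system, as the reply above explains.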