[Dshield] Watch the fakeworms !

Wayne Brummet wayne.brummet at intervoice-brite.com
Tue Aug 7 13:34:15 GMT 2001


Patrick,

First, the requests are not "fake", but rather the latest offshoot of the original Code Red worm. This one, which some have dubbed Code Red II, leaves an available backdoor into your IIS system that can be exploited at any time. If you are running an IIS server and patched it for the original Code Red worm, then you are safe from infection. If you never installed the IIS patch from Microsoft, then you should do that, as it blocks both the original and this new strain that started broadcasting this past weekend.

Wayne


>>> patrick at pine.nl 08/07/01 02:34:47 >>>
Hi,

I keep getting 'fake' worm requests. What could be the use of these,
except being sad?

128.218.8.173 - - [ 7/Aug/2001:09:27:59 +0200] "GET http://213.156.3.18/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE.4.01; Windows NT)"

24.132.72.194 - - [ 7/Aug/2001:09:29:28 +0200] "GET http://www.pine.nl/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1" - - "-" "Mozilla/4.0 (compatible;MSIE 5.5; Windows NT 5.0)"

	Patrick


-- 
 Patrick Oonk - PO1-6BONE - E: patrick at pine.nl - www.pine.nl/~patrick 
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk at my.security.nl 
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl 
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: Boss' kid fucked up the machine

_______________________________________________
Dshield mailing list
Dshield at dshield.org 
To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield
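
Added example (not part of the original messages): a small log triage script that flags default.ida probes like the ones quoted above and labels them by padding character, 'N' for the original Code Red and 'X' for the variant dubbed Code Red II. The sample lines, the addresses in them, and the MIN_PAD threshold are constructed assumptions.

```python
import re
from collections import Counter

# 'N' padding was used by the original Code Red requests,
# 'X' padding by the variant dubbed Code Red II.
VARIANTS = {"N": "Code Red", "X": "Code Red II"}
MIN_PAD = 32  # assumption: shorter runs are treated as ordinary query strings

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)(?: HTTP/[\d.]+)?"'
)
# Accept origin-form (/default.ida?...) and absolute-form
# (http://host/default.ida?...) targets; the quoted log shows the latter.
IDA_RE = re.compile(r'^(?:https?://[^/]+)?/default\.ida\?(?P<q>.*)$', re.I)


def classify(line):
    """Return (source_ip, variant, pad_length) for a probe, else None."""
    m = LINE_RE.match(line)
    ida = m and IDA_RE.match(m.group("target"))
    pad = ida and re.match(r'N+|X+', ida.group("q"))
    if not pad or len(pad.group(0)) < MIN_PAD:
        return None
    return m.group("src"), VARIANTS[pad.group(0)[0]], len(pad.group(0))


def summarize(lines):
    """Count probes per (source, variant) so repeat scanners stand out."""
    hits = filter(None, map(classify, lines))
    return Counter((src, variant) for src, variant, _ in hits)


# Constructed sample lines: documentation addresses, arbitrary padding lengths.
PAD_X, PAD_N = "X" * 64, "N" * 224
SAMPLE = [
    f'192.0.2.10 - - [ 7/Aug/2001:09:27:59 +0200] "GET http://198.51.100.5/default.ida?{PAD_X} HTTP/1.1" - - "-" "-"',
    f'192.0.2.10 - - [ 7/Aug/2001:09:31:02 +0200] "GET /default.ida?{PAD_X} HTTP/1.0" 404 205',
    f'192.0.2.77 - - [19/Jul/2001:14:02:11 +0200] "GET /default.ida?{PAD_N} HTTP/1.0" 404 205',
    '192.0.2.99 - - [ 7/Aug/2001:09:40:00 +0200] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.99 - - [ 7/Aug/2001:09:41:00 +0200] "GET /default.ida?XX HTTP/1.1" 404 205',
]

if __name__ == "__main__":
    for (src, variant), n in sorted(summarize(SAMPLE).items()):
        print(f"{src}\t{variant}\t{n}")
```

A hit in the log only shows that a scanning host reached the server; whether the server itself is exposed depends on the IIS patch status discussed in the reply.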



