[Dshield] Watch the fakeworms !

Greg Broiles gbroiles at well.com
Tue Aug 7 16:40:16 GMT 2001


At 08:34 AM 8/7/2001 -0500, Wayne Brummet wrote:

>First the requests are not "fake", but rather the latest off shoot of the 
>original Code Red worm.

Hmm - if you look at the browser-ID field in the requests concerned, it 
says "MSIE 4.01" or "MSIE 5.5" - the CR II hits that I've been seeing don't 
have a browser ID - so I bet that's why Patrick thinks these are "fake" 
hits, since they're either from a browser, or from software that's 
pretending to be a browser.

The only explanations I can think of are (a) curious people, who wonder 
what happens when they try the exploit using their browsers, or (b) there's 
an infected machine behind a proxy which is masquerading as a browser. I 
think (a) is more plausible, though it seems unlikely that they'd pick on 
random machines - unless Patrick runs a popular system, which might expect 
to be the target of exploration.

 >>> patrick at pine.nl 08/07/01 02:34:47 >>>
>Hi,
>
>I keep getting 'fake' worm requests. What could be the use of these,
>except being sad?
>
>128.218.8.173 - - [ 7/Aug/2001:09:27:59 +0200] "GET 
>http://213.156.3.18/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
>HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE.4.01; Windows NT)"
>
>24.132.72.194 - - [ 7/Aug/2001:09:29:28 +0200] "GET 
>http://www.pine.nl/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
>HTTP/1.1" - - "-" "Mozilla/4.0 (compatible;MSIE 5.5; Windows NT 5.0)"

--
Greg Broiles
gbroiles at well.com
"We have found and closed the thing you watch us with." -- New Delhi street kids




More information about the list mailing list