[Dshield] Watch the fakeworms !

Evans, TJ tjevans at kpmg.com
Tue Aug 7 17:33:01 GMT 2001


Also worth keeping in mind: due to the nature of the changes CR2 makes, a
simple "Patch & Reboot" is not sufficient to purge an infected machine.
<If your machine was not infected, a patch is sufficient>.
http://www.incidents.org/react/code_red.php 
http://www.incidents.org/react/code_redII.php



Thanks!
TJ

 -----Original Message-----
From: 	Wayne Brummet [mailto:wayne.brummet at intervoice-brite.com] 
Sent:	Tuesday, August 07, 2001 9:34 
To:	dshield at dshield.org
Subject:	Re: [Dshield] Watch the fakeworms !

Patrick,

First, the requests are not "fake", but rather the latest offshoot of the
original Code Red worm.  This one, some have dubbed Code Red II, leaves an
available backdoor into your IIS system that can be exploited at any time.
If you are running an IIS server and patched it for the original Code Red
worm, then you are safe from infection.  If you never installed the IIS patch
from Microsoft, then you should do that, as it blocks both the original and
this new strain that started broadcasting this past weekend.


Wayne


>>> patrick at pine.nl 08/07/01 02:34:47 >>>
Hi,

I keep getting 'fake' worm requests. What could be the use of these,
except being sad?

128.218.8.173 - - [ 7/Aug/2001:09:27:59 +0200] "GET
http://213.156.3.18/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1" - - "-"
"Mozilla/4.0 (compatible; MSIE.4.01; Windows NT)"

24.132.72.194 - - [ 7/Aug/2001:09:29:28 +0200] "GET
http://www.pine.nl/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1" - - "-"
"Mozilla/4.0 (compatible;MSIE 5.5; Windows NT 5.0)"

	Patrick


-- 
 Patrick Oonk - PO1-6BONE - E: patrick at pine.nl - www.pine.nl/~patrick 
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk at my.security.nl 
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl 
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: Boss' kid fucked up the machine

_______________________________________________
Dshield mailing list
Dshield at dshield.org 
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield

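As an added example (not code from anyone in this thread), here is a small Python scanner for Apache-style access log lines of the kind Patrick quoted: it flags default.ida requests and labels them by padding character, since the original Code Red padded its request with N and Code Red II with X. The 50-character padding threshold, the `_line` helper and the sample lines are assumptions constructed for this example.

```python
import re

# Apache-style access log line as quoted in the thread: source IP, timestamp,
# request line, then status/bytes (absent in those entries), referer, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[\s*(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)"')
# Leading run of one repeated letter in the query string; the 50-character
# threshold is an assumption, real worm requests pad with a few hundred.
PAD_RE = re.compile(r'^([A-Za-z])\1{49,}')
LABELS = {'X': 'Code Red II (X padding)', 'N': 'Code Red v1/v2 (N padding)'}
OTHER = 'default.ida probe (unrecognised padding)'

def classify_request(url):
    """Return a label for a default.ida request, or None if it is not one."""
    # Requests may be proxy-style absolute URLs (as in the thread) or plain paths.
    path = re.sub(r'^https?://[^/]+', '', url)
    if '?' not in path:
        return None
    path, query = path.split('?', 1)
    if path.lower() != '/default.ida':
        return None
    m = PAD_RE.match(query)
    return LABELS.get(m.group(1).upper(), OTHER) if m else OTHER

def scan_log(text):
    """Return (source_ip, timestamp, label) for every worm-like request in text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        label = classify_request(m.group('url')) if m else None
        if label:
            hits.append((m.group('ip'), m.group('ts'), label))
    return hits

# Constructed sample lines modelled on the entries Patrick quoted (padding shortened).
def _line(ip, ts, url, ua):
    return f'{ip} - - [ {ts}] "GET {url} HTTP/1.1" - - "-" "{ua}"'

SAMPLE_LOG = "\n".join([
    _line('128.218.8.173', '7/Aug/2001:09:27:59 +0200',
          'http://213.156.3.18/default.ida?' + 'X' * 200,
          'Mozilla/4.0 (compatible; MSIE.4.01; Windows NT)'),
    _line('24.132.72.194', '7/Aug/2001:09:29:28 +0200',
          'http://www.pine.nl/default.ida?' + 'X' * 200,
          'Mozilla/4.0 (compatible;MSIE 5.5; Windows NT 5.0)'),
    _line('192.0.2.10', '7/Aug/2001:09:30:00 +0200', '/default.ida?' + 'N' * 200, '-'),
    _line('192.0.2.11', '7/Aug/2001:09:31:10 +0200', '/index.html', 'Mozilla/4.0'),
])
```

Calling `scan_log(SAMPLE_LOG)` returns three hits (two labelled Code Red II, one Code Red v1/v2) and ignores the ordinary index.html request; the same function can be pointed at a real access log read from disk.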

