[Dshield] Watch the fakeworms !

Mark Lastdrager mark at pine.nl
Tue Aug 7 17:36:34 GMT 2001

At Tue, 7 Aug 2001, dshield-admin at dshield.org wrote:

>First the requests are not "fake", but rather the latest offshoot of
>the original Code Red worm.  This one, some have dubbed Code Red II,
>leaves an available backdoor into your IIS system that can be exploited
>at any time.  If you are running an IIS server and patched it for the
>original Code Red worm then you are safe from infection.  If you never
>installed the IIS patch from Microsoft then you should do that as it
>blocks both the original and this new strain that started broadcasting
>this past weekend.

They are fake, codered V2 doesn't send a browser version in its request.

>>>> patrick at pine.nl 08/07/01 02:34:47 >>>
>I keep getting 'fake' worm requests. What could be the use of these,
>except being sad?
> - - [ 7/Aug/2001:09:27:59 +0200] "GET
>HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE.4.01; Windows NT)"
> - - [ 7/Aug/2001:09:29:28 +0200] "GET
>HTTP/1.1" - - "-" "Mozilla/4.0 (compatible;MSIE 5.5; Windows NT 5.0)"
>	Patrick

Mark Lastdrager

Pine Internet BV ::  tel. +31-70-3111010 ::  fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: runaway cat on system.
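
The check described in the reply above, applied to access-log lines, as an added example that is not part of the original thread. It assumes Apache combined log format and that a probe is a GET for /default.ida with N or X padding (the quoted log lines have the path cut out); the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format; the day of month may be space-padded, as in the quoted lines.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<request>[^"]*)" '
    r'\S+ \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)
# Assumption: a probe is a GET for /default.ida followed by a run of N or X padding.
PROBE_RE = re.compile(r'^GET /default\.ida\?[NX]{8,}')

def classify(line):
    """Return (label, host) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed", None
    if not PROBE_RE.match(m["request"]):
        return "other", m["host"]
    # Rule from the reply: a probe carrying a browser string is treated as not worm-sent.
    has_agent = m["agent"] not in ("", "-")
    return ("probe-with-agent" if has_agent else "probe-no-agent"), m["host"]

def triage(lines):
    """Count labels and collect the source hosts behind each kind of probe."""
    counts, hosts = Counter(), defaultdict(set)
    for line in lines:
        label, host = classify(line)
        counts[label] += 1
        if label.startswith("probe"):
            hosts[label].add(host)
    return counts, {k: sorted(v) for k, v in hosts.items()}

# Constructed sample lines (documentation addresses, shortened padding).
SAMPLE = [
    '192.0.2.10 - - [ 7/Aug/2001:09:27:59 +0200] "GET /default.ida?XXXXXXXXXXXX HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    '198.51.100.7 - - [ 7/Aug/2001:09:31:02 +0200] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 - "-" "-"',
    '203.0.113.5 - - [ 7/Aug/2001:09:32:10 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    'not a log line',
]

if __name__ == "__main__":
    counts, hosts = triage(SAMPLE)
    print(dict(counts))
    print(hosts)
```

Hosts listed under probe-with-agent are the ones worth a closer look by hand, since a User-Agent header is trivially set by any client and proves nothing on its own.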
