[Dshield] Watch the fakeworms !

Mark Lastdrager mark at pine.nl
Tue Aug 7 17:36:34 GMT 2001


At Tue, 7 Aug 2001, dshield-admin at dshield.org wrote:

>Patrick,
>
>First the requests are not "fake", but rather the latest offshoot of
>the original Code Red worm.  This one, some have dubbed Code Red II,
>leaves an available backdoor into your IIS system that can be exploited
>at any time.  If you are running an IIS server and patched it for the
>original Code Red worm then you are safe from infection.  If you never
>installed the IIS patch from Microsoft then you should do that as it
>blocks both the original and this new strain that started broadcasting
>this past weekend.


They are fake, codered V2 doesn't send a browser version in its request.


>
>Wayne
>
>
>>>> patrick at pine.nl 08/07/01 02:34:47 >>>
>Hi,
>
>I keep getting 'fake' worm requests. What could be the use of these,
>except being sad?
>
>128.218.8.173 - - [ 7/Aug/2001:09:27:59 +0200] "GET
>http://213.156.3.18/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE.4.01; Windows NT)"
>
>24.132.72.194 - - [ 7/Aug/2001:09:29:28 +0200] "GET
>http://www.pine.nl/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>HTTP/1.1" - - "-" "Mozilla/4.0 (compatible;MSIE 5.5; Windows NT 5.0)"
>
>	Patrick
>
>
>

Mark Lastdrager

--
Pine Internet BV ::  tel. +31-70-3111010 ::  fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: runaway cat on system.
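
The distinction drawn in the reply above (requests that carry a browser version versus requests that carry none) can be applied to an access log as follows. This is an added example, not part of the original thread; the log lines, addresses, host name and label names are constructed, and the field layout is assumed to match the quoted log entries.

```python
import re
from collections import defaultdict

# Common-log style line: source, quoted request line, then referer and
# user agent as the last two quoted fields (layout as in the quoted logs).
LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
    r'.*"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)
# default.ida request with a long run of padding characters in the query.
IDA_RE = re.compile(r'/default\.ida\?[NX]{20,}', re.IGNORECASE)

def classify(line):
    """Return (source, label) for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None, "unparsed"
    if not IDA_RE.search(m.group("target")):
        return m.group("src"), "other"
    agent = m.group("agent").strip()
    # Per the reply, a request that names a browser is not the worm's own.
    label = "ida-no-agent" if agent in ("", "-") else "ida-with-agent"
    return m.group("src"), label

def triage(lines):
    """Group source addresses by label."""
    groups = defaultdict(set)
    for line in lines:
        src, label = classify(line)
        groups[label].add(src)
    return {k: sorted(v, key=str) for k, v in groups.items()}

# Constructed sample lines (documentation address ranges, shortened padding).
PAD = "X" * 60
UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
SAMPLE = [
    '192.0.2.10 - - [ 7/Aug/2001:09:27:59 +0200] "GET http://www.example.test'
    '/default.ida?' + PAD + ' HTTP/1.1" - - "-" "' + UA + '"',
    '198.51.100.7 - - [ 7/Aug/2001:09:31:02 +0200] "GET /default.ida?' + PAD
    + ' HTTP/1.0" - - "-" "-"',
    '203.0.113.5 - - [ 7/Aug/2001:09:32:40 +0200] "GET /index.html HTTP/1.0"'
    ' - - "-" "' + UA + '"',
]

if __name__ == "__main__":
    for label, sources in triage(SAMPLE).items():
        print(label, sources)
```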



