[unisog] ida worm

Williams, Bob WilliamsRB at mail.vmi.edu
Thu Jul 19 21:37:02 GMT 2001


Russ,

Take a look at
http://www.microsoft.com/technet/security/bulletin/ms01-033.asp which
explains the fix for the "code red" worm that is presently attacking
unpatched IIS servers all over the world.  Your log most likely shows a code
red worm attack on the IIS server(s) at your site.

Also, this article about the worm was referenced in last evening's SANS
NewsBites:
http://www.crn.com/components/Nl/direct/article.asp?ArticleID=28301

Hope this helps,

Bob Williams
UNIX/Network Security Administrator
Virginia Military Institute
Information Technology
Lexington, VA 24450

williamsrb at vmi.edu

-----Original Message-----
From: Russ Harvey [mailto:russ at cornucopia.ucr.edu]
Sent: Thursday, July 19, 2001 3:06 PM
To: unisog at sans.org
Cc: systems at listproc.ucr.edu
Subject: [unisog] ida worm



http://www.eeye.com/html/Research/Advisories/AD20010618.html

We're getting hit with a ton of these, and the source IPs seem all over
the map:

Thu Jul 19 08:33:06    HTTP request from 207.46.239.116: GET /default.ida?NN...
Thu Jul 19 08:53:17    HTTP request from 211.220.44.29: GET /default.ida?NN...
Thu Jul 19 09:26:38    HTTP request from 63.237.136.164: GET /default.ida?NN...
Thu Jul 19 09:33:14    HTTP request from 217.12.96.66: GET /default.ida?NN...
Thu Jul 19 10:00:43    HTTP request from 210.218.214.10: GET /default.ida?NN...
Thu Jul 19 10:05:05    HTTP request from 63.165.102.41: GET /default.ida?NN...
Thu Jul 19 10:40:26    HTTP request from 66.1.160.222: GET /default.ida?NN...
Thu Jul 19 10:51:14    HTTP request from 61.155.18.78: GET /default.ida?NN...
Thu Jul 19 10:51:53    HTTP request from 211.173.199.28: GET /default.ida?NN...
Thu Jul 19 11:01:18    HTTP request from 216.114.79.35: GET /default.ida?NN...
Thu Jul 19 11:01:57    HTTP request from 209.113.64.211: GET /default.ida?NN...

Anyone else getting barraged?

Thanks,
--russ

-------------------------------------------------------------------------------
Russ Harvey                             Internet: russ-harvey at ucr.edu
Dept. of Computing and Communications       uucp: galaxy!russ
Univ. of Calif., Riverside, CA 92521-0142  phone: (909) 787-5617
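
One way to tally the probes in a log of the format quoted in this thread, as an added example that is not part of the original messages: it rejoins entries split across lines, matches `/default.ida?NN...` requests, and counts probes per source and per hour. The sample lines are constructed (documentation-range addresses), and the one-entry-per-timestamp layout and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the quoted log format (documentation-range IPs);
# the second entry is split across two lines, as mail wrapping does.
SAMPLE = """\
Thu Jul 19 08:33:06    HTTP request from 192.0.2.10: GET /default.ida?NN...
Thu Jul 19 08:53:17    HTTP request from 198.51.100.7: GET
/default.ida?NN...
Thu Jul 19 09:02:41    HTTP request from 192.0.2.10: GET /default.ida?NN...
Thu Jul 19 09:15:00    HTTP request from 203.0.113.5: GET /index.html
Thu Jul 19 10:05:05    HTTP request from 203.0.113.99: GET /default.ida?NNNNNNNN
"""

# Assumed entry layout: "<dow> <mon> <day> <hh:mm:ss>  HTTP request from <ip>: <METHOD> <uri>"
ENTRY = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2}\s+"
    r"HTTP request from (?P<src>\d{1,3}(?:\.\d{1,3}){3}): [A-Z]+ (?P<uri>\S+)"
)
# Probe signature as logged: default.ida with a query that starts with a run of N.
PROBE = re.compile(r"^(?i:/default\.ida)\?N{2,}")
TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d{1,2} \d{2}:")

def unwrap(text):
    """Rejoin entries whose request part was pushed onto a continuation line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if entries and not TIMESTAMP.match(line):
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    return entries

def summarize(text):
    """Return (probes per source IP, probes per hour) for matching entries."""
    per_source, per_hour = Counter(), Counter()
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if m and PROBE.match(m["uri"]):
            per_source[m["src"]] += 1
            per_hour[f'{m["mon"]} {m["day"]} {m["hour"]}:00'] += 1
    return per_source, per_hour

if __name__ == "__main__":
    sources, hours = summarize(SAMPLE)
    print(f"{sum(sources.values())} probes from {len(sources)} distinct sources")
    for hour, count in sorted(hours.items()):
        print(f"  {hour}  {count}")
```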


