
List:       mysql-odbc
Subject:    Re: New IIS Worm... Warning...
From:       "whiskyworld.de" <webmaster () whiskyworld ! de>
Date:       2001-09-18 20:43:46

Hi Lads,

I have no clue how this worm works, but since Apache is secure I took a look
in my logs just a second ago.... Look at this:

Greetings

Korbinian Bachl
www.whiskyworld.de

It looks like the worm is trying to gain control by entering the /SCRIPT/
dir and sending some dots and a CMD order.... else I have no clue why the
heck sb. would send this shit out....

[Tue Sep 18 19:24:19 2001] [error] [client 217.77.1.124] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..Á^\../winnt/system32/cmd.exe
[Tue Sep 18 19:24:19 2001] [error] [client 217.77.1.124] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..À¯../winnt/system32/cmd.exe
[Tue Sep 18 19:24:19 2001] [error] [client 217.77.1.124] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..Á~\../winnt/system32/cmd.exe
[Tue Sep 18 19:24:19 2001] [error] [client 217.77.1.124] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 19:24:20 2001] [error] [client 217.77.1.124] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%2f../winnt/system32/cmd.exe
[Tue Sep 18 19:28:38 2001] [error] [client 217.228.234.165] File does not
exist: /home/whiskyworld.de/apache/httpdocs/pic/main_frau.jpg
[Tue Sep 18 19:40:53 2001] [error] [client 217.224.163.179] File does not
exist: /home/whiskyworld.de/apache/httpdocs/pic/main_frau.jpg
[Tue Sep 18 20:52:19 2001] [error] [client 217.126.21.178] File does not
exist: /home/whiskyworld.de/apache/httpdocs/default.ida
[Tue Sep 18 21:36:51 2001] [error] [client 217.29.194.208] File does not
exist: /home/whiskyworld.de/apache/httpdocs/scripts/root.exe
[Tue Sep 18 21:36:52 2001] [error] [client 217.29.194.208] File does not
exist: /home/whiskyworld.de/apache/httpdocs/MSADC/root.exe
[Tue Sep 18 21:36:52 2001] [error] [client 217.29.194.208] File does not
exist: /home/whiskyworld.de/apache/httpdocs/c/winnt/system32/cmd.exe
[Tue Sep 18 21:36:55 2001] [error] [client 217.29.194.208] File does not
exist: /home/whiskyworld.de/apache/httpdocs/d/winnt/system32/cmd.exe
[Tue Sep 18 21:36:59 2001] [error] [client 217.29.194.208] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 21:36:59 2001] [error] [client 217.29.194.208] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/
system32/cmd.exe
[Tue Sep 18 21:36:59 2001] [error] [client 217.29.194.208] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/
system32/cmd.exe
[Tue Sep 18 21:37:03 2001] [error] [client 217.29.194.208] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/msadc/..%5c../..%5c../..%5c/..Á^\../..Á
^\../..Á^\../winnt/system32/cmd.exe
[Tue Sep 18 21:37:03 2001] [error] [client 217.29.194.208] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..Á^\../winnt/system32/cmd.exe
[Tue Sep 18 21:37:06 2001] [error] [client 217.29.194.208] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..À¯../winnt/system32/cmd.exe
[Tue Sep 18 21:37:07 2001] [error] [client 217.29.194.208] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..Á~\../winnt/system32/cmd.exe
[Tue Sep 18 21:37:07 2001] [error] [client 217.29.194.208] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 21:37:07 2001] [error] [client 217.29.194.208] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%2f../winnt/system32/cmd.exe
[Tue Sep 18 21:44:26 2001] [error] [client 217.128.146.81] File does not
exist: /home/whiskyworld.de/apache/httpdocs/default.ida
[Tue Sep 18 22:08:20 2001] [error] [client 217.19.34.135] File does not
exist: /home/whiskyworld.de/apache/httpdocs/scripts/root.exe
[Tue Sep 18 22:08:20 2001] [error] [client 217.19.34.135] File does not
exist: /home/whiskyworld.de/apache/httpdocs/MSADC/root.exe
[Tue Sep 18 22:08:20 2001] [error] [client 217.19.34.135] File does not
exist: /home/whiskyworld.de/apache/httpdocs/c/winnt/system32/cmd.exe
[Tue Sep 18 22:08:21 2001] [error] [client 217.19.34.135] File does not
exist: /home/whiskyworld.de/apache/httpdocs/d/winnt/system32/cmd.exe
[Tue Sep 18 22:08:21 2001] [error] [client 217.19.34.135] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 22:08:21 2001] [error] [client 217.19.34.135] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/
system32/cmd.exe
[Tue Sep 18 22:08:21 2001] [error] [client 217.19.34.135] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/
system32/cmd.exe
[Tue Sep 18 22:08:21 2001] [error] [client 217.19.34.135] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/msadc/..%5c../..%5c../..%5c/..Á^\../..Á
^\../..Á^\../winnt/system32/cmd.exe
[Tue Sep 18 22:08:21 2001] [error] [client 217.19.34.135] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..Á^\../winnt/system32/cmd.exe
[Tue Sep 18 22:08:21 2001] [error] [client 217.19.34.135] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..À¯../winnt/system32/cmd.exe
[Tue Sep 18 22:08:21 2001] [error] [client 217.19.34.135] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..Á~\../winnt/system32/cmd.exe
[Tue Sep 18 22:08:22 2001] [error] [client 217.19.34.135] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 22:08:22 2001] [error] [client 217.19.34.135] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%2f../winnt/system32/cmd.exe
[Tue Sep 18 22:12:34 2001] [error] [client 217.8.138.215] File does not
exist: /home/whiskyworld.de/apache/httpdocs/default.ida
[Tue Sep 18 22:13:16 2001] [error] [client 217.87.222.26] File does not
exist: /home/whiskyworld.de/apache/httpdocs/scripts/root.exe
[Tue Sep 18 22:13:17 2001] [error] [client 217.87.222.26] File does not
exist: /home/whiskyworld.de/apache/httpdocs/MSADC/root.exe
[Tue Sep 18 22:13:17 2001] [error] [client 217.87.222.26] File does not
exist: /home/whiskyworld.de/apache/httpdocs/c/winnt/system32/cmd.exe
[Tue Sep 18 22:13:18 2001] [error] [client 217.87.222.26] File does not
exist: /home/whiskyworld.de/apache/httpdocs/d/winnt/system32/cmd.exe
[Tue Sep 18 22:13:19 2001] [error] [client 217.87.222.26] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 22:13:19 2001] [error] [client 217.87.222.26] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/_vti_bin/..%5c../..%5c../..%5c../winnt/
system32/cmd.exe
[Tue Sep 18 22:13:20 2001] [error] [client 217.87.222.26] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/
system32/cmd.exe
[Tue Sep 18 22:13:20 2001] [error] [client 217.87.222.26] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/msadc/..%5c../..%5c../..%5c/..Á^\../..Á
^\../..Á^\../winnt/system32/cmd.exe
[Tue Sep 18 22:13:20 2001] [error] [client 217.87.222.26] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..Á^\../winnt/system32/cmd.exe
[Tue Sep 18 22:13:21 2001] [error] [client 217.87.222.26] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..À¯../winnt/system32/cmd.exe
[Tue Sep 18 22:13:21 2001] [error] [client 217.87.222.26] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..Á~\../winnt/system32/cmd.exe
[Tue Sep 18 22:13:26 2001] [error] [client 217.87.222.26] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 22:13:27 2001] [error] [client 217.87.222.26] File does not
exist:
/home/whiskyworld.de/apache/httpdocs/scripts/..%2f../winnt/system32/cmd.exe


|> -----Original Message-----
|> From: Peter [mailto:pwr@post4.tele.dk]
|> Sent: Tuesday, 18 September 2001 22:17
|> To: myodbc@lists.mysql.com; Michael Burke
|> Subject: Re: New IIS Worm... Warning...
|>
|>
|> Hi,
|>
|> I can add that the worm will add a piece of JavaScript code to all HTML and
|> ASP webpages on the webserver; further, it will spread a file called
|> "readme.eml" all over the webserver.
|>
|> The purpose is, when webpages are loaded, the JavaScript will ask visitors to
|> download the "readme.eml" file - and spread the worm to the local computer
|> this way too. Do not download this file.
|>
|> The "readme.eml" file can be deleted without any problems from the
|> webserver, and by that not spread via download.
|>
|> The remaining recovery process for the webserver is still to be verified
|> completely; the webserver might be recovered for a "temporary re-run" - but
|> this looks like a re-install.
|>
|> Further, the worm also changes GUEST_rights on the webserver.
|>
|> I advise following the newsgroup microsoft.public.inetserver.iis and also
|> visiting www.symantec.com and www.centralcommand.com
|>
|>
|> Best regards
|> Peter
|>
|>
|> ----- Original Message -----
|> From: "Michael Burke" <mburke@cordovabay.com>
|> To: <myodbc@lists.mysql.com>
|> Sent: Tuesday, September 18, 2001 9:42 PM
|> Subject: New IIS Worm... Warning...
|>
|>
|> > Our web servers have been under attack since 5:00 PM PDT from a large
|> > number of sites that appear to have fallen prey to the new W32.Nimda.A@mm
|> > worm. Like CODE RED and CODE BLUE, the worm exploits shoddy Microsoft code
|> > in its IIS (Internet Information Server) web server.
|> >
|> > While none of our web sites use this terrible piece of code, we are
|> > receiving probes looking for it at an incredible rate. At this point our
|> > web traffic is up 700% since 5:00 AM. This is over and above the ongoing
|> > probes associated with both CODE RED and CODE BLUE worms.
|> >
|> > There have been reports of Denial of Service attacks all over the Internet.
|> >
|> > At a time when people are struggling with other attacks in the real world,
|> > this cyber world attack is most shocking.
|> >
|> > The following comes directly from the Microsoft Advisory web site. I
|> > include it because unlike the previous major worms, this worm can also
|> > travel through the use of email when the receiver is using Microsoft
|> > Outlook based products. The worm exploits Microsoft's senseless inclusion
|> > of features and facilities in consumer code. In this case, it allows email
|> > that contains MIME controls to automatically execute code without the need
|> > to have an attachment opened. That means, just looking at the document
|> > executes the villain code.
|> >
|> > Experts are tracking a fast-spreading virus that propagates both by sending
|> > itself as an email attachment, and by hacking into vulnerable web servers.
|> >
|> > The W32.Nimda.A@mm worm infects IIS servers by exploiting the 'MS IIS/PWS
|> > Escaped Characters Decoding Command Execution Vulnerability' -- the same
|> > hole exploited by the recent Code Blue worm.
|> >
|> > The worm also attacks Microsoft Outlook users, arriving as an apparently
|> > blank message with an attachment called 'readme.exe.' As with other
|> > viruses, opening the attachment will infect the machine.
|> >
|> > But unlike most so-called mass mailers, Nimda can also infect Outlook and
|> > Outlook Express users who know better than to open strange attachments. By
|> > exploiting a bug in Internet Explorer discovered last March, the worm is
|> > able to infect victim computers when the email is read, or even displayed
|> > in Outlook's preview pane.
|> >
|> > A patch for the 'Microsoft IE MIME Header Attachment Execution
|> > Vulnerability' is available from Microsoft's web site.
|> >
|> > Once it has infected a machine, Nimda exposes local hard drives to the
|> > network, and spreads further through already-open file shares.
|> >
|> > Cyber security mailing lists began buzzing with word of the W32.Nimda.A@mm
|> > worm Tuesday morning, after network administrators noticed a massive
|> > increase in probes for Microsoft's unpatched IIS web server software.
|> >
|> > No destructive payload was immediately identified in the worm, but network
|> > administrators report that the worm consumes massive amounts of bandwidth
|> > in its feverish search for vulnerable servers.
|> >
|> > The virus comes at a time of heightened sensitivity to Internet attack.
|> >
|> > On Monday the U.S. National Infrastructure Protection Center (NIPC) issued
|> > an advisory warning that a group of vigilante hackers called 'The
|> > Dispatchers' have threatened to launch distributed denial of service
|> > attacks against unnamed Internet hosts, in response to the September 11th
|> > terrorist attacks on the United States.
|> >
|> > "The Dispatchers claim to have over 1,000 machines under their control for
|> > the attacks," the advisory reads. "It is likely that the attackers will
|> > mask their operations by using the IP addresses and pirated systems of
|> > uninvolved third parties."
|> >
|> >
|> >
|> > ----------
|> > Michael Burke
|> > Cordova Bay Entertainment Group, Inc
|> > 5159 Beckton Road
|> > Victoria, British Columbia
|> > Canada  V8Y 2C2
|> > 250-658-0336 - Tel
|> > 250-658-0593 - Fax
|> > www.cordovabay.com
|> >
|> >
|> > ---------------------------------------------------------------------
|> > Please check
|> "http://www.mysql.com/Manual_chapter/manual_toc.html" before
|> > posting. To request this thread, e-mail
|> myodbc-thread3879@lists.mysql.com
|> >
|> > To unsubscribe, send a message to the address shown in the
|> > List-Unsubscribe header of this message. If you cannot see it,
|> > e-mail myodbc-unsubscribe@lists.mysql.com instead.
|> >
|> >
|>
|>


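An added example, not code from anyone in this thread: a small Python triage script for Apache error-log lines of the shape quoted in the message above. It flags the parent-directory steps in their plain, %-encoded and overlong-UTF-8 forms (the ..Á^\.., ..À¯.. and ..%5c.. variants seen in the log) together with the cmd.exe, root.exe and default.ida targets, so a defender gets a per-client list of probing hosts instead of reading the log by hand. The sample lines and 192.0.2.x addresses are constructed.

```python
import re
from urllib.parse import unquote

# Apache error-log line of the shape quoted in the message above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>.+)$"
)
# Request targets the thread ties to the Nimda / Code Red probe family.
PROBE_TARGETS = ("/winnt/system32/cmd.exe", "/root.exe", "/default.ida")
# A '..' step followed by a plain or %-encoded slash/backslash, or by the
# overlong UTF-8 pairs (C0 AF, C1 9C, C1 1C) the log shows already decoded.
TRAVERSAL_RE = re.compile(
    r"\.\.(?:/|\\|%5c|%2f|%c0%af|%c1%9c|%c1%1c|\xc0\xaf|\xc1\x9c|\xc1\x1c)",
    re.IGNORECASE,
)

def classify(line):
    """Return (client_ip, reasons) for a probe line, or None for a plain 404."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    path = m.group("path").lower()
    reasons = []
    if path.endswith(PROBE_TARGETS):
        reasons.append("probe-target")
    # Test the literal path and one %-decoded copy, so a double-encoded
    # step such as '..%255c..' is still caught after one decode round.
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
        reasons.append("traversal")
    return (m.group("ip"), reasons) if reasons else None

def summarize(lines):
    """Map each probing client IP to the set of reasons seen in its lines."""
    hits = {}
    for line in lines:
        found = classify(line)
        if found:
            hits.setdefault(found[0], set()).update(found[1])
    return hits

# Constructed sample lines in the format of the quoted log (RFC 5737 addresses).
SAMPLE_LOG = [
    "[Tue Sep 18 19:24:19 2001] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/..\xc1\x1c../winnt/system32/cmd.exe",
    "[Tue Sep 18 19:24:20 2001] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/scripts/..%5c../winnt/system32/cmd.exe",
    "[Tue Sep 18 19:28:38 2001] [error] [client 192.0.2.20] File does not exist: /var/www/htdocs/pic/main.jpg",
    "[Tue Sep 18 20:52:19 2001] [error] [client 192.0.2.30] File does not exist: /var/www/htdocs/default.ida",
    "[Tue Sep 18 21:36:51 2001] [error] [client 192.0.2.40] File does not exist: /var/www/htdocs/scripts/root.exe",
]
```

Call summarize(SAMPLE_LOG), or pass it the lines of a real error_log, to get each probing client address with the reasons it was flagged; ordinary 404s such as the missing image are left out.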
