Snort mailing list archives
RE: New IIS Worm
From: sduncan () cytechconsult com
Date: Tue, 18 Sep 2001 11:21:54 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've seen over 400 attacks from 30 IP addresses against a single IP just this morning. Web log files show it is looking for the Code Red back doors. Snort logs show it is using the Unicode directory traversal to look for back doors. My web server is not vulnerable, so I don't know what the worm does after it infects. Let's hope it doesn't perform DDoS attacks against American infrastructure targets. I got paranoid when I traced some IPs back to ATT India and reported my attacks to NIPC.

Scott Duncan
Cytech Security Consulting
http://www.cytechconsult.com/

On 18-Sep-2001 McCammon, Keith wrote:
> Anyone know anything of a new IIS worm getting around? I'm starting to see systems getting hit with bursts of around 70 attempts at a variety of exploits from a single attacking host. It looks like some of the scripts that we've seen in the past that run the gamut of exploits on a target host, but this seems to be getting around pretty quick.
>
> The same attempts have been seen on several IP networks according to some newsgroups, and I've contacted two other business units on separate IP networks to confirm.
>
> I'd post the snort logs, but I don't feel like cutting and pasting from the individual log files that are created. If you want them, e-mail me offline and I'll zip 'em up and mail them.
>
> Cheers
>
> Keith W. McCammon
> Sr. Network Engineer
> AdvanceMed Corporation
> 11710 Plaza America Drive
> Reston, VA 20190
> P - 703.261.4891
> F - 703.261.5300

Cytech Security Consulting
Internet Security Specialists
http://www.cytechconsult.com/
voice: 775-751-5267

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7p5DBk2DKE9dAYTcRAi9sAJsHmC9sj8PfRERlFHIJKXdvBDpxQACfe+Yp
zD/Y5pEqcNY8zB2k3JhwDLI=
=Ryg5
-----END PGP SIGNATURE-----
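
The message above describes bursts of probes from single hosts looking for Code Red back doors and using Unicode directory traversal. The following is an added example, not part of the original thread or of Snort: a small triage script that labels such requests in a web access log and reports sources that burst. The request patterns, the log format, the threshold and the sample lines are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_to_bytes

# Assumed patterns (publicly documented, not taken from the thread): the
# back door is a root.exe left in /scripts or /msadc, and the traversal
# uses overlong UTF-8 lead bytes 0xC0/0xC1, which valid UTF-8 never contains.
BACKDOOR = re.compile(rb"/(scripts|msadc)/root\.exe")
LOG = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')

def classify(raw_path):
    """Label one request path as 'backdoor', 'unicode-traversal' or None."""
    decoded = unquote_to_bytes(raw_path).lower()  # undo %xx escapes once
    if BACKDOOR.search(decoded):
        return "backdoor"
    if b".." in decoded and (b"\xc0" in decoded or b"\xc1" in decoded):
        return "unicode-traversal"
    return None

def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return sources whose probes reach `threshold` inside one `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG.match(line)
        kind = classify(m.group(3)) if m else None
        if kind:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits[m.group(1)].append((ts, kind))
    report = {}
    for src, events in hits.items():
        events.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[src] = {"peak": peak, "kinds": sorted({k for _, k in events})}
    return report

# Constructed sample in NCSA common log format (documentation addresses).
PROBES = ["/scripts/root.exe?/c+dir", "/MSADC/root.exe?/c+dir",
          "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"]
SAMPLE = [f'192.0.2.10 - - [18/Sep/2001:08:15:{i:02d} -0700] "GET {p} HTTP/1.0" 404 -'
          for i, p in enumerate(PROBES * 2)]
SAMPLE.append('198.51.100.7 - - [18/Sep/2001:09:30:00 -0700] "GET /index.html HTTP/1.0" 200 1043')
SAMPLE.append('198.51.100.7 - - [18/Sep/2001:09:31:00 -0700] "GET /scripts/root.exe HTTP/1.0" 404 -')
```

Calling `find_bursts(SAMPLE)` reports only the first source; the second made a single matching request, which stays below the threshold.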