Snort mailing list archives

RE: New IIS Worm


From: sduncan () cytechconsult com
Date: Tue, 18 Sep 2001 11:21:54 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've seen over 400 attacks from 30 IP addresses against a single IP just this
morning. Web log files show it is looking for the Code Red back doors. Snort
logs show it is using the Unicode directory traversal to look for back doors.
My web server is not vulnerable, so I don't know what the worm does after it
infects. Let's hope it doesn't perform DDoS attacks against American
infrastructure targets.

I got paranoid when I traced some IPs back to ATT India and reported my
attacks to NIPC.

Scott Duncan
Cytech Security Consulting
http://www.cytechconsult.com/

On 18-Sep-2001 McCammon, Keith wrote:
Anyone know anything of a new IIS worm getting around?  I'm starting to see
systems getting hit with bursts of around 70 attempts at a variety of
exploits from a single attacking host.  It looks like some of the scripts
that we've seen in the past that run the gamut of exploits on a target host,
but this seems to be getting around pretty quick.

The same attempts have been seen on several IP networks according to some
newsgroups, and I've contacted two other business units on separate IP
networks to confirm.

I'd post the snort logs, but I don't feel like cutting and pasting from the
individual log files that are created.  If you want them, e-mail me offline
and I'll zip 'em up and mail them.

Cheers

Keith W. McCammon
Sr. Network Engineer
AdvanceMed Corporation
11710 Plaza America Drive
Reston, VA 20190
P - 703.261.4891 
F - 703.261.5300

Cytech Security Consulting
Internet Security Specialists
http://www.cytechconsult.com/
voice: 775-751-5267


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7p5DBk2DKE9dAYTcRAi9sAJsHmC9sj8PfRERlFHIJKXdvBDpxQACfe+Yp
zD/Y5pEqcNY8zB2k3JhwDLI=
=Ryg5
-----END PGP SIGNATURE-----
