Uncategorized admin on 05 Aug 2001 08:00 am
Help rid the net of the MickeySoft Menace!
It seems like we’re well into Round 2 of the CodeRed worm. I’ve had 130 hits on one of my servers and this domain has had 123 unique hits. But, this server (which hosts 345 web sites!) has had a total of 38,736 hits.
There are two strains now. One looks like this:
164.73.191.6 - - [20/Jul/2001:05:38:42 -0500] "GET /default.ida?NNNNNNNNNNNNN… (etc)…NNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 284
The new one looks like this:
61.43.209.44 - - [05/Aug/2001:01:14:09 -0500] "GET /default.ida?XXXXXXXXXXXXX… (etc)…XXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 284
You can now do cool things like this:
http://infected_system/scripts/root.exe?/c+dir+c:
That will give you a directory of their C: drive; how quaint! Now are you going to patch your IIS server? Hmmmm?
You can do your part by sending in your logs. Of course, running Apache is a good way to avoid any problems as well.
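One way to count hits and unique sources for the two request patterns quoted above, plus requests for the /scripts/root.exe path, in an Apache access log. This is an added example, not part of the original post; the function names, the 20-character padding threshold and the sample log lines (documentation addresses, shortened padding) are assumptions.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)')
# /default.ida? followed by a long run of a single padding character (N or X)
IDA_RE = re.compile(r'^/default\.ida\?([NX])\1{20,}', re.IGNORECASE)

def classify(path):
    """Return 'N-strain', 'X-strain', 'root.exe-probe' or None for a request path."""
    m = IDA_RE.match(path)
    if m:
        return m.group(1).upper() + "-strain"
    if path.lower().startswith("/scripts/root.exe"):
        return "root.exe-probe"
    return None

def summarize(lines):
    """Map each category to (total hits, set of unique source addresses)."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log-format line
        kind = classify(m.group(2))
        if kind:
            hits[kind] += 1
            sources[kind].add(m.group(1))
    return {k: (hits[k], sources[k]) for k in hits}

# Constructed sample lines (not real traffic); padding shortened to 40 characters.
TAIL = '%u9090=a HTTP/1.0" 404 284'
SAMPLE = [
    '192.0.2.10 - - [20/Jul/2001:05:38:42 -0500] "GET /default.ida?' + "N" * 40 + TAIL,
    '192.0.2.10 - - [20/Jul/2001:05:40:01 -0500] "GET /default.ida?' + "N" * 40 + TAIL,
    '198.51.100.7 - - [05/Aug/2001:01:14:09 -0500] "GET /default.ida?' + "X" * 40 + TAIL,
    '198.51.100.7 - - [05/Aug/2001:01:15:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284',
    '203.0.113.5 - - [05/Aug/2001:02:00:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for kind, (count, srcs) in sorted(summarize(SAMPLE).items()):
        print(f"{kind}: {count} hits from {len(srcs)} unique sources")
```

To run it against a real log, pass an open file object to `summarize()` instead of `SAMPLE`.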