Me too! I'm getting them by the thousands starting at about 7:30 AM today.

Pete
On the Blackfoot River in the great state of Montana

-----Original Message-----
From: Michael Jankowski [mailto:skyjumpr@xxxxxxxxxxx]
Sent: Tuesday, September 18, 2001 11:40 AM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: new worm going around?

Looking through my logs I've seen attacks from source addresses that had previously been trying to pass the Code Red virus/trojan. These new attacks may be a new variation of Code Red or they could be a script run from those machines that were infected (and never cleaned up). One of the results of Code Red is that it made it possible for someone to install a backdoor into the system, thereby allowing some other code to be run at a later time. This may be that code, or perhaps someone just figured out a way to take advantage of the infected machines.

Michael

-----Original Message-----
From: Nick Chadwick
Sent: Tue 9/18/2001 11:01 AM
To: [ISAserver.org Discussion List]
Cc:
Subject: [isalist] RE: new worm going around?

http://www.ISAserver.org

This worm could be extremely nasty... Testing a variant of one of the requests in my web proxy log, I deleted a file from the root directory of my ISA server. If you're not 100% sure your web server is immune to these requests, I suggest shutting it down now.

Nick Chadwick
Development & Technical Support Manager
Comsoft Limited, UK
Tel: +44-(0)20-8240-4452
Fax: +44-(0)20-8240-4449
Mobile: +44-(0)7740-362408
Email: nick@xxxxxxxxxxxxxx <mailto:nick@xxxxxxxxxxxxxx>
Web: http://www.comsoft.ltd.uk/

-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: 18 September 2001 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: new worm going around?

As a precaution, I suggest you shut down port 69/UDP, which is tftp.
-----Original Message-----
From: marc.boutin@xxxxxxxxx [mailto:marc.boutin@xxxxxxxxx]
Sent: Tuesday, September 18, 2001 11:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: new worm going around?

So is mine! It's been hit since this morning! And it hasn't stopped...

-----Original Message-----
From: Nick Chadwick [mailto:nick@xxxxxxxxxxxxxx]
Sent: Tuesday, September 18, 2001 11:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: new worm going around?

Yes, my ISA server is being hit by it. Every 10 minutes or so, it's being hit 50 times in a matter of seconds.

Nick Chadwick
Development & Technical Support Manager
Comsoft Limited, UK
Tel: +44-(0)20-8240-4452
Fax: +44-(0)20-8240-4449
Mobile: +44-(0)7740-362408
Email: nick@xxxxxxxxxxxxxx <mailto:nick@xxxxxxxxxxxxxx>
Web: http://www.comsoft.ltd.uk/

-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: 18 September 2001 16:36
To: [ISAserver.org Discussion List]
Subject: [isalist] new worm going around?

http://slashdot.org/article.pl?sid=01/09/18/151203&mode=nested

Anybody else seeing this? Lots of attacks on various places cmd.exe might be.

ISA Snippity-snippit

207.175.201.20 anonymous - N 2001-09-18 13:33:53 W3ReverseProxy GATEKEEPER - www - - - 70 - - TCP GET http://www/MSADC/root.exe?/c+dir - - 12202 0x0 Default rule -

Shayne Lebrun
Senior Systems Administrator
Veredex Logistics
slebrun@xxxxxxxxxxx
Office: (905) 282-1515 x 242
Pager: page_shayne@xxxxxxxxxxx

Think your network might have Code Red? Find those pesky root.exe files with Root Finder: http://www.tangozone.com/slebrun/downloads.tml

From a Sun Microsystems bug report (#4102680): "Workaround: don't pound on the mouse like a wild monkey."

Want to hold up a bank in Latin? "Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam." (I have a catapult.
Give me all the money, or I will fling an enormous rock at your head.)

"Lawyers are like chemical weapons. Everybody gets screwed if they're let out."

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: nick@xxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

**********************************************************************
Disclaimer: This e-mail contains proprietary information some or all of which may be legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and then permanently delete the message from your computer. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on the e-mail. The opinion expressed in this Email is that of the author and not necessarily that of Comsoft Limited. While attachments are virus checked, Comsoft Limited do not accept any liability in respect of a virus which is not detected.
**********************************************************************
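
The thread describes bursts of requests for root.exe and cmd.exe showing up in the ISA web proxy log. As an added example (not written by anyone in the thread), this Python script flags source addresses that send such requests in a short burst. The field layout is inferred from the single log line quoted in the thread; the sample lines, addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample lines (documentation addresses), same layout as the line in the thread.
SAMPLE_LOG = """\
192.0.2.10 anonymous - N 2001-09-18 13:33:53 W3ReverseProxy GATEKEEPER - www - - - 70 - - TCP GET http://www/MSADC/root.exe?/c+dir - - 12202 0x0 Default rule -
192.0.2.10 anonymous - N 2001-09-18 13:33:54 W3ReverseProxy GATEKEEPER - www - - - 60 - - TCP GET http://www/scripts/root.exe?/c+dir - - 12202 0x0 Default rule -
192.0.2.10 anonymous - N 2001-09-18 13:33:55 W3ReverseProxy GATEKEEPER - www - - - 65 - - TCP GET http://www/scripts/cmd.exe?/c+dir - - 12202 0x0 Default rule -
192.0.2.10 anonymous - N 2001-09-18 13:33:58 W3ReverseProxy GATEKEEPER - www - - - 61 - - TCP GET http://www/MSADC/CMD.EXE?/c+dir - - 12202 0x0 Default rule -
198.51.100.7 anonymous - N 2001-09-18 13:40:00 W3ReverseProxy GATEKEEPER - www - - - 30 - - TCP GET http://www/index.html - - 0 0x0 Default rule -
198.51.100.7 anonymous - N 2001-09-18 13:41:10 W3ReverseProxy GATEKEEPER - www - - - 70 - - TCP GET http://www/MSADC/root.exe?/c+dir - - 12202 0x0 Default rule -
"""

# Assumption: source address is the first field, followed later by date, time, method and URL.
LINE_RE = re.compile(
    r"^(?P<src>\S+) .*?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r".*? (?P<method>GET|HEAD|POST) (?P<url>\S+)")
SHELL_NAMES = {"root.exe", "cmd.exe"}  # the two executables named in the thread

def parse_probe(line):
    """Return (source, timestamp, executable) if the request targets a shell binary, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    leaf = urlsplit(m["url"]).path.rsplit("/", 1)[-1].lower()  # last path segment, any directory
    if leaf not in SHELL_NAMES:
        return None
    return m["src"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), leaf

def burst_sources(log_text, window_s=10, threshold=3):
    """Map each source to its peak probe count inside any window_s span, if >= threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        probe = parse_probe(line)
        if probe:
            hits[probe[0]].append(probe[1])
    flagged = {}
    for src, times in hits.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > timedelta(seconds=window_s):
                lo += 1  # slide the window start forward
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

Calling `burst_sources(SAMPLE_LOG)` reports only the address that sent four probes within ten seconds; the source with a single probe stays below the threshold.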