RE: new worm going around?

  • From: "Peter J. Persing" <Peter@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 18 Sep 2001 11:59:14 -0600

Me too! I'm getting them by the thousands starting at about 7:30 AM
today.

Pete
 
On the Blackfoot River in the great state of Montana
 
 


-----Original Message-----
From: Michael Jankowski [mailto:skyjumpr@xxxxxxxxxxx] 
Sent: Tuesday, September 18, 2001 11:40 AM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: new worm going around?


Looking through my logs I've seen attacks from source addresses that had
previously been trying to pass the code red virus/trojan. These new
attacks may be a new variation of code red or they could be a script
run from those machines that were infected (and never cleaned up). One
of the results of code red is that it made it possible for someone to
install a backdoor into the system, thereby allowing some other code to
be run at a later time. This may be that code, or perhaps someone just
figured out a way to take advantage of the infected machines.

Michael


-----Original Message-----
From:   Nick Chadwick
Sent:   Tue 9/18/2001 11:01 AM
To:     [ISAserver.org Discussion List]
Cc:     
Subject:        [isalist] RE: new worm going around?
http://www.ISAserver.org


This worm could be extremely nasty...testing a variant of one of the
requests in my web proxy log, I deleted a file from the root directory
of my ISA server.

If you're not 100% sure your web server is immune to these requests, I
suggest shutting it down now.

Nick Chadwick
Development & Technical Support Manager
Comsoft Limited, UK
Tel: +44-(0)20-8240-4452  Fax: +44-(0)20-8240-4449  Mobile:
+44-(0)7740-362408
Email: nick@xxxxxxxxxxxxxx <mailto:nick@xxxxxxxxxxxxxx>
Web: http://www.comsoft.ltd.uk/


-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: 18 September 2001 16:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: new worm going around?


As a precaution, I suggest you shut down port 69/UDP, which is tftp.

-----Original Message-----
From: marc.boutin@xxxxxxxxx [mailto:marc.boutin@xxxxxxxxx]
Sent: Tuesday, September 18, 2001 11:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: new worm going around?


So is mine! It's been hit since this morning! And it hasn't stopped...



-----Original Message-----
From: Nick Chadwick [mailto:nick@xxxxxxxxxxxxxx]
Sent: Tuesday, September 18, 2001 11:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: new worm going around?


Yes, my ISA server is being hit by it. Every 10 minutes or so, it's
being hit 50 times in a matter of seconds.

Nick Chadwick
Development & Technical Support Manager
Comsoft Limited, UK
Tel: +44-(0)20-8240-4452  Fax: +44-(0)20-8240-4449  Mobile:
+44-(0)7740-362408
Email: nick@xxxxxxxxxxxxxx <mailto:nick@xxxxxxxxxxxxxx>
Web: http://www.comsoft.ltd.uk/


-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: 18 September 2001 16:36
To: [ISAserver.org Discussion List]
Subject: [isalist] new worm going around?


http://slashdot.org/article.pl?sid=01/09/18/151203&mode=nested

Anybody else seeing this?  Lots of attacks on various places cmd.exe
might be.

ISA Snippity-snippit

207.175.201.20  anonymous       -       N       2001-09-18      13:33:53
W3ReverseProxy  GATEKEEPER      -       www     -       -       -
70      -       -       TCP     GET     http://www/MSADC/root.exe?/c+dir
-       -       12202   0x0     Default rule    -


Shayne Lebrun
Senior Systems Administrator
Veredex Logistics
slebrun@xxxxxxxxxxx
Office: (905) 282-1515 x 242
Pager: page_shayne@xxxxxxxxxxx

Think your network might have Code Red?  Find those pesky root.exe files
with Root Finder: http://www.tangozone.com/slebrun/downloads.tml

From a Sun Microsystems bug report (#4102680):
"Workaround: don't pound on the mouse like a wild monkey."

Want to hold up a bank in Latin?
"Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
immane mittam." (I have a catapult. Give me all the money, or I will
fling an enormous rock at your head.)

"Lawyers are like chemical weapons.  Everybody gets screwed if they're
let out."
 

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
nick@xxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')


**********************************************************************
Disclaimer: This e-mail contains proprietary information some or all of
which may be legally privileged. It is for the intended recipient only.
If an addressing or transmission error has misdirected this e-mail,
please notify the author by replying to this e-mail and then permanently
delete the message from your computer. If you are not the intended
recipient you must not use, disclose, distribute, copy, print or rely on
the e-mail.

The opinion expressed in this Email is that of the author and not 
necessarily that of Comsoft Limited.

While attachments are virus checked, Comsoft Limited do not accept any
liability in respect of a virus which is not detected.
**********************************************************************
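
Added example, not part of the original thread: a Python sketch that scans proxy log lines laid out like the entry quoted above and summarises, per source address, the requests whose path ends in cmd.exe or root.exe. Only the first sample line comes from the thread; the others are constructed, and the field layout is an assumption inferred from that single quoted entry.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Sample input: line 1 is the entry quoted in the thread (re-joined onto one
# line); lines 2-4 are constructed for this example using documentation IPs.
SAMPLE_LOG = """\
207.175.201.20 anonymous - N 2001-09-18 13:33:53 W3ReverseProxy GATEKEEPER - www - - - 70 - - TCP GET http://www/MSADC/root.exe?/c+dir - - 12202 0x0 Default rule -
192.0.2.10 anonymous - N 2001-09-18 13:33:54 W3ReverseProxy GATEKEEPER - www - - - 60 - - TCP GET http://www/scripts/CMD.EXE?/c+dir - - 12202 0x0 Default rule -
192.0.2.10 anonymous - N 2001-09-18 13:33:55 W3ReverseProxy GATEKEEPER - www - - - 65 - - TCP GET http://www/scripts/root%2eexe?/c+dir - - 12202 0x0 Default rule -
198.51.100.7 anonymous - N 2001-09-18 13:34:02 W3ReverseProxy GATEKEEPER - www - - - 15 - - TCP GET http://www/index.html - - 0 0x0 Default rule -
"""

# Assumed layout: source IP first, then a date and time, then the HTTP method
# followed by the requested URL. Other columns are skipped, not interpreted.
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s.*?"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s.*?"
    r"\s(?P<method>GET|POST|HEAD)\s+(?P<url>\S+)"
)
SHELL_NAMES = {"cmd.exe", "root.exe"}  # the two file names named in the thread

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_shell_probe(url):
    """True if the URL path, after decoding and lower-casing, ends in a shell name."""
    path = unquote(urlsplit(url).path).replace("\\", "/").lower()
    return path.rsplit("/", 1)[-1] in SHELL_NAMES

def probes_by_source(log_text):
    """Map source IP -> (hit count, first seen, last seen) for flagged requests."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_shell_probe(rec["url"]):
            seen[rec["src"]].append(f'{rec["date"]} {rec["time"]}')
    return {src: (len(ts), min(ts), max(ts)) for src, ts in seen.items()}

if __name__ == "__main__":
    for src, (n, first, last) in sorted(probes_by_source(SAMPLE_LOG).items()):
        print(f"{src}\t{n} hit(s)\t{first} .. {last}")
```

Sources that appear here can be compared against addresses seen in earlier log entries, and a run of hits inside a few seconds from one address matches the burst pattern reported in the thread.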
