[42588] in North American Network Operators' Group
Re: Worm probes
daemon@ATHENA.MIT.EDU (ravi pina)
Tue Sep 18 11:40:23 2001
Date: Tue, 18 Sep 2001 11:35:28 -0400
From: ravi pina <ravi@cow.org>
To: up@3.am
Cc: nanog@merit.edu
Message-ID: <20010918113528.V48799@happy.cow.org>
Reply-To: ravi@cow.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.BSF.4.10.10109181101540.36780-100000@richard2.pil.net>; from up@3.am on Tue, Sep 18, 2001 at 11:05:35AM -0400
Errors-To: owner-nanog-outgoing@merit.edu
indeed. scanning for strings that appear to be associated
with the Concept Virus(CV) V.5, there is a tremendous
increase in bandwidth usage. today alone i match:
/scripts: 18013
/_vti_bin: 1885
_mem_bin: 1916
/ms_adc/: 1945
/winnt/system32: 27648
bugtraq is starting to get in the preliminary reports
of this worm. beware that infected hosts' home pages
contain a javascript that sends you to a page that
attempts to send you a copy of the worm. fantastic, eh?
-r
On Tue, Sep 18, 2001 at 11:05:35AM -0400, up@3.am said at one point in time:
>
>
> ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k
> box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this
> time of day, although still well short of capacity...apache server
> processor load is WAY up just from the requests, and the logs are growing
> like mad.
>
> On Tue, 18 Sep 2001, deeann mikula wrote:
>
> >
> > On Tue, 18 Sep 2001, ravi pina wrote:
> >
> > >
> > > On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma@pair.com said at one point in time:
> > > >
> > > >
> > > > Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
> > > > probes this morning? We're seeing about 8000/second, starting around 9:15
> > > > Eastern time, to and from a wide variety of addresses.
> > >
> > > affirmative. i just looked at my logs, and it looks like
> > > each probe tries a bunch of things. i haven't seen much
> > > on the lists, but i'm looking right now.
> >
> > i'm pretty sure that the worm's attack phase starts on the 20th (which
> > of course, depends upon a correctly set system clock) and also that
> > attempting to execute something like /scripts/root.ext/c++ something
> > is involved.
> >
> > i think that cert's website would be a good place to look. i'm *not*
> > a security/virus chick, but i did host a talk by marty linder of cert
> > where he dissected code red's activity and presented a summary.
> >
> > cert is, of course, http://www.cert.org.
> >
> >
> > deeann m.m. mikula
> >
> > director of operations
> > telerama public access internet
> > http://www.telerama.com
> > 1.877.688.3200
> >
> >
> >
> >
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up@3.am http://3.am
> =========================================================================
--
echo "send pgp key" | mail ravi@cow.org ; ravi@happy:/home/ravi# rm -rf /bin/laden
"Now I don't want you to worry, class. These tests will have no effect on
your grades. They merely determine your future social status and
financial success. If any." -- Mrs. Krabappel
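A defender-side log tally of the kind ravi describes in his reply above (counting requests that contain the probe strings /scripts, /_vti_bin, /_mem_bin, /msadc and /winnt/system32), written as an added example that is not part of the original thread. The Apache combined-log format assumed by the parser, the `parse_line`/`count_probes`/`noisy_sources` helpers and the sample log lines are all constructed for this example; the addresses are documentation ranges, not real probe sources.

```python
"""Tally worm-probe requests in a web server access log.

Added example, not code from the original thread. The log format
(Apache combined), the sample lines and the helper names are assumptions.
"""
import re
from collections import Counter

# Probe substrings named in the thread. IIS paths are case-insensitive,
# so every comparison is done on a lower-cased request path.
PROBE_PATTERNS = ["/scripts", "/_vti_bin", "/_mem_bin", "/msadc", "/winnt/system32"]

# Minimal parser for Apache "combined" log lines (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not captured traffic); 192.0.2.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:15:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:15:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
192.0.2.11 - - [18/Sep/2001:09:15:03 -0400] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
198.51.100.7 - - [18/Sep/2001:09:15:04 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.12 - - [18/Sep/2001:09:15:05 -0400] "GET /_mem_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
"""


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it
    does not parse (truncated lines, other formats)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_probes(log_text):
    """Scan log text and return three things:
       per_pattern  - Counter of hits per probe string (a single request can
                      hit several strings, as in the per-string totals ravi posted)
       per_source   - Counter of probe requests per client address
       probe_lines  - number of requests that matched at least one string
    """
    per_pattern = Counter()
    per_source = Counter()
    probe_lines = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines instead of failing the whole scan
        path = rec["path"].lower()
        hit = False
        for pat in PROBE_PATTERNS:
            if pat in path:
                per_pattern[pat] += 1
                hit = True
        if hit:
            probe_lines += 1
            per_source[rec["ip"]] += 1
    return per_pattern, per_source, probe_lines


def noisy_sources(per_source, threshold):
    """Addresses that sent at least `threshold` probe requests, busiest first.
    Useful for deciding which hosts to notify or filter."""
    return sorted(
        ((ip, n) for ip, n in per_source.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    patterns, sources, total = count_probes(SAMPLE_LOG)
    for pat in PROBE_PATTERNS:
        print(f"{pat}: {patterns[pat]}")
    print(f"probe requests: {total}")
    print("sources at or above 2 probes:", noisy_sources(sources, 2))
```

Run it against a real access log by reading the file into `count_probes` instead of `SAMPLE_LOG`; the per-string totals are comparable to the ones in the reply above, and `noisy_sources` gives the list of addresses worth contacting or rate-limiting.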