Anybody hear of a new worm based on Code Red? This guy that I am talking
to seems to think so.

Dave

Forwarded message: 
> Some of this looks to be possibly a new worm that is making the rounds.  I
> will have one of my staff contact the owner of the server to see if they can
> shut this down.
> 
> On 18 Sep 2001, Dave Sherman wrote:
> 
> > Hello,
> >
> > I am not one of your customers, but I run a website, and I have noticed
> > that one of your hosts is scanning me for the Code Red 2 trojan. This is
> > rather annoying, considering how long it has been since Code Red first
> > appeared. I have included portions of my Apache logs for your
> > convenience. I am located in Minneapolis, MN (Central Standard Time).
> > You may reach me at dsherman at real-time.com
> >
> > Thank you for your prompt assistance,
> > Dave Sherman
> >
> > SNIPPET FROM ERROR LOG:
> > [Tue Sep 18 08:58:39 2001] [error] [client 208.20.99.1] File does not
> > exist: /home/httpd/html/scripts/../../winnt/system32/cmd.exe
> > [Tue Sep 18 08:58:39 2001] [error] [client 208.20.99.1] File does not
> > exist: /home/httpd/html/scripts/..Á../winnt/system32/cmd.exe
> > [Tue Sep 18 08:58:41 2001] [error] [client 208.20.99.1] File does not
> > exist: /home/httpd/html/scripts/..%5c../winnt/system32/cmd.exe
> >
> > SNIPPET FROM ACCESS LOG:
> > 208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET
> > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> > 208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET
> > /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> >

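Added example, not part of the original post or of either correspondent's tooling: a Python check that percent-decodes each request path from an Apache access log until it stops changing, then flags clients whose requests resolve to a directory traversal ending in cmd.exe. The two probe lines are the ones quoted in the post, rejoined onto one line each; the third line, the function names and the `max_rounds` limit are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Access-log lines quoted in the post above, rejoined onto one line each.
SAMPLE_LOG = [
    '208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    # Constructed benign request, added for contrast (not from the post).
    '192.0.2.10 - - [18/Sep/2001:09:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
]

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')

def fully_decode(s, max_rounds=5):
    """Percent-decode repeatedly; return (decoded string, rounds needed)."""
    for rounds in range(max_rounds):
        decoded = unquote(s, encoding='latin-1')  # latin-1: every byte maps to a char
        if decoded == s:
            return s, rounds
        s = decoded
    return s, max_rounds

def inspect_line(line):
    """Parse one common-log-format line and list the reasons it looks like a probe."""
    m = CLF.match(line)
    if not m:
        return None
    client, _, method, target, status = m.groups()
    path, _, query = target.partition('?')
    decoded, rounds = fully_decode(path)
    normalised = decoded.replace('\\', '/').lower()  # treat '\' as a path separator
    reasons = []
    if rounds > 1:
        reasons.append('multiply-encoded path')
    if TRAVERSAL.search(normalised):
        reasons.append('directory traversal')
    if normalised.endswith('/cmd.exe'):
        reasons.append('cmd.exe requested')
    return {'client': client, 'path': normalised, 'status': int(status), 'reasons': reasons}

def suspicious_clients(lines):
    """Group flagged requests by client address."""
    hits = defaultdict(list)
    for line in lines:
        r = inspect_line(line)
        if r and r['reasons']:
            hits[r['client']].append(r)
    return dict(hits)
```

Both quoted requests decode to the same path, /scripts/../../winnt/system32/cmd.exe, which is why matching on the raw request string alone would treat them as unrelated.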