We are seeing it here too. It looks like it's just looking for compromised machines...

-----Original Message-----
From: tclug-list-admin at mn-linux.org [mailto:tclug-list-admin at mn-linux.org]On Behalf Of Dave Sherman
Sent: Tuesday, September 18, 2001 9:47 AM
To: TC-LUG
Subject: [TCLUG] New Worm based on Code Red? [Fwd: Re: Code Red 2 infecting one of your systems]

Anybody hear of a new worm based on Code Red? This guy that I am talking to seems to think so.

Dave

Forwarded message:

> Some of this looks to be possibly a new worm that is making the rounds. I
> will have one of my staff contact the owner of the server to see if they can
> shut this down.
>
> On 18 Sep 2001, Dave Sherman wrote:
>
> > Hello,
> >
> > I am not one of your customers, but I run a website, and I have noticed
> > that one of your hosts is scanning me for the Code Red 2 trojan. This is
> > rather annoying, considering how long it has been since Code Red first
> > appeared. I have included portions of my Apache logs for your
> > convenience. I am located in Minneapolis, MN (Central Standard Time).
> > You may reach me at dsherman at real-time.com
> >
> > Thank you for your prompt assistance,
> > Dave Sherman
> >
> > SNIPPET FROM ERROR LOG:
> > [Tue Sep 18 08:58:39 2001] [error] [client 208.20.99.1] File does not
> > exist: /home/httpd/html/scripts/../../winnt/system32/cmd.exe
> > [Tue Sep 18 08:58:39 2001] [error] [client 208.20.99.1] File does not
> > exist: /home/httpd/html/scripts/..Á../winnt/system32/cmd.exe
> > [Tue Sep 18 08:58:41 2001] [error] [client 208.20.99.1] File does not
> > exist: /home/httpd/html/scripts/..%5c../winnt/system32/cmd.exe
> >
> > SNIPPET FROM ACCESS LOG:
> > 208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET
> > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> > 208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET
> > /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> >
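Added example, not part of the original messages: a log triage sketch that percent-decodes the request path until it stops changing, so the doubly encoded `..%25%35%63..` and `..%252f..` probes in the access log above resolve to the same traversal. The names `decode_fully`, `classify`, `MAX_ROUNDS` and `SAMPLE` are hypothetical, and the third sample line is constructed.

```python
import re
from urllib.parse import unquote

# Apache common log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)
MAX_ROUNDS = 5  # cap on decode passes so deeply nested encodings stay bounded


def decode_fully(path):
    """Percent-decode until the string stops changing; return (decoded, passes)."""
    passes = 0
    while passes < MAX_ROUNDS:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return path, passes


def classify(line):
    """Return a finding dict for a traversal probe, or None for other requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path = m.group("target").split("?", 1)[0]
    decoded, passes = decode_fully(raw_path)
    # Treat backslash as a separator, as a Windows web server would.
    if ".." not in decoded.replace("\\", "/").split("/"):
        return None
    return {
        "client": m.group("client"),
        "decoded_path": decoded,
        "double_encoded": passes > 1,  # more than one pass was needed
        "status": int(m.group("status")),
    }


# Lines 1-2: the access-log entries quoted in the message, unwrapped.
# Line 3: constructed benign request for contrast.
SAMPLE = [
    '208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '192.0.2.10 - - [18/Sep/2001:09:01:12 -0500] "GET /docs/a..b.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for finding in filter(None, map(classify, SAMPLE)):
        print(finding)
```

The 404 status on both flagged lines matches the "File does not exist" entries in the error log: the probes were answered but found nothing to run on this Apache host.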