New (More) Annoying Microsoft Worm Hits Net
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack, in only 4 minutes. Also of interest, my desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update: Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
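A defender's view of the requests quoted in the story, as an added example that is not part of the original post: it percent-decodes each request path until it stops changing, folds the invalid 0xC0/0xC1 two-byte sequences the way a lax decoder would (an assumption about the target's decoding), and counts traversal attempts per source address. The log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed access-log lines: the request paths are the ones quoted in the
# story; the addresses (RFC 5737 ranges) and timestamps are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:01 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [01/Jan/2001:10:00:02 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [01/Jan/2001:10:00:03 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [01/Jan/2001:10:00:04 +0000] "GET /docs/release%20notes.html HTTP/1.0" 200 5120',
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+)')
OVERLONG = re.compile(rb"[\xc0\xc1](.)", re.S)  # 0xC0/0xC1 never occur in valid UTF-8
TRAVERSAL = re.compile(rb"\.\.[\\/]")

def _fold(m):
    # Assumption: model a lax decoder that accepts two-byte overlong forms.
    lead, trail = m.group(0)[0], m.group(1)[0]
    return bytes([(lead & 0x1F) << 6 | (trail & 0x3F)])

def canonicalize(path, max_rounds=5):
    """Decode until stable; return (canonical bytes, rounds needed, saw_overlong)."""
    data, rounds, overlong = path.encode("utf-8"), 0, False
    while rounds < max_rounds:
        decoded = unquote_to_bytes(data)
        if OVERLONG.search(decoded):
            overlong = True
            decoded = OVERLONG.sub(_fold, decoded)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data, rounds, overlong

def classify(path):
    """Return the list of reasons a request path looks like the probes above."""
    data, rounds, overlong = canonicalize(path)
    checks = [("multi-encoded", rounds > 1), ("overlong-utf8", overlong),
              ("traversal", bool(TRAVERSAL.search(data))),
              ("cmd.exe", b"cmd.exe" in data.lower())]
    return [name for name, hit in checks if hit]

def scan(lines):
    """Count flagged traversal requests per source address."""
    hits = Counter()
    for line in lines:
        m = REQUEST.match(line)
        if m and "traversal" in classify(m.group(2)):
            hits[m.group(1)] += 1
    return hits
```

Matching on the canonical form rather than the raw string is what lets one rule cover `%%35%63`, `%255c` and `%c1%1c` alike.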
What's the problem? (Score:5, Funny)
"You have new mail, you open it. Your server begins port scanning every box on the internet. Do the servers mind? Of course not, they have nothing better to do." - New Microsoft Ad?
Re:Wrong name (Score:5, Funny)
I was surfing some porn sites this morning and they seemed horribly affected (none of the images would load and they were slow as hell).
ugh. Just when you thought it was safe to disable "assholes_log".
Re:Bleah...my firewall logs all of this... (Score:4, Funny)
Duh! Flipping back and forth between the sites, Slashdot, ssh, answering the phone and guzzling coffee, I didn't notice that IE was crashing, Norton antivirus was triggering... shit.
I'm an idiot. Okay - have I infected my machine? I'm afraid I've been automatically triggering 'readme.eml'. I'm running NT4.0 sp6.
Re:Too Slow (Score:3, Funny)
Preaching to the converted
lemme sing you a song... (Score:2, Funny)
I LOVE IIS, PUT ANOTHER WORM IN MY SERVER BABY!
Re:Bleah...my firewall logs all of this... (Score:2, Funny)
Re:Bleah...my firewall logs all of this... (Score:1, Funny)
Score: -1, Redundant
Ask them for /etc/passwd!! (Score:5, Funny)
Re:Outlook Express 6.0 can prevent spread (Score:2, Funny)
Wow... brilliant... I can just imagine Microsoft's response to the IIS vulnerabilities.
From [future edition of] MSDN:
"To secure IIS, do the following:
Go to Tools > Options > Security and check the box labeled 'Do not allow connections to this machine'."
Redirect those to Microsoft (Score:2, Funny)
rules to http://www.microsoft.com for
In itself that should be a good punition.
Daniel
Re:Time for a class action lawsuit against Microso (Score:3, Funny)
No. Users were negligent in purchasing and deploying software that was already known, ahead of time, to be defective.
Microsoft's reputation is well established. Ignorance is no excuse.
Re:Yep, we're seeing them here too. (Score:2, Funny)
but Windows do you.
347 Nimda requests recorded in access.log and counting.