New (More) Annoying Microsoft Worm Hits Net
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../
..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
If its scanning subnets, this could very well explain why I cant reach my machine at home (Roadrunner).
Its probably generation a sh*tload of traffic.
Can anyone on 24.x.x.x verify?
Here, have some goatsex to go along with those raw sockets.
"Horribly affected"? Sounds like Stileproject!
Got Rhinos?
Arse? When did you move to England (or Ireland), Rob?
The thing is, the shotgun approach *always* works when it comes to Microsoft systems. They're so swisscheesy that skr1pt k1dd13z don't even have to work to write code for them, they just shotgun it and know that they'll get into a good percentage of the ones attacked, then they rinse and repeat.
Got Rhinos?
On October 30th 1997 my best friend Rob slept over my house. The House itself was farily nice, 5 bedrooms, nice first floor and a cool loft (no basement). The Loft was where my friends and I played games (I was 10 at the time) and made forts out of bed sheets. So on the 30th (The day before our School's Secretary's funeral who died the previous week) My parents go out to Maryland to clean a house which they had just sold, my brother was at a friends and Rob and I were alone in the house. So after watching alot of movies we went up to the loft to go to sleep. At around 1:00 I went down to the first floor to get a glass of water (and some snacks) leaving Rob by himself. As he explains it we was being tapped lightly on the shoulder and his first reaction was to say " Stop it Jerk I'm trying to sleep" it repeated about 10 more times until he finally looked over and saw nothing. So he brushed it off and went back to sleep while I was downstairs (now watching a movie with the snacks I picked out). He started to hear a voice saying something like "Get out" or "Get up" and got up and looked around only to find me walking up the stairs. He told me what had happened and I was not suprised. At the Time I first moved into the house I had similar occurences in my Room. Later that year my family moved from the house and all is well.....................hopefully it will stay like this.
Microsoft has cost ISPs, businesses, and end users an incalculable amount of money and frustration and it is all due to their negligence. They were negligent when they created software and technologies that are so easily exploited. They were negligent in their testing of their products. They were negligent in not sending patch CDs through the mail to registered users. If they can send you upgrade offers via the mail, they can send you patch CDs to repair their defective products.
And before anyone starts quoting the Microsoft license, ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too. They have no license with Microsoft and they've been injured by Microsoft's negligence.
I'd like to see AOL, Earthlink, or some other big ISP take Microsoft's corporate butt to court, demanding compensatory and punitive damages for Microsoft's negligence.
i have a better solution
get 2 floppies
make freebsd kernel & mfsroot disks from www.freebsd.org
reboot your machine
install freebsd
simple, no more lame attacks from IIS machines
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
> One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.
> Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the
Ehrm, won't that take care of itself if you just leave your machine on the network for a while?
Sheesh, evil *and* a jerk. -- Jade
> It's something new attacking something old. It looks to me like its trying a few of the old IIS vulnerabilities...
Suppose someone wrote a worm that, whenever it managed to root a box, would undo the patches that finally killed off the famous worms of the past, and also remove the anti-virus software's data files.
Since many of those worms/viruses are still lurking about at the level of background noise, they would suddenly find a vastly expanded niche and start attacking machines that had formerly been off limits to them.
You could get a huge pile-up of worms and viruses all "re-released" simultaneously.
Sheesh, evil *and* a jerk. -- Jade
fdisk?
Liberty in your lifetime
well what kind of a friend to you have?
Shouldn't you be sucking Malda's cock and begging him to teach you Perl?