Yes, I am seeing it as well. I'm using tcpdump to try to track it down. So far I've been able to correlate it to just /one/ of my virtual hosts. It doesn't happen every time the worm hits me, just when a particular site I host gets hit. This virtual host has a few uncommon things about it:
1) It doesn't log IP addresses.
2) It redirects 404s.
3) It has 32 other Redirect Permanent statements.
4) Options Includes FollowSymLinks ExecCGI
Apparently it's happening when one of these two files is requested (more likely the 2nd one):
/scripts/..Á../winnt/system32/cmd.exe
/scripts/..À../winnt/system32/cmd.exe
Apache 1.2.20, PHP 4.0.6, kernel 2.4.9, mod_perl 1.26, KRUD 7.1 (RH7.1 based distro)
I have Segfaulted 300+ times today, 0 yesterday.
Ideas anyone?
I have a mirror of videos from various sources on the 'net. See:
US: media.us.ametrika.com
UK: media.uk.ametrika.com