[Snort-users] RE: New IIS Worm

sduncan at ...3495...
Tue Sep 18 11:37:01 EDT 2001

I've seen over 400 attacks from 30 IP addresses against a single IP just this
morning. Web log files show it is looking for the Code Red back doors. Snort
logs show it is using the Unicode directory traversal to look for back doors.
My web server is not vulnerable, so I don't know what the worm does after it
infects. Let's hope it doesn't perform DDoS attacks against American
infrastructure targets.

I got paranoid when I traced some IPs back to ATT India and reported my
attacks to NIPC.

Scott Duncan
Cytech Security Consulting

On 18-Sep-2001 McCammon, Keith wrote:
> Anyone know anything of a new IIS worm getting around?  I'm starting to see
> systems getting hit with bursts of around 70 attempts at a variety of
> exploits from a single attacking host.  It looks like some of the scripts
> that we've seen in the past that run the gamut of exploits on a target host,
> but this seems to be getting around pretty quick.
> The same attempts have been seen on several IP networks according to some
> newsgroups, and I've contacted two other business units on separate IP
> networks to confirm.
> I'd post the snort logs, but I don't feel like cutting and pasting from the
> individual log files that are created.  If you want them, e-mail me offline
> and I'll zip 'em up and mail them.
> Cheers
> Keith W. McCammon
> Sr. Network Engineer
> AdvanceMed Corporation
> 11710 Plaza America Drive
> Reston, VA 20190
> P - 703.261.4891 
> F - 703.261.5300

Cytech Security Consulting
Internet Security Specialists
voice: 775-751-5267
