Hello! What can I do against these worms?

[Mon Nov 25 18:18:50 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..Á^\../winnt/system32/cmd.exe
[Mon Nov 25 18:18:50 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:18:53 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:18:56 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..À¯../winnt/system32/cmd.exe
[Mon Nov 25 18:18:56 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:19:00 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..Á234../winnt/system32/cmd.exe
[Mon Nov 25 18:19:00 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:19:10 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Mon Nov 25 18:19:10 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:19:14 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..%2f../winnt/system32/cmd.exe
[Mon Nov 25 18:19:14 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Tue Nov 26 00:43:09 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/scripts/..À¯../winnt/system32/cmd.exe
[Tue Nov 26 00:43:09 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Tue Nov 26 00:43:10 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/scripts/.%2e/.%2e/winnt/system32/cmd.ex
[Tue Nov 26 00:43:10 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Tue Nov 26 06:35:51 2002] [error] [client 211.72.192.249] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c%5c../winnt/system32/cmd.
[Tue Nov 26 06:35:51 2002] [error] [client 211.72.192.249] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Tue Nov 26 07:59:16 2002] [error] [client 210.241.51.68] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Nov 27 09:36:25 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Wed Nov 27 09:36:25 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 09:36:29 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Wed Nov 27 09:36:29 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 10:00:12 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Wed Nov 27 10:00:12 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 10:00:16 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Wed Nov 27 10:00:16 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 10:00:23 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
[Wed Nov 27 10:00:23 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 10:00:27 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/d/winnt/system32/cmd.exe
[Wed Nov 27 10:00:27 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html

How can I reverse the IP to an address like whois does? What do you do against it? I am just bothered because of my mini bandwidth.

cheers, Mario
nslookup/whois the IP (www.ripe.net (Europe/Africa/Middle East), www.arin.net (Americas) or www.apnic.net (Asia Pacific); these are the big three IP address maintainers worldwide). Whois the IP address there, or nslookup the IP address, and report to its owner/provider, and so forth....

cheers, andy

----- Original Message -----
From: "Mario Ohnewald" <mario.ohnewald@gmx.de>
To: <suse-security@suse.com>
Sent: Wednesday, November 27, 2002 12:33 PM
Subject: [suse-security] IIS Worms

Hello! What can I do against these worms?

[...]

How can I reverse the IP to an address like whois does? What do you do against it? I am just bothered because of my mini bandwidth.

cheers, Mario

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
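Putting Mario's log excerpt and Andy's lookup procedure together: the script below is an added example and not code from anyone in this thread. It parses the Apache error_log lines, keeps only the worm probes (dropping the error/error.html lines Apache adds after every 404), groups them per client IP, and prepares the commands for the reverse DNS and whois lookups plus an evidence block for the abuse mail. The sample lines are a subset of the excerpt above; the signature names, the whois server hostnames (whois.ripe.net, whois.arin.net, whois.apnic.net) and the report wording are my own.

```python
#!/usr/bin/env python3
"""Triage IIS worm probes in an Apache error_log and prepare the follow-up
lookups: reverse DNS, whois at the RIR, and an evidence block for the
abuse mail. Added example; not code from anyone in this thread."""
import re
import socket
import sys
from collections import defaultdict

# Apache 1.3/2.0 error_log line: [date] [level] [client IP] message.
# Only the "File does not exist" lines carry the probed path.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>.+)$"
)

# Probe signatures (names are my own), matched against the missing path.
# cmd.exe via encoded "..", root.exe in /scripts and /MSADC, and the /c and
# /d drive mappings are the Nimda scan, which reuses the backdoor that
# Code Red II left behind; default.ida is the original Code Red request.
SIGNATURES = (
    ("cmd.exe traversal", re.compile(r"/winnt/system32/cmd\.", re.I)),
    ("root.exe backdoor probe", re.compile(r"/root\.exe$", re.I)),
    ("Code Red .ida overflow", re.compile(r"/default\.ida", re.I)),
)

# After each 404 Apache also reports the missing ErrorDocument; that line
# is a consequence of the probe, not a probe, so it is dropped.
NOISE_RE = re.compile(r"/error/error\.html$")


def classify(path):
    """Signature name for a probed path, or None if it is not a worm probe."""
    if NOISE_RE.search(path):
        return None
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def parse_probes(lines):
    """Group worm probes per client IP: {ip: [(timestamp, signature, path), ...]}."""
    probes = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        sig = classify(m.group("path"))
        if sig is not None:
            probes[m.group("ip")].append((m.group("ts"), sig, m.group("path")))
    return dict(probes)


def lookup_commands(ip):
    """Andy's procedure as shell commands: reverse DNS, then whois at the RIR."""
    return [
        f"host {ip}",                        # PTR record (nslookup works too)
        f"whois {ip}",                       # whois(1) follows RIR referrals...
        f"whois -h whois.ripe.net {ip}",     # ...or ask RIPE (Europe/Africa/Middle East),
        f"whois -h whois.arin.net {ip}",     # ARIN (Americas) or
        f"whois -h whois.apnic.net {ip}",    # APNIC (Asia-Pacific) directly
    ]


def reverse_dns(ip):
    """PTR lookup; needs the network, so the offline report never calls it."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def abuse_report(ip, events):
    """Evidence block to paste into the mail to the netblock's abuse contact."""
    kinds = ", ".join(sorted({sig for _, sig, _ in events}))
    lines = [f"Host {ip} sent {len(events)} IIS worm probe(s) to our Apache "
             f"server ({kinds}); timestamps are server local time."]
    lines += [f"  {ts}  {path}" for ts, _, path in events]
    return "\n".join(lines)


# Constructed sample: a subset of the lines from the log excerpt above.
SAMPLE_LOG = """\
[Mon Nov 25 18:19:10 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Mon Nov 25 18:19:10 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:19:14 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..%2f../winnt/system32/cmd.exe
[Tue Nov 26 00:43:10 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/scripts/.%2e/.%2e/winnt/system32/cmd.ex
[Tue Nov 26 07:59:16 2002] [error] [client 210.241.51.68] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Nov 27 09:36:25 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Wed Nov 27 09:36:29 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Wed Nov 27 10:00:23 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
""".splitlines()

if __name__ == "__main__":
    # Usage: python3 triage.py < /var/log/httpd/error_log (no input: run on the sample).
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, events in sorted(parse_probes(source).items()):
        print(abuse_report(ip, events))
        print("  lookups:", *lookup_commands(ip), sep="\n    ")
        print()
```

Feed the real error_log on stdin; with no input it runs on the embedded sample. The PTR name from reverse_dns is only a hint (it needs the network, so the offline report does not call it); the abuse contact in the whois record of the netblock is where the report actually goes.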
hehe.. good luck dealing with ISPs on this...

http://freebsdmatrix.net/iisworm/

A fun little script that'll automatically send out emails to parent netblock owners... Might be easier than doing all the work manually ;)

On Wednesday 27 November 2002 11:41, Andreas Bittner wrote:

nslookup/whois the IP (www.ripe.net (Europe/Africa/Middle East), www.arin.net (Americas) or www.apnic.net (Asia Pacific); these are the big three IP address maintainers worldwide). Whois the IP address there, or nslookup the IP address, and report to its owner/provider, and so forth....

cheers, andy

----- Original Message -----
From: "Mario Ohnewald" <mario.ohnewald@gmx.de>
To: <suse-security@suse.com>
Sent: Wednesday, November 27, 2002 12:33 PM
Subject: [suse-security] IIS Worms

Hello! What can I do against these worms?

[...]

How can I reverse the IP to an address like whois does? What do you do against it? I am just bothered because of my mini bandwidth.

cheers, Mario
-- "They that give up essential liberty to obtain a little temporary safety... deserve neither safety nor liberty." - Benjamin Franklin(1759)
On Wed, 27 Nov 2002, Mario Ohnewald wrote:
Hello! What can I do against these worms?
[Mon Nov 25 18:18:50 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..Á^\../winnt/system32/cmd.exe [...] [Wed Nov 27 09:36:25 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
How can I reverse the IP to an address like whois does? What do you do against it? I am just bothered because of my mini bandwidth.
# ip_waneth: the public IP of the web server (set it to your own address)
ip_waneth="your ip of the web server"

# The string match has to see the HTTP request, i.e. every packet of the
# connection. The nat table is only consulted for the first packet of a
# connection (the SYN, which carries no request), so these rules live in
# the mangle table instead. Current kernels also require --algo.
iptables -t mangle -A PREROUTING -p tcp -s 0/0 -d "$ip_waneth" \
    --dport 80 -m string --algo bm --string "/cmd.exe?" -j LOG --log-prefix CODE-RED
iptables -t mangle -A PREROUTING -p tcp -s 0/0 -d "$ip_waneth" \
    --dport 80 -m string --algo bm --string "/cmd.exe?" -j DROP
iptables -t mangle -A PREROUTING -p tcp -s 0/0 -d "$ip_waneth" \
    --dport 80 -m string --algo bm --string "/root.exe?" -j LOG --log-prefix CODE-RED
iptables -t mangle -A PREROUTING -p tcp -s 0/0 -d "$ip_waneth" \
    --dport 80 -m string --algo bm --string "/root.exe?" -j DROP
iptables -t mangle -A PREROUTING -p tcp -s 0/0 -d "$ip_waneth" \
    --dport 80 -m string --algo bm --string "/default.ida?" -j DROP

# my firewall does not log it, I'm not interested in such trash :-))
# to reverse the IP, use nslookup, but keep in mind that this might not
# be useful, for a lot of reasons ...

Achim
participants (4)
- Achim Hoffmann
- Andreas Bittner
- Marcel Erkens
- Mario Ohnewald