Hi,

To me this looks like some kind of Nimda or Code Red. You can filter this using iptables string match.

Philipp
-----Original Message----- From: Marcel Erkens [mailto:merkens@safenebraska.org] Sent: Wednesday, November 27, 2002 9:30 AM To: suse-security@suse.com Subject: Re: [suse-security] IIS Worms
Hehe... good luck dealing with ISPs on this...
http://freebsdmatrix.net/iisworm/
A fun little script that'll automatically send out emails to parent netblock owners...
Might be easier than doing all the work manually ;)
On Wednesday 27 November 2002 11:41, Andreas Bittner wrote:
nslookup/whois the IP (www.ripe.net for Europe/Africa/Middle East, www.arin.net for the Americas, or www.apnic.net for Asia-Pacific); these are the big three IP address maintainers worldwide. whois the IP address there, or nslookup the IP address, and report to its owner/provider, and so forth....
cheers, andy
----- Original Message ----- From: "Mario Ohnewald" <mario.ohnewald@gmx.de> To: <suse-security@suse.com> Sent: Wednesday, November 27, 2002 12:33 PM Subject: [suse-security] IIS Worms
Hello! What can I do against these worms?
[Mon Nov 25 18:18:50 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..Á^\../winnt/system32/cmd.exe
[Mon Nov 25 18:18:50 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:18:53 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:18:56 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..À¯../winnt/system32/cmd.exe
[Mon Nov 25 18:18:56 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:19:00 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..Á234../winnt/system32/cmd.exe
[Mon Nov 25 18:19:00 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:19:10 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Mon Nov 25 18:19:10 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Mon Nov 25 18:19:14 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..%2f../winnt/system32/cmd.exe
[Mon Nov 25 18:19:14 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Tue Nov 26 00:43:09 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/scripts/..À¯../winnt/system32/cmd.exe
[Tue Nov 26 00:43:09 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Tue Nov 26 00:43:10 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/scripts/.%2e/.%2e/winnt/system32/cmd.ex
[Tue Nov 26 00:43:10 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Tue Nov 26 06:35:51 2002] [error] [client 211.72.192.249] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c%5c../winnt/system32/cmd.
[Tue Nov 26 06:35:51 2002] [error] [client 211.72.192.249] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Tue Nov 26 07:59:16 2002] [error] [client 210.241.51.68] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Nov 27 09:36:25 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Wed Nov 27 09:36:25 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 09:36:29 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Wed Nov 27 09:36:29 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 10:00:12 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Wed Nov 27 10:00:12 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 10:00:16 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Wed Nov 27 10:00:16 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 10:00:23 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
[Wed Nov 27 10:00:23 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Wed Nov 27 10:00:27 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/d/winnt/system32/cmd.exe
[Wed Nov 27 10:00:27 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/error/error.html
How can I reverse the IP to an address like whois does? What do you do against it? I am just bothered because of my mini bandwidth.
cheers, Mario
-- "They that give up essential liberty to obtain a little temporary safety... deserve neither safety nor liberty." - Benjamin Franklin (1759)
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Hi
To me this looks like some kind of Nimda or Code Red. You can filter this using iptables string match.
This can be done, but you will also be placing reasonable overhead on your system. There are plug-ins for Apache that allow you to log these separately. The best one I've seen, and unfortunately I no longer have the link, used the hole created by Nimda to place a courtesy file in an autoexec startup script. Something to the tune of 'fix your damn computer, nimrod'. I have also seen others that e-mailed the ISP's admin. In my experience, though, I never get a response. Placing a courtesy note in an autoexec file does work. Once I actually had a guy leave a response on his drive asking me how to fix it.
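As an added example (not code from the thread or from any of the Apache plug-ins mentioned), the Python script below does offline what the separate-logging idea above aims at: it parses error_log lines of the kind Mario posted, flags the cmd.exe traversal and root.exe backdoor probes, and tallies them per client IP so that one abuse report per source can be written from the result. The regex, the signature names and the benign 192.0.2.10 line are my own assumptions and constructions; the other sample lines are copied from the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache 1.3-style error_log entry, as quoted in Mario's mail (assumed format).
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

def classify(path):
    """Return a signature name for a worm-style probe path, or None."""
    # One round of %xx decoding, which is what the probe expects IIS to do:
    # "..%5c.." becomes "..\..", ".%2e" becomes "..".
    p = unquote(path).lower()
    if "/root.exe" in p:            # /scripts/root.exe, /MSADC/root.exe
        return "rootexe-backdoor"
    if "/winnt/system32/cmd" in p:  # cmd.exe via a traversal out of /scripts, /c/, /d/
        return "cmdexe-traversal"   # prefix match also catches the truncated "cmd.ex" lines
    return None                     # e.g. Apache's own ErrorDocument lookup /error/error.html

def scan(lines):
    """Map client IP -> Counter of probe signatures; IPs without hits are omitted."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue                # other error_log messages, e.g. the RFC2616 hostname notice
        sig = classify(m.group("path"))
        if sig:
            hits.setdefault(m.group("ip"), Counter())[sig] += 1
    return hits

def report(lines):
    """One line per offending client, sorted, ready to paste into an abuse mail."""
    return [f"{ip}: " + ", ".join(f"{n}x {sig}" for sig, n in sorted(c.items()))
            for ip, c in sorted(scan(lines).items())]

# Sample input: lines from the thread plus one constructed benign entry (192.0.2.10).
SAMPLE = """\
[Mon Nov 25 18:19:10 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Mon Nov 25 18:19:10 2002] [error] [client 80.145.88.201] File does not exist: /usr/local/httpd/htdocs/error/error.html
[Tue Nov 26 00:43:10 2002] [error] [client 80.133.121.24] File does not exist: /usr/local/httpd/htdocs/scripts/.%2e/.%2e/winnt/system32/cmd.ex
[Tue Nov 26 07:59:16 2002] [error] [client 210.241.51.68] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed Nov 27 09:36:25 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/scripts/root.exe
[Wed Nov 27 09:36:29 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/MSADC/root.exe
[Wed Nov 27 10:00:23 2002] [error] [client 80.145.87.190] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
[Wed Nov 27 10:00:30 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/httpd/htdocs/favicon.ico
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE.splitlines())))
```

Point it at the live file with `report(open("/var/log/httpd/error_log"))` and hand each resulting line, together with the matching raw log entries, to the owner that whois returns for that IP.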