
Re: am i being wormed? aaugh!



No, you may not panic.  It's an IIS exploit.  Code Red to be precise.

On Sat, 4 Aug 2001, will trillich wrote:

>i get this http request a couple of times every hour via my own
>home-grown DBIlog.pm (mod-perl/apache) httpd logger:
>
>at       | 2001-07-19 10:19:18-05
>client   | 216.82.8.136
>method   | GET
>server   | www.serensoft.com
>url      |
>/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3
>	[and that's truncated!]
>who      |
>referer  | ?
>browser  | ?
>status   | 404
>bytes    | 1686
>wall     | 1
>cpuuser  | 0
>cpusys   | 0
>cpucuser | 0.47
>cpucsys  | 0.02
>
>> select at,client from hits where url like '%NNNNNNNN%';
>           at           |     client
>------------------------+-----------------
> 2001-07-19 10:19:18-05 | 216.82.8.136
> 2001-07-19 11:08:14-05 | 206.135.192.133
> 2001-07-19 12:02:27-05 | 202.142.100.64
> 2001-07-19 12:10:14-05 | 203.231.125.121
> 2001-07-19 12:13:29-05 | 169.237.108.208
> 2001-07-19 13:26:02-05 | 203.193.49.130
> 2001-07-19 13:50:50-05 | 158.103.185.221
> 2001-07-19 14:03:21-05 | 213.201.12.36
> 2001-07-19 14:14:51-05 | 211.254.187.41
> 2001-07-19 15:19:28-05 | 24.166.65.184
> 2001-07-19 15:42:57-05 | 202.232.40.70
> 2001-07-19 15:50:15-05 | 216.76.214.121
> 2001-07-19 16:01:38-05 | 209.222.212.42
> 2001-07-19 16:45:44-05 | 194.125.139.18
> 2001-07-19 16:47:23-05 | 141.154.114.178
> 2001-07-19 17:09:30-05 | 216.32.193.157
> 2001-07-19 17:27:37-05 | 65.193.43.221
> 2001-07-19 17:52:35-05 | 195.221.249.5
> 2001-08-01 08:40:31-05 | 211.21.58.10
> 2001-08-01 10:01:30-05 | 208.178.183.141
> 2001-08-01 11:31:49-05 | 66.68.109.22
> 2001-08-01 12:31:11-05 | 66.43.172.146
> 2001-08-01 12:44:27-05 | 209.104.64.140
> 2001-08-01 13:16:47-05 | 64.120.74.50
> 2001-08-02 03:46:11-05 | 203.49.23.2
> 2001-08-02 04:35:34-05 | 210.109.151.207
> 2001-08-02 05:23:56-05 | 210.164.65.122
> 2001-08-02 07:08:54-05 | 61.155.127.195
> 2001-08-02 07:14:42-05 | 134.28.70.208
> 2001-08-02 07:24:48-05 | 207.31.238.50
> 2001-08-02 07:47:30-05 | 211.135.200.187
> 2001-08-02 08:28:11-05 | 63.225.201.1
> 2001-08-02 09:33:17-05 | 210.83.155.248
> 2001-08-02 09:52:20-05 | 212.217.71.165
> 2001-08-02 12:16:00-05 | 61.144.182.73
> 2001-08-02 12:25:21-05 | 211.172.180.195
> 2001-08-02 13:06:59-05 | 209.210.64.76
> 2001-08-02 14:35:14-05 | 203.232.107.127
> 2001-08-02 16:37:43-05 | 24.9.187.96
> 2001-08-02 19:06:12-05 | 217.96.22.20
> 2001-08-02 20:12:17-05 | 148.208.155.14
> 2001-08-02 21:05:09-05 | 24.147.112.62
> 2001-08-02 23:11:56-05 | 211.47.137.110
> 2001-08-02 23:27:56-05 | 61.141.218.15
> 2001-08-03 00:10:09-05 | 217.109.194.178
> 2001-08-03 00:31:03-05 | 200.11.199.228
> 2001-08-03 00:38:22-05 | 207.86.78.211
> 2001-08-03 01:46:33-05 | 213.120.117.180
> 2001-08-03 03:31:45-05 | 203.251.198.98
> 2001-08-03 03:34:30-05 | 24.182.254.161
> 2001-08-03 03:51:04-05 | 209.15.189.33
> 2001-08-03 04:53:51-05 | 209.235.17.88
> 2001-08-03 05:41:50-05 | 212.150.116.13
> 2001-08-03 06:13:29-05 | 128.103.187.106
> 2001-08-03 07:11:39-05 | 24.229.76.131
> 2001-08-03 08:04:41-05 | 24.3.237.233
> 2001-08-03 08:07:00-05 | 210.148.224.4
> 2001-08-03 08:52:11-05 | 211.18.254.226
> 2001-08-03 10:08:10-05 | 211.75.138.244
> 2001-08-03 11:04:40-05 | 198.174.90.131
> 2001-08-03 12:31:41-05 | 211.189.140.229
> 2001-08-03 12:38:40-05 | 24.7.114.249
>(62 rows)
>
>worse, when i turned on normal text-format logging, i saw this:
>www.worm.com Accept: */* 64.130.248.101 - - [03/Aug/2001:16:11:29 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 1622 "-" "-"
>www.worm.com Accept: */* 194.78.202.75 - - [03/Aug/2001:16:12:38 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 1622 "-" "-"
>
>this is with a custom log format of
>LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" virtual
>
>so i'm getting "Host: www.worm.com" as an incoming header (which,
>trust me, is NOT a domain pointing to my server).
>
>comments? can i panic now?
>
>

-- 
EMACS == Eight Megabytes And Constantly Swapping

Who is John Galt?  galt@inconnu.isu.edu, that's who!
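Added example, not code from the list post or from anyone on this thread: a small Python checker for the custom LogFormat quoted above (`%{Host}i %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"`). It parses each line, flags the Code Red probe by its request-line shape (`/default.ida?` plus a long run of filler bytes and `%u` escapes), tallies probes per source address (the same view as the `select at,client ... like '%NNNNNNNN%'` query in the post), and counts requests whose Host header names a site the server does not serve, which is the `www.worm.com` oddity the poster noticed. The sample log lines are constructed with documentation-range addresses (192.0.2.x); `www.serensoft.com` is the name from the post. The regex structure, the `X` filler variant (Code Red II) and the served-hosts set are assumptions beyond what the thread itself shows.

```python
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional

# Pattern for the custom Apache LogFormat quoted on the list (assumption: this
# regex is the editor's, not the poster's DBIlog.pm). The Host field comes
# first and is NOT quoted, so it may contain spaces: the worm sends a folded
# "HOST:www.worm.com\n Accept: */*" header and Apache logs the continuation as
# part of the Host value. A non-greedy host group followed by the fixed
# "%h %l %u %t" shape keeps the parse correct anyway.
LOG_RE = re.compile(
    r'^(?P<host>.*?) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Request-line signature: GET /default.ida? then a long run of one filler byte
# and %uXXXX escapes. The post's samples use 'N'; 'X' (Code Red II) is an
# addition beyond the page.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?(?:N{100,}|X{100,})%u[0-9a-fA-F]{4}')


class Hit(NamedTuple):
    time: str
    client: str
    host: str
    request: str
    status: int
    bytes: Optional[int]


def parse_line(line: str) -> Optional[Hit]:
    """Parse one log line in the custom format; None if it does not fit."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    b = m.group('bytes')
    return Hit(m.group('time'), m.group('client'), m.group('host'),
               m.group('request'), int(m.group('status')),
               None if b == '-' else int(b))


def is_code_red(hit: Hit) -> bool:
    return CODE_RED_RE.match(hit.request) is not None


def foreign_host_header(hit: Hit, served_hosts: Iterable[str]) -> bool:
    """True when the Host header names something this server does not serve.
    Only the first token is compared, because Apache appends the folded
    continuation line (" Accept: */*") to the logged value."""
    tokens = hit.host.split()
    name = tokens[0].lower() if tokens else ''
    return name not in {h.lower() for h in served_hosts}


def summarize(lines: Iterable[str], served_hosts: Iterable[str]) -> Dict[str, object]:
    """Count Code Red probes per source and Host headers that point elsewhere."""
    served = {h.lower() for h in served_hosts}
    per_client: Counter = Counter()
    foreign = unparsed = 0
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            unparsed += 1
            continue
        if is_code_red(hit):
            per_client[hit.client] += 1
            if foreign_host_header(hit, served):
                foreign += 1
    return {'code_red_hits': sum(per_client.values()), 'sources': per_client,
            'foreign_host': foreign, 'unparsed': unparsed}


# Constructed sample input: 192.0.2.x are documentation addresses, the
# request tail is the escape sequence quoted in the post.
FILLER = 'N' * 224
TAIL = ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3'
        '%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')
SAMPLE_LOG = [
    f'www.worm.com Accept: */* 192.0.2.10 - - [03/Aug/2001:16:11:29 -0500] '
    f'"GET /default.ida?{FILLER}{TAIL} HTTP/1.0" 200 1622 "-" "-"',
    f'www.worm.com Accept: */* 192.0.2.11 - - [03/Aug/2001:16:12:38 -0500] '
    f'"GET /default.ida?{FILLER}{TAIL} HTTP/1.0" 404 1686 "-" "-"',
    f'www.worm.com Accept: */* 192.0.2.10 - - [03/Aug/2001:17:02:01 -0500] '
    f'"GET /default.ida?{FILLER}{TAIL} HTTP/1.0" 200 1622 "-" "-"',
    'www.serensoft.com 192.0.2.50 - - [03/Aug/2001:16:20:00 -0500] '
    '"GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    report = summarize(SAMPLE_LOG, {'www.serensoft.com'})
    print(f"Code Red probes: {report['code_red_hits']} "
          f"(foreign Host header on {report['foreign_host']}, "
          f"{report['unparsed']} unparsed line(s))")
    for client, n in report['sources'].most_common():
        print(f'  {client:16} {n}')
```

The status column is worth reading the way the reply does: whether Apache answers 404 or 200 only reflects how the site handles an unknown path, since the payload only means something to an unpatched IIS with the Index Server `.ida` ISAPI extension. On a non-IIS server the useful output of a script like this is the per-source tally, not the status codes.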
