[thelist] another worm?

Norman Bunn norman.bunn at mindspring.com
Tue Sep 18 12:56:57 CDT 2001


One of my sites is being hammered with something trying to execute
Windows-type programs via the browser.  Since I capture 404s, I am seeing
all this activity.  Fortunately, this machine is running Linux, not Windows.
The attack is coming from multiple domains and is trying what appear to be
common directories for the Windows executables.

Strings I am seeing are:

/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe

/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

/d/winnt/system32/cmd.exe

/c/winnt/system32/cmd.exe

It looks like someone is trying to exploit the IIS Remote Execution
Vulnerability or something similar.
http://www.securiteam.com/exploits/6F00M2000A.html

Anyone else seeing this?

Norman

> ok, a few of our clients were hit this morning by something that
> tries to get your browser (on windows) to download a .eml file
> which it would then launch via an .exe...
>
> i can't get to any virus sites, since all web traffic coming and going
> is pretty hosed right now...
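
One way to tally probes like the ones quoted in this message per source address, as an added example that is not part of the original post. It assumes the web server writes Common Log Format; the function names are hypothetical, and the sample lines are constructed around the paths quoted above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Common Log Format. The paths are the ones quoted in
# the post; addresses (RFC 5737 documentation ranges), times and sizes are made up.
SAMPLE_LOG = '''\
192.0.2.10 - - [18/Sep/2001:12:40:01 -0500] "GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 290
198.51.100.7 - - [18/Sep/2001:12:40:03 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 290
198.51.100.7 - - [18/Sep/2001:12:40:04 -0500] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 290
203.0.113.5 - - [18/Sep/2001:12:41:10 -0500] "GET /images/logo-old.gif HTTP/1.0" 404 285
203.0.113.5 - - [18/Sep/2001:12:41:12 -0500] "GET /index.html HTTP/1.0" 200 5120
'''

# host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(target):
    """Return the reasons a request target looks like one of these probes."""
    path = target.split("?", 1)[0]
    # Decode %xx once and treat "\" as "/", the way a Windows server would,
    # so "..%5c.." is seen as the directory traversal it is meant to be.
    decoded = unquote(path, errors="replace").replace("\\", "/").lower()
    segments = decoded.split("/")
    reasons = set()
    if ".." in segments:
        reasons.add("traversal")
    if segments[-1] == "cmd.exe":
        reasons.add("cmd.exe")
    return reasons

def summarize(log_text):
    """Map each source host to the (status, target) pairs flagged by classify()."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m and classify(m["target"]):
            hits[m["host"]].append((m["status"], m["target"]))
    return dict(hits)

if __name__ == "__main__":
    for host, probes in summarize(SAMPLE_LOG).items():
        print(host, len(probes), "probe(s)")
        for status, target in probes:
            print("   ", status, target)
```

On a host that is not running IIS every flagged request should show status 404; any other status on a flagged line is worth a closer look.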







