Gossamer Forum
New Virus?
Looks like there may be a new virus about. I keep seeing this in my logs:

213.206.5.65 - - [13/Sep/2001:16:53:16 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
213.206.5.65 - - [13/Sep/2001:16:53:16 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
213.206.5.65 - - [13/Sep/2001:16:53:17 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
213.206.5.65 - - [13/Sep/2001:16:53:18 +0100] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
213.206.5.65 - - [13/Sep/2001:16:53:18 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
213.206.5.65 - - [13/Sep/2001:16:53:18 +0100] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
213.206.5.65 - - [13/Sep/2001:16:53:18 +0100] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
213.206.5.65 - - [13/Sep/2001:16:53:18 +0100] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331
213.206.5.65 - - [13/Sep/2001:16:53:18 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
213.206.5.65 - - [13/Sep/2001:16:53:20 +0100] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
213.206.5.65 - - [13/Sep/2001:16:53:20 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
213.206.5.65 - - [13/Sep/2001:16:53:20 +0100] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
213.206.5.65 - - [13/Sep/2001:16:53:20 +0100] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
213.206.5.65 - - [13/Sep/2001:16:53:20 +0100] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 281
213.206.5.65 - - [13/Sep/2001:16:53:20 +0100] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
213.206.5.65 - - [13/Sep/2001:16:53:22 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
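An added example, not something posted in the thread: a small Python scanner that picks the worm probes above out of an Apache access log, decodes the double-encoded traversal paths, and counts hits per source address and per signature. The sample log lines inside it are constructed to mirror the ones quoted above.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Constructed sample lines (Apache common log format) modelled on the probes quoted
# above; source IPs are from the 198.51.100.0/24 documentation range.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Sep/2001:16:53:16 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [13/Sep/2001:16:53:18 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298
198.51.100.7 - - [13/Sep/2001:16:53:20 +0100] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
198.51.100.9 - - [20/Sep/2001:11:02:05 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 290
198.51.100.12 - - [20/Sep/2001:11:02:09 +0100] "GET /index.html HTTP/1.0" 200 1043
"""

# ip ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings that identify the worm traffic discussed in the thread (matched
# against the decoded, lower-cased request path), each with a readable label.
SIGNATURES = {
    "root.exe": "Nimda: root.exe backdoor left behind by Code Red II",
    "cmd.exe": "Nimda: IIS directory traversal to cmd.exe",
    "default.ida": "Code Red: .ida ISAPI overflow probe",
}

def decode_path(path):
    """URL-decode twice so double-encoded traversal (%255c -> %5c -> \\) collapses."""
    return unquote(unquote(path))

def classify(line):
    """Return (ip, label) for a worm probe line, or None for ordinary traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("path")).lower()
    for needle, label in SIGNATURES.items():
        if needle in path:
            return m.group("ip"), label
    return None

def summarise(log_text):
    """Count probes per source IP and per signature; other lines are ignored."""
    by_ip, by_label = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            by_ip[hit[0]] += 1
            by_label[hit[1]] += 1
    return by_ip, by_label
```

A 404 or 400 in the status column, as in the log quoted above, means the server rejected the probe; only an unpatched IIS host would answer it with a 200.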
Re: [RedRum] New Virus?
Yup, think that is one we have got on our school network. We had to cut it off from emails, internet etc for fear of spreading it further. Not sure, but I think it is just a NT server thing, so your Cobalt should be ok.

Andy

Re: [AndyNewby] New Virus?
It affects, Win9x/NT/IIS

I can't believe with all the virus warnings, the software, the documentation etc....that people are still stupid enough to open something like readme.exe

Apparently it is linked to the terrorist attacks.


Last edited by RedRum: Sep 20, 2001, 10:51 AM
Re: [RedRum] New Virus?
>>
NIMDA VIRUS SPREADS IN ASIA

THE Nimda computer virus is attacking computers across Asia.

Experts report that it is clogging traffic, particularly disrupting access to US-based websites.

Nimda is more dangerous than many recent viruses because it possesses multiple mechanisms to facilitate its spread.

It can be caught by surfing infected sites or via a self-executing email attachment titled 'ReadMe.exe'.

The virus also exploits a known vulnerability in server software to infect business systems.

The effectiveness of Nimda was first detected in the US, prompting an instant investigation by the FBI and a statement from Attorney General John Ashcroft.

On Wednesday, the Australian government's computer networks were affected, causing Parliament House to shut down its website and stopping internal email for hundreds of staff.

According to antivirus experts Trend Micro, Japanese victims have included Yamanashi Gakuin University, video game makers Konami, the Kyodo News agency and the Chunichi newspaper.

Trend Micro's director of education David Perry explains the threat should have peaked now that computer users around the world have been alerted to its properties.

<<
Re: [RedRum] New Virus?
Nimda has been attacking my servers since yesterday, with a couple of requests per second. I'm on Linux, so there's no danger, but it causes a horrible slowdown in server performance.

Last edited by thomas1: Sep 20, 2001, 11:20 AM
Re: [thomas1] New Virus?
I'm on Win98 :(

Well, my "testing" server is. My real one is Linux, so we are OK there, but it is really annoying.

I'm still getting /default.ida?xxxxxxxxxxxxx in my logs.

Last edited by RedRum: Sep 20, 2001, 11:35 AM
Re: [RedRum] New Virus?
They say the worm attacks "16 known vulnerabilities" of W2K and NT. Well, if these are already known why the heck isn't M$ doing something about it??
Re: [RedRum] New Virus?
Did anyone read that it attaches itself to servers and will download in the browser of people on that server? So even though this wouldn't happen, if Gossamer had it, it would download in our browsers. It's crazy.
RedRum, I read somewhere that it was not determined if it was linked to the terrorist attacks, but it is linked to Code Red since they looked at the source code and saw the same structure and the same attacks on IIS holes. But it actually has its own little email server also. That's good programming even though it sucks.
Lavon Russell
LookHard Mods
lavon@lh.links247.net
Re: [to-ma-su] New Virus?
Tiramisu (or whatever your name is now),

Good point.
Re: [Bmxer] New Virus?
Quote:
Did anyone read that it attaches itself to servers and will download in the browser of people on that server? So even though this wouldn't happen, if Gossamer had it, it would download in our browsers. It's crazy.

Yep:
Quote:
It can be caught by surfing infected sites or via a self-executing email attachment titled 'ReadMe.exe'.

Quote:
RedRum, I read somewhere that it was not determined if it was linked to the terrorist attacks,

It's me...Paul :)
Re: [RedRum] New Virus?
Oh, I didn't read that you already made the point about the self-executing, but I knew it was you, Paul, because of your sig.
Lavon Russell

Last edited by Bmxer: Sep 20, 2001, 11:52 AM
Re: [Bmxer] New Virus?
When you addressed me as RedRum I thought you thought I was someone else :)
Re: [RedRum] New Virus?
Paul, as a matter of fact I do love Tiramisu.

Here's what my hosting company sent out yesterday:

http://www.japanref.com/cert_advisory.txt
Re: [to-ma-su] New Virus?
I'm getting hit at 1/3 secs. It got so bad that I turned on my internal firewall finally! I'm on a MAC !!!
My friend went to the dark side and now his W2000 is infected, and he doesn't even open those stupid readme.exe files.

2 questions:
Is G-Forum still slow for you other folks? I'm crawling.
On a *nix machine can you redirect such type of requests to another site ... i.e. M$ or a porno site that has persistent pop windows, without your own IP being the offending referring agent?

openoffice + gimp + sketch ...
Re: [QooQ] New Virus?
Quote:
Is G-Forum still slow for you other folks? I'm crawling

It's pretty quick for me now. Under 5 seconds per page - normally 2-3

Last edited by RedRum: Sep 20, 2001, 3:08 PM
Re: [QooQ] New Virus?
Hi,

Gossamer should be back to full capacity right now. We replaced a hard drive, and everything seems to be going well. Let me know how you find it.

As for the redirect, you can use mod_rewrite to rewrite any request containing root.exe or default.ida to another site. Here's a sample:

Code:
# trap CodeRed and send them away!
<Location /default.ida>
RewriteEngine On
RewriteRule /default.ida http://www.microsoft.com/ [L]
</Location>
# trap exploits of code-red compromized systems.
<Files "*.exe">
RewriteEngine On
RewriteRule . http://www.microsoft.com/ [L]
</Files>
You may need to tweak the .exe if you actually have .exe files on your site. =)

Cheers,

Alex
--
Gossamer Threads Inc.

Last edited by Alex: Sep 21, 2001, 1:15 AM
Re: [Alex] New Virus?
ummm ... does this go into http.conf ?

I also assume I need mod_rewrite.

Last check, my IP number won't show up at M$ will it ?

-------------------------------------

Thanks Alex, I'm coming in from Japan and from what I read on the net, Asia going towards the States is really affected ...

-------------------------------------

Hopefully, once I figure this out ... where to put it and all. I'll be able to smile while I'm waiting each time for GT page to open!

Re: [QooQ] New Virus?
http://www.cert.org/...ries/CA-2001-26.html

Wil
Re: [QooQ] New Virus?
Quote:
ummm ... does this go into http.conf ?

Yes or access.conf....
Re: [RedRum] New Virus?
Thanks Paul!

Hmmm ... anybody doing this yet? Still a little worried about covering my IP from detection. ...

I really don't want to target M$, but being as big as they are, their servers can deal with it instead of my simple dev box.
Re: [QooQ] New Virus?
If you are worried about your IP, just point the requests to some crappy site that is likely to have no logs or point them to a nameserver or something ......

Last edited by RedRum: Sep 21, 2001, 5:37 AM
Re: [RedRum] New Virus?
Funny bad story. One worker in my office doesn't have an @ourcompany.com address and he checks his other email. Well, he got the virus in that email and it spread to every PC computer in our offices. The webserver got 400-some-odd page requests, and somehow it traveled over the network to our other offices 2 blocks down, which only has an internet access so we can talk to it. I am not known as the PC guy, thank god, so I didn't have to do anything about it.
Re: [poil11] New Virus?
Yikes! Just goes to show how careful you should be. I hope you had everything backed up. Best of luck.

Wil