Code Red III

[fiznutz]

any one seen this,The logs are going crazy its supposedly called Nimda makes Code Red look like the folks on the retirement home ive gotten like 5 hits a min in contrast to Code Reds 68 per day this is for sure going to screw up M$ servers.
Ive tried with no succes to modify,was it whitesaints scripts to count this new bastard.But my unix skills are limited.
Check your logs its crazy!

[offets]

What's the message in the log?

[Red Phoenix]

I get the same thing. It's full of things like

GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307

Fortunately, the latest BetterConsole has transparency and doesn't pop up all the way to the front when this happens.

[kegger64]

Go to:

http://www.cert.org/current/current_...ty.html#port80

for details...

[Red Phoenix]

I also found something at Norton's website. The interesting thing is they don't say that Norton Antivirus for the PC can even detect it. I guess it's too early for that.

[kegger64]

http://www.cert.org/body/advisories/..._FA200126.html

(Looks like it'll be a bad week for Windoze)

[fiznutz]

im sorry in the rush i said whitesaints scripts!
but i reallly meant davidbrit2 scripts!

[Darkshadow]

That <b>GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307</b> is actually the backdoor hack that Code Red II implements ... this thing tries 16 different ways to infect a server, the backdoor Code Red II made being one of 'em. Freakin annoying, I've already gotten over 100 hits from this in the past hour and a half! And I'm only on a dialup connection. I'd hate to have an all-the-time connection, your log would get to monstrous proportions (Let me gloat, it's not like I usually get to say "Yeah, my 56K modem that only connects at 31200 bps is better than your T1/Cable/DSL." Heh)

I'm thinking I'll add to the daily script to clean out my http logs until this one blows over...