> Интересно, это только у меня где-то с пару часов назад начала такая вот
> фигня в логи ползти (стандартный набор запросов но с разных адресов) - или
> это очередной вирус имени IIS ?
>----- Forwarded message from "Braun, Mike" <MBraun@xxxxxxxxxxx> -----
> > From: "Braun, Mike" <MBraun@xxxxxxxxxxx>
> > Date: Tue, 18 Sep 2001 08:33:36 -0700
> > Subject: FW: Worm probes
> > To: "'nanog@xxxxxxxxx'" <nanog@xxxxxxxxx>
> >
> >
> > I received this warning from TruSecure regarding the latest worm attack.
> >
> > Mike Braun
> > First American CREDCO
> >
> > -----Original Message-----
> > TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm
> >
> > Date: September 18, 2001
> > Time: 1000 EDT
> >
> > RISK INDICES:
> >
> > Initial Assessment: RED HOT
> >
> > Threat: VERY HIGH, (rapidly increasing)
> >
> > Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0,
> > 5.0, and internal networks.
> >
> > Cost: High, command execution is possible
> >
> > Vulnerable Systems: IIS 4.0 and 5.0
> >
> > SUMMARY:
> > A new IIS worm is spreading rapidly. Its working name is Nimda:
> > W32.nimda.a.mm
> >
> > It started about 9am eastern time today, Tuesday,September 18, 2001,
> > Mulitple sensors world-wide run by TruSecure corporation are getting
> > multiple hundred hits per hour. And began at 9:08am am.
> >
> > The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
> > multiple vulnerabilities including:
> >
> > Almost all are get scripts, and a get msadc (cmd.exe)
> > get_mem_bin
> > vti_bin owssvr.dll
> > Root.exe
> > CMD.EXE
> > ../ (Unicode)
> > Getadmin.dll
> > Default.IDA
> > /Msoffice/ cltreq.asp
> >
> > This is not code red or a code red variant.
> >
> > The worm, like code red attempts to infect its local sub net first,
> > then spreads beyond the local address space.
> >
> > It is spreading very rapidly.
> >
> > TruSecure believes that this worm will infect any IIS 4 and IIS 5
> > box with well known vulnerabilities. We believe that there are
> > nearly 1Million such machines currently exposed to the Internet.
> >
> > Risks Indices:
> > Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of
> > Internet Web server hosts: TruSecure process and essential
> > configurations should generally be protective. The vulnerability
> > prevalence world-wide is very high
> >
> > Threat - VERY HIGH and Growing The rate of growth and spread is
> > exceedingly rapid - significantly faster than any worm to date and
> > significantly faster than any variant of Code red.
> >
> > Cost -- Unknown, probably moderate per infected system.
> >
> >
> > The worm itself is a file called
> > README.EXE, or ADMIN.DLL
> > a 56K file which is advertised as an audio xwave mime type file.
> >
> > Other RISKS:
> > There is risk of DOS of network segments by traffic volume alone
> > There is large risk of successful attack to both Internet exposed IIS
> > boxes and to developer and Intranet boxes inside of corporations.
> >
> > Judging by the Code Red II experience, we expect many subtle routes
> > of infection leading to inside corporate infections.
> >
> > We cannot discount the coincidence of the date and time of release,
> > exactly one week to (probably to the minute) as the World Trade
> > Center attack .
> >
> >
> > REPLICATION:
> > There are at least three mechanisms of spread:
> > The worm seems to spread both by a direct IIS across Internet (IP
> > spread)
> > It probably also spreads by local shares. (this is not known for
> > sure at this time)
> > There is also an email vector where README.EXE is sent via email to
> > numerous accounts.
> >
> > Mitigations
> > TruSecure essential practices should work.
> > Block all email with EXE attachments
> > Filter for README.EXE
> > Make sure IIS boxes are well patched and hardened, or removed from
> > both the Internet and Intranets.
> > Make sure any developer computing platforms are not running IIS of
> > any version (many do so by default if either.
> > Disconnect mail from the Internet
> > Advise users not to double click on any unexpected attachments.
> > Update anti-virus when your vendor has the signature.
=============================================================================
= Apache-Talk@xxxxxxxxxxxxx mailing list =
Mail "unsubscribe apache-talk" to majordomo@xxxxxxxxxxxxx if you want to quit.
= Archive avaliable at http://www.lexa.ru/apache-talk =
"Russian Apache" includes software developed
by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/) See
Apache LICENSE.
Copyright (C) 1995-2001 The Apache Group. All rights reserved.
Copyright (C) 1996 Dm. Kryukov; Copyright (C)
1997-2009 Alex Tutubalin. Design (C) 1998 Max Smolev.