Anybody hear of a new worm based on Code Red? This guy that I am talking to seems to think so.

Dave

Forwarded message:
> Some of this looks to be possibly a new worm that is making the rounds. I
> will have one of my staff contact the owner of the server to see if they can
> shut this down.
>
> On 18 Sep 2001, Dave Sherman wrote:
>
> > Hello,
> >
> > I am not one of your customers, but I run a website, and I have noticed
> > that one of your hosts is scanning me for the Code Red 2 trojan. This is
> > rather annoying, considering how long it has been since Code Red first
> > appeared. I have included portions of my Apache logs for your
> > convenience. I am located in Minneapolis, MN (Central Standard Time).
> > You may reach me at dsherman at real-time.com
> >
> > Thank you for your prompt assistance,
> > Dave Sherman
> >
> > SNIPPET FROM ERROR LOG:
> > [Tue Sep 18 08:58:39 2001] [error] [client 208.20.99.1] File does not
> > exist: /home/httpd/html/scripts/../../winnt/system32/cmd.exe
> > [Tue Sep 18 08:58:39 2001] [error] [client 208.20.99.1] File does not
> > exist: /home/httpd/html/scripts/..Á../winnt/system32/cmd.exe
> > [Tue Sep 18 08:58:41 2001] [error] [client 208.20.99.1] File does not
> > exist: /home/httpd/html/scripts/..%5c../winnt/system32/cmd.exe
> >
> > SNIPPET FROM ACCESS LOG:
> > 208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET
> > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> > 208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET
> > /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
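An added example, not part of the original message: a Python detector that percent-decodes request paths from Apache access-log lines until they stop changing, then flags directory traversal and requests ending in `cmd.exe`. The function names and the regex are assumptions made here; the first two sample lines are the access-log entries quoted in the message (unwrapped), and the third is constructed.

```python
import re
from urllib.parse import unquote

# Common Log Format: client, ident, user, [time], "METHOD target PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

SAMPLE_LOG = [
    '208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '208.20.99.1 - - [18/Sep/2001:08:58:41 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    # Constructed benign request for contrast.
    '192.0.2.10 - - [18/Sep/2001:09:00:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly until the string is stable.

    Returns (decoded, rounds); rounds > 1 means the path was encoded more
    than once, which ordinary browsers do not do."""
    rounds = 0
    while rounds < max_rounds:
        # latin-1 keeps every decoded byte as one character.
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return a finding dict for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    decoded, rounds = fully_decode(target.split("?", 1)[0])
    # Treat backslash as a separator, as a Windows server would.
    normalized = decoded.replace("\\", "/").lower()
    traversal = "../" in normalized
    if not (traversal or rounds > 1):
        return None
    return {"client": client, "decoded": normalized, "rounds": rounds,
            "traversal": traversal, "status": int(status),
            "targets_cmd_exe": normalized.endswith("/cmd.exe")}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Both quoted requests decode in two rounds to the same path as the first error-log entry, which is why matching on the raw log text alone misses variants of the same probe.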