[NTLUG:Discuss] Next IIS Virus engaged...it's fast and spreading.
kbrannen@gte.net
kbrannen at gte.net
Tue Sep 18 16:35:38 CDT 2001
FYI, this does affect Apache on Linux machines, slightly. I noticed in my
Apache logs this afternoon a number of "GET .../cmd.exe" (it's signature)
followed by "httpd ... SIGTERM". So whatever it's doing, it can cause the
children httpd process to die. The parent is unaffect and forks another
child, so the end results is merely performance degradation, but there is an
affect on Linux boxes. BTW, this is with Apache 1.3.12. I may try to upgrade
one of our boxes tomorrow to 1.3.20 and see if that changes anything.
While I had no serious thoughts about doing anything to the boxes that tried
to hit us because of the Code Red virus, I truely am comptemplating sending
email to "administrator" on each of the infected boxes I see from outside our
LAN telling them they're infected, and maybe nicely tell them they would not
have this problem if they ran Linux. :-)
Kevin
Jack Snodgrass wrote:
> Thanks for the heads up.... yesterday and the day before I had about
> 500 hits each to my error_log on my apache/linux box. So far today, (13
> hours into the day ) over 36,000 hits to the error_log. This virus is
> burning up a log of cycles/network traffic.
>
> jack
>
> ----- Original Message -----
> From: "Chris Cox" <cjcox at acm.org>
> To: <discuss at ntlug.org>
> Sent: Tuesday, September 18, 2001 12:04 PM
> Subject: [NTLUG:Discuss] Next IIS Virus engaged...it's fast and spreading.
>
>
>>Apparently spreads (so I'm told) through IE (not IIS), but infects
>>the IIS servers contacted by the browser (ick)... they in turn
>>infect their web pages and propagate the spread... (I can't
>>confirm all of this right now... I do know that I've seen
>>over 95 hosts infected today here... we're doing a full
>>port 80 shutdown).
>>
>>Be warned!
More information about the Discuss
mailing list