[NTLUG:Discuss] Next IIS Virus engaged...it's fast and spreading.
asenec@senechalle.net
asenec at senechalle.net
Tue Sep 18 22:13:48 CDT 2001
We're firewalling against the entire C to which
a scanning ipaddress belongs--this thing has caused
an 80% packet loss on our T3's and made our servers
virtually inaccessible.
Annette
> From discuss-admin at ntlug.org Tue Sep 18 21:48 CDT 2001
> From: kbrannen at gte.net
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20010913
> X-Accept-Language: en-us
> MIME-Version: 1.0
> To: discuss at ntlug.org
> Subject: Re: [NTLUG:Discuss] Next IIS Virus engaged...it's fast and spreading.
> Content-Transfer-Encoding: 7bit
> X-BeenThere: discuss at ntlug.org
> X-Mailman-Version: 2.0.3
> List-Help: <mailto:discuss-request at ntlug.org?subject=help>
> List-Post: <mailto:discuss at ntlug.org>
> List-Subscribe: <http://www.ntlug.org/mailman/listinfo/discuss>,
> <mailto:discuss-request at ntlug.org?subject=subscribe>
> List-Id: NTLUG Discussion List <discuss.ntlug.org>
> List-Unsubscribe: <http://www.ntlug.org/mailman/listinfo/discuss>,
> <mailto:discuss-request at ntlug.org?subject=unsubscribe>
> List-Archive: <http://www.ntlug.org/pipermail/discuss/>
> Date: Tue, 18 Sep 2001 16:35:38 -0500
>
> FYI, this does affect Apache on Linux machines, slightly. I noticed in my
> Apache logs this afternoon a number of "GET .../cmd.exe" (it's signature)
> followed by "httpd ... SIGTERM". So whatever it's doing, it can cause the
> children httpd process to die. The parent is unaffect and forks another
> child, so the end results is merely performance degradation, but there is an
> affect on Linux boxes. BTW, this is with Apache 1.3.12. I may try to upgrade
> one of our boxes tomorrow to 1.3.20 and see if that changes anything.
>
> While I had no serious thoughts about doing anything to the boxes that tried
> to hit us because of the Code Red virus, I truely am comptemplating sending
> email to "administrator" on each of the infected boxes I see from outside our
> LAN telling them they're infected, and maybe nicely tell them they would not
> have this problem if they ran Linux. :-)
>
> Kevin
>
>
> Jack Snodgrass wrote:
>
> > Thanks for the heads up.... yesterday and the day before I had about
> > 500 hits each to my error_log on my apache/linux box. So far today, (13
> > hours into the day ) over 36,000 hits to the error_log. This virus is
> > burning up a log of cycles/network traffic.
> >
> > jack
> >
> > ----- Original Message -----
> > From: "Chris Cox" <cjcox at acm.org>
> > To: <discuss at ntlug.org>
> > Sent: Tuesday, September 18, 2001 12:04 PM
> > Subject: [NTLUG:Discuss] Next IIS Virus engaged...it's fast and spreading.
> >
> >
> >>Apparently spreads (so I'm told) through IE (not IIS), but infects
> >>the IIS servers contacted by the browser (ick)... they in turn
> >>infect their web pages and propagate the spread... (I can't
> >>confirm all of this right now... I do know that I've seen
> >>over 95 hosts infected today here... we're doing a full
> >>port 80 shutdown).
> >>
> >>Be warned!
>
>
>
>
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
>
More information about the Discuss
mailing list